diff --git a/.buildkite/ftr_configs.yml b/.buildkite/ftr_configs.yml index 83408d2121c56..f581c21901ebd 100644 --- a/.buildkite/ftr_configs.yml +++ b/.buildkite/ftr_configs.yml @@ -159,6 +159,7 @@ enabled: - x-pack/test/examples/config.ts - x-pack/test/fleet_api_integration/config.ts - x-pack/test/fleet_functional/config.ts + - x-pack/test/ftr_apis/security_and_spaces/config.ts - x-pack/test/functional_basic/config.ts - x-pack/test/functional_cors/config.ts - x-pack/test/functional_embedded/config.ts diff --git a/.buildkite/pipelines/scalability/daily.yml b/.buildkite/pipelines/scalability/daily.yml index 8529a2f36b4de..d88c6c00e7383 100644 --- a/.buildkite/pipelines/scalability/daily.yml +++ b/.buildkite/pipelines/scalability/daily.yml @@ -12,6 +12,10 @@ steps: agents: queue: kb-static-scalability timeout_in_minutes: 90 + retry: + automatic: + - exit_status: '*' + limit: 1 - wait: ~ continue_on_failure: true diff --git a/.buildkite/scripts/post_build_kibana.sh b/.buildkite/scripts/post_build_kibana.sh index d8b297935471a..e03c55684bf3d 100755 --- a/.buildkite/scripts/post_build_kibana.sh +++ b/.buildkite/scripts/post_build_kibana.sh @@ -3,10 +3,18 @@ set -euo pipefail if [[ ! "${DISABLE_CI_STATS_SHIPPING:-}" ]]; then + cmd=( + "node" "scripts/ship_ci_stats" + "--metrics" "target/optimizer_bundle_metrics.json" + "--metrics" "build/kibana/node_modules/@kbn/ui-shared-deps-src/shared_built_assets/metrics.json" + ) + + if [ "$BUILDKITE_PIPELINE_SLUG" == "kibana-on-merge" ]; then + cmd+=("--validate") + fi + echo "--- Ship Kibana Distribution Metrics to CI Stats" - node scripts/ship_ci_stats \ - --metrics target/optimizer_bundle_metrics.json \ - --metrics build/kibana/node_modules/@kbn/ui-shared-deps-src/shared_built_assets/metrics.json + "${cmd[@]}" fi echo "--- Upload Build Artifacts" diff --git a/.ci/Dockerfile b/.ci/Dockerfile index 4f5236c733bc3..6eddcd2060922 100644 --- a/.ci/Dockerfile +++ b/.ci/Dockerfile 
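Review bot: The `retry.automatic` rule added in `.buildkite/pipelines/scalability/daily.yml` matches every exit status (`exit_status: '*'`), so a deterministic failure is re-run as well. That can add up to another `timeout_in_minutes: 90` on the `kb-static-scalability` queue, and a run that only passed on retry ends in the same final state as one that passed first time. If the retry is only meant to absorb agent or infrastructure loss, narrowing it to `exit_status: -1` would cover that case alone. Otherwise a comment above `retry:`, such as `# retry once: <reason this step is flaky>`, would record the intent. The step definition starts above the hunk, so its command is not visible here.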
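Review bot: The new test `if [ "$BUILDKITE_PIPELINE_SLUG" == "kibana-on-merge" ]` in `.buildkite/scripts/post_build_kibana.sh` expands the variable without a default while the script runs under `set -euo pipefail`. If the variable is not exported (for example in a local or non-Buildkite run), the script aborts with an unbound-variable error before any metrics are shipped. The enclosing guard already uses the `${DISABLE_CI_STATS_SHIPPING:-}` form, and the same pattern fits here: `if [[ "${BUILDKITE_PIPELINE_SLUG:-}" == "kibana-on-merge" ]]; then`. The rest of the script continues below the hunk.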
@@ -1,7 +1,7 @@ # NOTE: This Dockerfile is ONLY used to run certain tasks in CI. It is not used to run Kibana or as a distributable. # If you're looking for the Kibana Docker image distributable, please see: src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts -ARG NODE_VERSION=18.13.0 +ARG NODE_VERSION=16.19.0 FROM node:${NODE_VERSION} AS base diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 174cd07a4f00a..1a4e356ede959 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -901,6 +901,7 @@ packages/kbn-chart-icons @elastic/kibana-visualizations packages/kbn-ci-stats-core @elastic/kibana-operations packages/kbn-ci-stats-performance-metrics @elastic/kibana-operations packages/kbn-ci-stats-reporter @elastic/kibana-operations +packages/kbn-ci-stats-shipper-cli @elastic/kibana-operations packages/kbn-cli-dev-mode @elastic/kibana-operations packages/kbn-coloring @elastic/kibana-visualizations packages/kbn-config @elastic/kibana-core diff --git a/.node-version b/.node-version index d939939b25962..e65243f2ea379 100644 --- a/.node-version +++ b/.node-version @@ -1 +1 @@ -18.13.0 +16.19.0 diff --git a/.nvmrc b/.nvmrc index d939939b25962..e65243f2ea379 100644 --- a/.nvmrc +++ b/.nvmrc @@ -1 +1 @@ -18.13.0 +16.19.0 diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel index 2e0916692591a..f097ad8152a59 100644 --- a/WORKSPACE.bazel +++ b/WORKSPACE.bazel 
@@ -22,13 +22,13 @@ load("@build_bazel_rules_nodejs//:index.bzl", "node_repositories", "yarn_install
 # Setup the Node.js toolchain for the architectures we want to support
 node_repositories(
 node_repositories = {
- "18.13.0-darwin_amd64": ("node-v18.13.0-darwin-x64.tar.gz", "node-v18.13.0-darwin-x64", "8b57c4da4ff6cca19d5ef7953f8816e3406d1508a2e4ee7f997984b3b1d11b77"),
- "18.13.0-darwin_arm64": ("node-v18.13.0-darwin-arm64.tar.gz", "node-v18.13.0-darwin-arm64", "418d535e64dbcbd628715180c2de4ffcecb8a84b81f233c60e6ab9f0d795c249"),
- "18.13.0-linux_arm64": ("node-v18.13.0-linux-arm64.tar.xz", "node-v18.13.0-linux-arm64", "5b338667822341d1ea3b18d5b37d442a655829b9eafdc5f9008f00b8451ac148"),
- "18.13.0-linux_amd64": ("node-v18.13.0-linux-x64.tar.xz", "node-v18.13.0-linux-x64", "7f5d6922a91986ef059ba8a4396aa435440adacfe6fc6fab60a857c8f2cf5e7a"),
- "18.13.0-windows_amd64": ("node-v18.13.0-win-x64.zip", "node-v18.13.0-win-x64", "29c99ad1167ddbd72f2b15e91b560e36ac785b1873ba6791ab50d9d62f1957e2"),
+ "16.19.0-darwin_amd64": ("node-v16.19.0-darwin-x64.tar.gz", "node-v16.19.0-darwin-x64", "491e5a5592eca1961dcbb1fae28567428ce56ce9cc7977b04041e163e0c1670c"),
+ "16.19.0-darwin_arm64": ("node-v16.19.0-darwin-arm64.tar.gz", "node-v16.19.0-darwin-arm64", "5c9434fbb0f323fecf3d261b23a2e544919380c5043d0046d9745682fefd9cde"),
+ "16.19.0-linux_arm64": ("node-v16.19.0-linux-arm64.tar.xz", "node-v16.19.0-linux-arm64", "9072c995052f832678fe8fab18e960bd9853f30e481787e53f8dd1ec8aaa3bb6"),
+ "16.19.0-linux_amd64": ("node-v16.19.0-linux-x64.tar.xz", "node-v16.19.0-linux-x64", "c88b52497ab38a3ddf526e5b46a41270320409109c3f74171b241132984fd08f"),
+ "16.19.0-windows_amd64": ("node-v16.19.0-win-x64.zip", "node-v16.19.0-win-x64", "534ca7a24e999c81cec847a498cc43d47e2bb158f6edf639e5297f2718350e96"),
 },
- node_version = "18.13.0",
+ node_version = "16.19.0",
 node_urls = [
 "https://nodejs.org/dist/v{version}/{filename}",
 ],
diff --git a/api_docs/actions.mdx b/api_docs/actions.mdx index 5af6f4bc32d27..620204733cb30 100644 --- a/api_docs/actions.mdx +++ b/api_docs/actions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/actions title: "actions" image: https://source.unsplash.com/400x175/?github description: API docs for the actions plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'actions'] --- import actionsObj from './actions.devdocs.json'; diff --git a/api_docs/advanced_settings.mdx b/api_docs/advanced_settings.mdx index b959b3c28eb54..75fe306030264 100644 --- a/api_docs/advanced_settings.mdx +++ b/api_docs/advanced_settings.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/advancedSettings title: "advancedSettings" image: https://source.unsplash.com/400x175/?github description: API docs for the advancedSettings plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'advancedSettings'] --- import advancedSettingsObj from './advanced_settings.devdocs.json'; diff --git a/api_docs/aiops.mdx b/api_docs/aiops.mdx index 63d37dc999326..651abd7f57d77 100644 --- a/api_docs/aiops.mdx +++ b/api_docs/aiops.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/aiops title: "aiops" image: https://source.unsplash.com/400x175/?github description: API docs for the aiops plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'aiops'] --- import aiopsObj from './aiops.devdocs.json'; diff --git a/api_docs/alerting.mdx b/api_docs/alerting.mdx index 5f517105b65f1..39b899d4076b6 100644 --- a/api_docs/alerting.mdx +++ b/api_docs/alerting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/alerting title: "alerting" image: https://source.unsplash.com/400x175/?github description: API docs for the alerting plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'alerting'] --- import alertingObj from './alerting.devdocs.json'; 
diff --git a/api_docs/apm.devdocs.json b/api_docs/apm.devdocs.json index e4bdaa18a4266..4fc59e2c641db 100644 --- a/api_docs/apm.devdocs.json +++ b/api_docs/apm.devdocs.json @@ -920,6 +920,10 @@ }, ">]>; }>, ", "PartialC", + "<{ offset: ", + "StringC", + "; }>, ", + "PartialC", "<{ transactionType: ", "StringC", "; }>]>; }>, ", diff --git a/api_docs/apm.mdx b/api_docs/apm.mdx index 76cb793134ae6..100dc72e69fe5 100644 --- a/api_docs/apm.mdx +++ b/api_docs/apm.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/apm title: "apm" image: https://source.unsplash.com/400x175/?github description: API docs for the apm plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'apm'] --- import apmObj from './apm.devdocs.json'; diff --git a/api_docs/banners.mdx b/api_docs/banners.mdx index d96f0d1e71ff0..e7f8ebd468027 100644 --- a/api_docs/banners.mdx +++ b/api_docs/banners.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/banners title: "banners" image: https://source.unsplash.com/400x175/?github description: API docs for the banners plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'banners'] --- import bannersObj from './banners.devdocs.json'; diff --git a/api_docs/bfetch.mdx b/api_docs/bfetch.mdx index 30deb966dde64..42dc6fb78c1f2 100644 --- a/api_docs/bfetch.mdx +++ b/api_docs/bfetch.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/bfetch title: "bfetch" image: https://source.unsplash.com/400x175/?github description: API docs for the bfetch plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'bfetch'] --- import bfetchObj from './bfetch.devdocs.json'; diff --git a/api_docs/canvas.mdx b/api_docs/canvas.mdx index 49597d58d3bdc..f62435146997b 100644 --- a/api_docs/canvas.mdx +++ b/api_docs/canvas.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/canvas title: "canvas" image: https://source.unsplash.com/400x175/?github description: API docs for the canvas plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'canvas'] --- import canvasObj from './canvas.devdocs.json'; diff --git a/api_docs/cases.devdocs.json b/api_docs/cases.devdocs.json index 86e97f6cd258e..cbeaef4fdcb10 100644 --- a/api_docs/cases.devdocs.json +++ b/api_docs/cases.devdocs.json 
@@ -872,7 +872,7 @@ }, " | undefined; severity?: ", "CaseSeverity", - " | undefined; assignees?: string | string[] | undefined; reporters?: string | string[] | undefined; defaultSearchOperator?: \"AND\" | \"OR\" | undefined; fields?: string | string[] | undefined; from?: string | undefined; page?: number | undefined; perPage?: number | undefined; search?: string | undefined; searchFields?: string | string[] | undefined; sortField?: string | undefined; sortOrder?: \"asc\" | \"desc\" | undefined; to?: string | undefined; owner?: string | string[] | undefined; }, signal?: AbortSignal | undefined) => Promise<", + " | undefined; assignees?: string | string[] | undefined; reporters?: string | string[] | undefined; defaultSearchOperator?: \"AND\" | \"OR\" | undefined; fields?: string | string[] | undefined; from?: string | undefined; page?: number | undefined; perPage?: number | undefined; search?: string | undefined; searchFields?: string | string[] | undefined; rootSearchFields?: string[] | undefined; sortField?: string | undefined; sortOrder?: \"asc\" | \"desc\" | undefined; to?: string | undefined; owner?: string | string[] | undefined; }, signal?: AbortSignal | undefined) => Promise<", "Cases", ">; getCasesStatus: (query: { from?: string | undefined; to?: string | undefined; owner?: string | string[] | undefined; }, signal?: AbortSignal | undefined) => Promise<{ countOpenCases: number; countInProgressCases: number; countClosedCases: number; }>; getCasesMetrics: (query: { features: string[]; } & { from?: string | undefined; to?: string | undefined; owner?: string | string[] | undefined; }, signal?: AbortSignal | undefined) => Promise<{ mttr?: number | null | undefined; }>; }; }" ], diff --git a/api_docs/cases.mdx b/api_docs/cases.mdx index 9b6b16e48821f..3ba5adbfe50a7 100644 --- a/api_docs/cases.mdx +++ b/api_docs/cases.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cases title: "cases" image: https://source.unsplash.com/400x175/?github description: API docs for the cases plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cases'] --- import casesObj from './cases.devdocs.json'; diff --git a/api_docs/charts.devdocs.json b/api_docs/charts.devdocs.json index 1feebcea52e15..95753867fedab 100644 --- a/api_docs/charts.devdocs.json +++ b/api_docs/charts.devdocs.json @@ -1309,6 +1309,56 @@ ], "initialIsOpen": false }, + { + "parentPluginId": "charts", + "id": "def-public.MultiClickTriggerEvent", + "type": "Interface", + "tags": [], + "label": "MultiClickTriggerEvent", + "description": [], + "path": "src/plugins/charts/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "charts", + "id": "def-public.MultiClickTriggerEvent.name", + "type": "string", + "tags": [], + "label": "name", + "description": [], + "signature": [ + "\"multiFilter\"" + ], + "path": "src/plugins/charts/public/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "charts", + "id": "def-public.MultiClickTriggerEvent.data", + "type": "Object", + "tags": [], + "label": "data", + "description": [], + "signature": [ + "{ data: { table: Pick<", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + }, + ", \"rows\" | \"columns\">; column: number; value: any[]; }; timeFieldName?: string | undefined; negate?: boolean | undefined; }" + ], + "path": "src/plugins/charts/public/index.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, { "parentPluginId": "charts", "id": "def-public.RawColorSchema", diff --git a/api_docs/charts.mdx b/api_docs/charts.mdx index 27d8c02de9712..fdb9807c9c75b 100644 --- a/api_docs/charts.mdx +++ b/api_docs/charts.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/charts title: "charts" image: https://source.unsplash.com/400x175/?github description: API docs for the charts plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'charts'] --- import chartsObj from './charts.devdocs.json'; @@ -21,7 +21,7 @@ Contact [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualization | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 267 | 16 | 252 | 9 | +| 270 | 16 | 255 | 9 | ## Client diff --git a/api_docs/cloud.mdx b/api_docs/cloud.mdx index 9afb82f5b3a82..cc71a8a77c5b9 100644 --- a/api_docs/cloud.mdx +++ b/api_docs/cloud.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloud title: "cloud" image: https://source.unsplash.com/400x175/?github description: API docs for the cloud plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloud'] --- import cloudObj from './cloud.devdocs.json'; diff --git a/api_docs/cloud_chat.mdx b/api_docs/cloud_chat.mdx index 86b0adf6e8c9b..a782573ea1eec 100644 --- a/api_docs/cloud_chat.mdx +++ b/api_docs/cloud_chat.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudChat title: "cloudChat" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudChat plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudChat'] --- import cloudChatObj from './cloud_chat.devdocs.json'; diff --git a/api_docs/cloud_data_migration.mdx b/api_docs/cloud_data_migration.mdx index 996490eb633e1..7715ce37d81e5 100644 --- a/api_docs/cloud_data_migration.mdx +++ b/api_docs/cloud_data_migration.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudDataMigration title: "cloudDataMigration" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudDataMigration plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudDataMigration'] --- import cloudDataMigrationObj from './cloud_data_migration.devdocs.json'; diff --git a/api_docs/cloud_defend.mdx b/api_docs/cloud_defend.mdx index 5ee2a651a1234..bc8973f11de45 100644 --- a/api_docs/cloud_defend.mdx +++ b/api_docs/cloud_defend.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudDefend title: "cloudDefend" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudDefend plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudDefend'] --- import cloudDefendObj from './cloud_defend.devdocs.json'; diff --git a/api_docs/cloud_experiments.mdx b/api_docs/cloud_experiments.mdx index 3375fa1a35d2f..2776d6e930944 100644 --- a/api_docs/cloud_experiments.mdx +++ b/api_docs/cloud_experiments.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudExperiments title: "cloudExperiments" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudExperiments plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudExperiments'] --- import cloudExperimentsObj from './cloud_experiments.devdocs.json'; diff --git a/api_docs/cloud_security_posture.mdx b/api_docs/cloud_security_posture.mdx index a013c776d0f01..b964637493f67 100644 --- a/api_docs/cloud_security_posture.mdx +++ b/api_docs/cloud_security_posture.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudSecurityPosture title: "cloudSecurityPosture" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudSecurityPosture plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudSecurityPosture'] --- import cloudSecurityPostureObj from './cloud_security_posture.devdocs.json'; diff --git a/api_docs/console.mdx b/api_docs/console.mdx index a1dbb3b029ba4..6995016a6ff69 100644 --- a/api_docs/console.mdx +++ b/api_docs/console.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/console title: "console" image: https://source.unsplash.com/400x175/?github description: API docs for the console plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'console'] --- import consoleObj from './console.devdocs.json'; diff --git a/api_docs/controls.mdx b/api_docs/controls.mdx index 31476cd710f52..4dd05b69b5c94 100644 --- a/api_docs/controls.mdx +++ b/api_docs/controls.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/controls title: "controls" image: https://source.unsplash.com/400x175/?github description: API docs for the controls plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'controls'] --- import controlsObj from './controls.devdocs.json'; diff --git a/api_docs/core.devdocs.json b/api_docs/core.devdocs.json index 13efb1d24be0c..19ba907008b4f 100644 --- a/api_docs/core.devdocs.json +++ b/api_docs/core.devdocs.json 
@@ -20904,230 +20904,6 @@ "plugin": "@kbn/core-saved-objects-browser-mocks", "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": 
"packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, { "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" 
@@ -21136,70 +20912,6 @@ "plugin": "@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" - }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" 
@@ -21208,138 +20920,6 @@ "plugin": "@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - 
"path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" 
@@ -21380,102 +20960,6 @@ "plugin": "@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, { "plugin": "apm", "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" 
@@ -21668,70 +21152,6 @@ "plugin": "data", "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, { "plugin": "cases", "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" 
@@ -21780,42 +21200,6 @@ "plugin": "synthetics", "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, { "plugin": "cases", "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" 
@@ -21860,42 +21244,6 @@ "plugin": "cases", "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, { "plugin": "@kbn/core-saved-objects-browser-internal", "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" 
@@ -21917,156 +21265,16 @@ "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, 
- { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { "plugin": "@kbn/core-ui-settings-server-internal", 
@@ -22079,126 +21287,6 @@ { "plugin": "@kbn/core-ui-settings-server-internal", "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" } ], "initialIsOpen": false @@ -22265,30 +21353,6 @@ { "plugin": "visualizations", "path": "src/plugins/visualizations/public/utils/saved_visualization_references/saved_visualization_references.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" } ], "initialIsOpen": false 
@@ -22658,22 +21722,6 @@ "plugin": "ml", "path": "x-pack/plugins/ml/common/types/modules.ts" }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, { "plugin": "dashboard", "path": "src/plugins/dashboard/public/services/dashboard_saved_object/lib/save_dashboard_state_to_saved_object.ts" @@ -22681,14 +21729,6 @@ { "plugin": "dashboard", "path": "src/plugins/dashboard/public/services/dashboard_saved_object/lib/save_dashboard_state_to_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" } ], "initialIsOpen": false 
@@ -23117,22 +22157,6 @@ "plugin": "savedObjectsTaggingOss", "path": "src/plugins/saved_objects_tagging_oss/public/decorator/inject_tag_references.test.ts" }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, { "plugin": "kibanaUtils", "path": "src/plugins/kibana_utils/common/persistable_state/types.ts" @@ -23673,38 +22697,6 @@ "plugin": "data", "path": "src/plugins/data/common/search/search_source/inject_references.test.ts" }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, { "plugin": "lens", "path": "x-pack/plugins/lens/common/locator/locator.ts" 
@@ -23726,64 +22718,76 @@ "path": "x-pack/plugins/lens/public/app_plugin/share_action.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/types.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/tx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/tx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_read.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "infra", + "path": 
"x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_read.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_write.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_write.ts" + }, + { + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + }, + { + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" } ], "initialIsOpen": false @@ -54679,6 +53683,30 @@ { "plugin": "savedSearch", "path": "src/plugins/saved_search/server/saved_objects/search_migrations.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" + }, + { + "plugin": "@kbn/core-saved-objects-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" + }, + { + "plugin": "@kbn/core-saved-objects-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" } ], "children": [ diff --git a/api_docs/core.mdx b/api_docs/core.mdx index 91e0e52480418..e2831c8debde1 100644 --- a/api_docs/core.mdx +++ b/api_docs/core.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/core title: "core" image: https://source.unsplash.com/400x175/?github description: API docs for the core plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'core'] --- import coreObj from './core.devdocs.json'; diff --git a/api_docs/custom_integrations.mdx b/api_docs/custom_integrations.mdx index 9b6af9cc6cb91..52091cfb25622 100644 --- a/api_docs/custom_integrations.mdx +++ b/api_docs/custom_integrations.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/customIntegrations title: "customIntegrations" image: https://source.unsplash.com/400x175/?github description: API docs for the customIntegrations plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'customIntegrations'] --- import customIntegrationsObj from './custom_integrations.devdocs.json'; diff --git a/api_docs/dashboard.mdx b/api_docs/dashboard.mdx index feec23729aeeb..072fad419cbfb 100644 --- a/api_docs/dashboard.mdx +++ b/api_docs/dashboard.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dashboard title: "dashboard" image: https://source.unsplash.com/400x175/?github description: API docs for the dashboard plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dashboard'] --- import dashboardObj from './dashboard.devdocs.json'; diff --git a/api_docs/dashboard_enhanced.mdx b/api_docs/dashboard_enhanced.mdx index bcb2b88e7bf2d..090532664f28b 100644 --- a/api_docs/dashboard_enhanced.mdx +++ b/api_docs/dashboard_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dashboardEnhanced title: "dashboardEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the dashboardEnhanced plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dashboardEnhanced'] --- import dashboardEnhancedObj from './dashboard_enhanced.devdocs.json'; 
diff --git a/api_docs/data.devdocs.json b/api_docs/data.devdocs.json index 2f9626f9c64d0..706d2ab54715f 100644 --- a/api_docs/data.devdocs.json +++ b/api_docs/data.devdocs.json 
@@ -10942,10064 +10942,1449 @@ "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": 
"packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": 
"packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "core", + "path": "src/core/types/index.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "apm", + "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": 
"@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": 
"@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "plugin": 
"savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_view.stub.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_view.stub.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "plugin": "cases", + "path": 
"x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + 
"path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" - }, + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + 
"id": "def-public.SerializedSearchSourceFields", + "type": "Type", + "tags": [], + "label": "SerializedSearchSourceFields", + "description": [], + "signature": [ + "{ type?: string | undefined; query?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.Query", + "text": "Query" }, + " | ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.AggregateQuery", + "text": "AggregateQuery" }, + " | undefined; filter?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.Filter", + "text": "Filter" }, + "[] | undefined; sort?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.EsQuerySortValue", + "text": "EsQuerySortValue" }, + "[] | undefined; highlight?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" }, + " | undefined; highlightAll?: boolean | undefined; trackTotalHits?: number | boolean | undefined; aggs?: { type: string; enabled?: boolean | undefined; id?: string | undefined; params?: {} | ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" }, + " | undefined; schema?: string | undefined; }[] | undefined; from?: number | undefined; size?: number | undefined; source?: boolean | ", + "Fields", + " | undefined; version?: boolean | undefined; fields?: ", { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.SearchFieldValue", + "text": "SearchFieldValue" }, + "[] | undefined; fieldsFromSource?: ", + "Fields", + " | undefined; index?: string | ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, + " | undefined; searchAfter?: ", + "SortResults", + " | undefined; timeout?: string | undefined; terminate_after?: number | undefined; parent?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.SerializedSearchSourceFields", + "text": "SerializedSearchSourceFields" }, + " | undefined; }" + ], + "path": "src/plugins/data/common/search/search_source/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-public.TypeMeta", + "type": "Type", + "tags": [], + "label": "TypeMeta", + "description": [ + "\nInterface for metadata about rollup indices" + ], + "signature": [ + "{ aggs?: Record | undefined; params?: { rollup_index: string; } | undefined; }" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + } + ], + "objects": [ + { + "parentPluginId": "data", + "id": "def-public.AggGroupLabels", + "type": "Object", + "tags": [], + "label": 
"AggGroupLabels", + "description": [], + "path": "src/plugins/data/common/search/aggs/agg_groups.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "parentPluginId": "data", + "id": "def-public.AggGroupLabels.AggGroupNames.Buckets", + "type": "Any", + "tags": [], + "label": "[AggGroupNames.Buckets]", + "description": [], + "signature": [ + "any" + ], + "path": "src/plugins/data/common/search/aggs/agg_groups.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "parentPluginId": "data", + "id": "def-public.AggGroupLabels.AggGroupNames.Metrics", + "type": "Any", + "tags": [], + "label": "[AggGroupNames.Metrics]", + "description": [], + "signature": [ + "any" + ], + "path": "src/plugins/data/common/search/aggs/agg_groups.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, + "parentPluginId": "data", + "id": "def-public.AggGroupLabels.AggGroupNames.None", + "type": "Any", + "tags": [], + "label": "[AggGroupNames.None]", + "description": [], + "signature": [ + "any" + ], + "path": "src/plugins/data/common/search/aggs/agg_groups.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-public.AggGroupNames", + "type": "Object", + "tags": [], + "label": "AggGroupNames", + "description": [], + "signature": [ + "{ readonly Buckets: \"buckets\"; readonly Metrics: \"metrics\"; readonly None: \"none\"; }" + ], + "path": 
"src/plugins/data/common/search/aggs/agg_groups.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-public.exporters", + "type": "Object", + "tags": [], + "label": "exporters", + "description": [], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "parentPluginId": "data", + "id": "def-public.exporters.datatableToCSV", + "type": "Function", + "tags": [], + "label": "datatableToCSV", + "description": [], + "signature": [ + "({ columns, rows }: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + }, + ", { csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }: CSVOptions) => string" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.exporters.datatableToCSV.$1", + "type": "Object", + "tags": [], + "label": "__0", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + } + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.exporters.datatableToCSV.$2", + "type": "Object", + "tags": [], + "label": "__1", + "description": [], + "signature": [ + "CSVOptions" + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false + } + ] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - 
"path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.exporters.CSV_MIME_TYPE", + "type": "string", + "tags": [], + "label": "CSV_MIME_TYPE", + "description": [], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.exporters.cellHasFormulas", + "type": "Function", + "tags": [], + "label": "cellHasFormulas", + "description": [], + "signature": [ + "(val: string) => boolean" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.exporters.cellHasFormulas.$1", + "type": "string", + "tags": [], + "label": "val", + "description": [], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, + "parentPluginId": "data", + "id": "def-public.exporters.tableHasFormulas", + "type": "Function", + "tags": [], + "label": "tableHasFormulas", + "description": [], + "signature": [ + "(columns: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + "[], rows: ", + { + 
"pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableRow", + "text": "DatatableRow" + }, + "[]) => boolean" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.exporters.tableHasFormulas.$1", + "type": "Array", + "tags": [], + "label": "columns", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + "[]" + ], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.exporters.tableHasFormulas.$2", + "type": "Array", + "tags": [], + "label": "rows", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableRow", + "text": "DatatableRow" + }, + "[]" + ], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false + } + ] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-public.indexPatterns", + "type": "Object", + "tags": [], + "label": "indexPatterns", + "description": [], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.ILLEGAL_CHARACTERS_KEY", + "type": "string", + "tags": [], + "label": "ILLEGAL_CHARACTERS_KEY", + "description": [], + "path": "src/plugins/data/public/index.ts", + "deprecated": 
false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.CONTAINS_SPACES_KEY", + "type": "string", + "tags": [], + "label": "CONTAINS_SPACES_KEY", + "description": [], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.ILLEGAL_CHARACTERS_VISIBLE", + "type": "Array", + "tags": [], + "label": "ILLEGAL_CHARACTERS_VISIBLE", + "description": [], + "signature": [ + "string[]" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.ILLEGAL_CHARACTERS", + "type": "Array", + "tags": [], + "label": "ILLEGAL_CHARACTERS", + "description": [], + "signature": [ + "string[]" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.isFilterable", + "type": "Function", + "tags": [], + "label": "isFilterable", + "description": [], + "signature": [ + "(field: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + 
"section": "def-common.DataViewField", + "text": "DataViewField" + }, + ") => boolean" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.indexPatterns.isFilterable.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + } + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.isNestedField", + "type": "Function", + "tags": [], + "label": "isNestedField", + "description": [], + "signature": [ + "(field: HasSubtype) => boolean" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.indexPatterns.isNestedField.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, - { - "plugin": "core", - "path": "src/core/types/index.ts" - }, - { - "plugin": "apm", - "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.isMultiField", + "type": "Function", + "tags": [], + "label": "isMultiField", + "description": [], + "signature": [ + "(field: HasSubtype) => boolean" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.indexPatterns.isMultiField.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, 
+ "trackAdoption": false + } + ] }, { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/common/types.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.getFieldSubtypeMulti", + "type": "Function", + "tags": [], + "label": "getFieldSubtypeMulti", + "description": [], + "signature": [ + "(field: HasSubtype) => ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubTypeMulti", + "text": "IFieldSubTypeMulti" + }, + " | undefined" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.indexPatterns.getFieldSubtypeMulti.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/common/types.ts" + "parentPluginId": "data", + "id": "def-public.indexPatterns.getFieldSubtypeNested", + "type": "Function", + "tags": [], + "label": "getFieldSubtypeNested", + "description": [], + "signature": [ + "(field: HasSubtype) => ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubTypeNested", + "text": "IFieldSubTypeNested" + }, + " | undefined" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.indexPatterns.getFieldSubtypeNested.$1", + "type": "Object", + "tags": [], + 
"label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": 
"securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_view.stub.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_view.stub.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": 
"src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": 
"x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - 
"plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "fleet", - "path": 
"x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - 
{ - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" - }, - { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" - }, - { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" - }, - { - "plugin": 
"@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-public.SerializedSearchSourceFields", - "type": "Type", - "tags": [], - "label": "SerializedSearchSourceFields", - "description": [], - "signature": [ - "{ type?: string | undefined; query?: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.Query", - "text": "Query" - }, - " | ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.AggregateQuery", - "text": "AggregateQuery" - }, - " | undefined; filter?: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.Filter", - "text": "Filter" - }, - "[] | undefined; sort?: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.EsQuerySortValue", - "text": "EsQuerySortValue" - }, - "[] | undefined; highlight?: ", - { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" - }, - " | undefined; highlightAll?: boolean | undefined; 
trackTotalHits?: number | boolean | undefined; aggs?: { type: string; enabled?: boolean | undefined; id?: string | undefined; params?: {} | ", - { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" - }, - " | undefined; schema?: string | undefined; }[] | undefined; from?: number | undefined; size?: number | undefined; source?: boolean | ", - "Fields", - " | undefined; version?: boolean | undefined; fields?: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.SearchFieldValue", - "text": "SearchFieldValue" - }, - "[] | undefined; fieldsFromSource?: ", - "Fields", - " | undefined; index?: string | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - }, - " | undefined; searchAfter?: ", - "SortResults", - " | undefined; timeout?: string | undefined; terminate_after?: number | undefined; parent?: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.SerializedSearchSourceFields", - "text": "SerializedSearchSourceFields" - }, - " | undefined; }" - ], - "path": "src/plugins/data/common/search/search_source/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-public.TypeMeta", - "type": "Type", - "tags": [], - "label": "TypeMeta", - "description": [ - "\nInterface for metadata about rollup indices" - ], - "signature": [ - "{ aggs?: Record | undefined; params?: { rollup_index: string; } | undefined; }" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - } - ], - "objects": [ - { - "parentPluginId": "data", - "id": "def-public.AggGroupLabels", - "type": "Object", - "tags": 
[], - "label": "AggGroupLabels", - "description": [], - "path": "src/plugins/data/common/search/aggs/agg_groups.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-public.AggGroupLabels.AggGroupNames.Buckets", - "type": "Any", - "tags": [], - "label": "[AggGroupNames.Buckets]", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/common/search/aggs/agg_groups.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.AggGroupLabels.AggGroupNames.Metrics", - "type": "Any", - "tags": [], - "label": "[AggGroupNames.Metrics]", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/common/search/aggs/agg_groups.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.AggGroupLabels.AggGroupNames.None", - "type": "Any", - "tags": [], - "label": "[AggGroupNames.None]", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/common/search/aggs/agg_groups.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-public.AggGroupNames", - "type": "Object", - "tags": [], - "label": "AggGroupNames", - "description": [], - "signature": [ - "{ readonly Buckets: \"buckets\"; readonly Metrics: \"metrics\"; readonly None: \"none\"; }" - ], - "path": "src/plugins/data/common/search/aggs/agg_groups.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-public.exporters", - "type": "Object", - "tags": [], - "label": "exporters", - "description": [], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-public.exporters.datatableToCSV", - "type": "Function", - "tags": [], - "label": "datatableToCSV", 
- "description": [], - "signature": [ - "({ columns, rows }: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" - }, - ", { csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }: CSVOptions) => string" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.exporters.datatableToCSV.$1", - "type": "Object", - "tags": [], - "label": "__0", - "description": [], - "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" - } - ], - "path": "src/plugins/data/common/exports/export_csv.tsx", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.exporters.datatableToCSV.$2", - "type": "Object", - "tags": [], - "label": "__1", - "description": [], - "signature": [ - "CSVOptions" - ], - "path": "src/plugins/data/common/exports/export_csv.tsx", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.exporters.CSV_MIME_TYPE", - "type": "string", - "tags": [], - "label": "CSV_MIME_TYPE", - "description": [], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.exporters.cellHasFormulas", - "type": "Function", - "tags": [], - "label": "cellHasFormulas", - "description": [], - "signature": [ - "(val: string) => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.exporters.cellHasFormulas.$1", - "type": "string", - "tags": [], - "label": "val", - "description": [], - "path": 
"src/plugins/data/common/exports/formula_checks.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.exporters.tableHasFormulas", - "type": "Function", - "tags": [], - "label": "tableHasFormulas", - "description": [], - "signature": [ - "(columns: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - "[], rows: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableRow", - "text": "DatatableRow" - }, - "[]) => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.exporters.tableHasFormulas.$1", - "type": "Array", - "tags": [], - "label": "columns", - "description": [], - "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - "[]" - ], - "path": "src/plugins/data/common/exports/formula_checks.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.exporters.tableHasFormulas.$2", - "type": "Array", - "tags": [], - "label": "rows", - "description": [], - "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableRow", - "text": "DatatableRow" - }, - "[]" - ], - "path": "src/plugins/data/common/exports/formula_checks.ts", - "deprecated": false, - "trackAdoption": false - } - ] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns", - "type": "Object", - "tags": [], - "label": "indexPatterns", - "description": [], - "path": "src/plugins/data/public/index.ts", - 
"deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.ILLEGAL_CHARACTERS_KEY", - "type": "string", - "tags": [], - "label": "ILLEGAL_CHARACTERS_KEY", - "description": [], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.CONTAINS_SPACES_KEY", - "type": "string", - "tags": [], - "label": "CONTAINS_SPACES_KEY", - "description": [], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.ILLEGAL_CHARACTERS_VISIBLE", - "type": "Array", - "tags": [], - "label": "ILLEGAL_CHARACTERS_VISIBLE", - "description": [], - "signature": [ - "string[]" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.ILLEGAL_CHARACTERS", - "type": "Array", - "tags": [], - "label": "ILLEGAL_CHARACTERS", - "description": [], - "signature": [ - "string[]" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.isFilterable", - "type": "Function", - "tags": [], - "label": "isFilterable", - "description": [], - "signature": [ - "(field: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - ") => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.isFilterable.$1", - "type": "Object", - "tags": [], - "label": "field", - "description": [], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - 
"docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - } - ], - "path": "src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.isNestedField", - "type": "Function", - "tags": [], - "label": "isNestedField", - "description": [], - "signature": [ - "(field: HasSubtype) => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.isNestedField.$1", - "type": "Object", - "tags": [], - "label": "field", - "description": [], - "signature": [ - "{ subType?: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" - }, - " | undefined; }" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.isMultiField", - "type": "Function", - "tags": [], - "label": "isMultiField", - "description": [], - "signature": [ - "(field: HasSubtype) => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.isMultiField.$1", - "type": "Object", - "tags": [], - "label": "field", - "description": [], - "signature": [ - "{ subType?: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" - }, - " | undefined; }" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": 
"def-public.indexPatterns.getFieldSubtypeMulti", - "type": "Function", - "tags": [], - "label": "getFieldSubtypeMulti", - "description": [], - "signature": [ - "(field: HasSubtype) => ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubTypeMulti", - "text": "IFieldSubTypeMulti" - }, - " | undefined" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.getFieldSubtypeMulti.$1", - "type": "Object", - "tags": [], - "label": "field", - "description": [], - "signature": [ - "{ subType?: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" - }, - " | undefined; }" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.getFieldSubtypeNested", - "type": "Function", - "tags": [], - "label": "getFieldSubtypeNested", - "description": [], - "signature": [ - "(field: HasSubtype) => ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubTypeNested", - "text": "IFieldSubTypeNested" - }, - " | undefined" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.getFieldSubtypeNested.$1", - "type": "Object", - "tags": [], - "label": "field", - "description": [], - "signature": [ - "{ subType?: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" - }, - " | undefined; }" - ], - "path": 
"src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.validate", - "type": "Function", - "tags": [], - "label": "validate", - "description": [], - "signature": [ - "(indexPattern: string) => { ILLEGAL_CHARACTERS?: string[] | undefined; CONTAINS_SPACES?: boolean | undefined; }" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.indexPatterns.validate.$1", - "type": "string", - "tags": [], - "label": "indexPattern", - "description": [], - "path": "src/plugins/data_views/common/lib/validate_data_view.ts", - "deprecated": false, - "trackAdoption": false - } - ] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-public.search", - "type": "Object", - "tags": [], - "label": "search", - "description": [], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs", - "type": "Object", - "tags": [], - "label": "aggs", - "description": [], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.CidrMask", - "type": "Object", - "tags": [], - "label": "CidrMask", - "description": [], - "signature": [ - "typeof ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.CidrMask", - "text": "CidrMask" - } - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.dateHistogramInterval", - "type": "Function", - "tags": [], - "label": "dateHistogramInterval", - "description": [], - "signature": [ - 
"(interval: string, shouldForceFixed?: boolean | undefined) => Interval" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.dateHistogramInterval.$1", - "type": "string", - "tags": [], - "label": "interval", - "description": [], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.dateHistogramInterval.$2", - "type": "CompoundType", - "tags": [], - "label": "shouldForceFixed", - "description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.intervalOptions", - "type": "Array", - "tags": [], - "label": "intervalOptions", - "description": [], - "signature": [ - "({ display: any; val: string; enabled(agg: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IBucketAggConfig", - "text": "IBucketAggConfig" - }, - "): boolean; } | { display: any; val: string; })[]" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.InvalidEsCalendarIntervalError", - "type": "Object", - "tags": [], - "label": "InvalidEsCalendarIntervalError", - "description": [], - "signature": [ - "typeof ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.InvalidEsCalendarIntervalError", - "text": "InvalidEsCalendarIntervalError" - } - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, 
- { - "parentPluginId": "data", - "id": "def-public.search.aggs.InvalidEsIntervalFormatError", - "type": "Object", - "tags": [], - "label": "InvalidEsIntervalFormatError", - "description": [], - "signature": [ - "typeof ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.InvalidEsIntervalFormatError", - "text": "InvalidEsIntervalFormatError" - } - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.IpAddress", - "type": "Object", - "tags": [], - "label": "IpAddress", - "description": [], - "signature": [ - "typeof ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IpAddress", - "text": "IpAddress" - } - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isDateHistogramBucketAggConfig", - "type": "Function", - "tags": [], - "label": "isDateHistogramBucketAggConfig", - "description": [], - "signature": [ - "(agg: any) => agg is ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IBucketDateHistogramAggConfig", - "text": "IBucketDateHistogramAggConfig" - } - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isDateHistogramBucketAggConfig.$1", - "type": "Any", - "tags": [], - "label": "agg", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/common/search/aggs/buckets/date_histogram.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isNumberType", - "type": "Function", - "tags": [], - "label": "isNumberType", - 
"description": [], - "signature": [ - "(agg: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" - }, - ") => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isNumberType.$1", - "type": "Object", - "tags": [], - "label": "agg", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" - } - ], - "path": "src/plugins/data/common/search/aggs/buckets/migrate_include_exclude_format.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isStringType", - "type": "Function", - "tags": [], - "label": "isStringType", - "description": [], - "signature": [ - "(agg: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" - }, - ") => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isStringType.$1", - "type": "Object", - "tags": [], - "label": "agg", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" - } - ], - "path": "src/plugins/data/common/search/aggs/buckets/migrate_include_exclude_format.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isType", - "type": "Function", - "tags": [], - "label": "isType", - "description": [], - "signature": [ - "(...types: string[]) => 
(agg: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" - }, - ") => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isType.$1", - "type": "Array", - "tags": [], - "label": "types", - "description": [], - "signature": [ - "string[]" - ], - "path": "src/plugins/data/common/search/aggs/buckets/migrate_include_exclude_format.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isValidEsInterval", - "type": "Function", - "tags": [], - "label": "isValidEsInterval", - "description": [], - "signature": [ - "(interval: string) => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isValidEsInterval.$1", - "type": "string", - "tags": [], - "label": "interval", - "description": [], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/is_valid_es_interval.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isValidInterval", - "type": "Function", - "tags": [], - "label": "isValidInterval", - "description": [], - "signature": [ - "(value: string, baseInterval?: string | undefined) => boolean" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isValidInterval.$1", - "type": "string", - "tags": [], - "label": "value", - "description": [], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/is_valid_interval.ts", - 
"deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.isValidInterval.$2", - "type": "string", - "tags": [], - "label": "baseInterval", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/is_valid_interval.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.parentPipelineType", - "type": "Any", - "tags": [], - "label": "parentPipelineType", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.parseEsInterval", - "type": "Function", - "tags": [], - "label": "parseEsInterval", - "description": [], - "signature": [ - "(interval: string) => { value: number; unit: ", - { - "pluginId": "@kbn/datemath", - "scope": "common", - "docId": "kibKbnDatemathPluginApi", - "section": "def-common.Unit", - "text": "Unit" - }, - "; type: \"fixed\" | \"calendar\"; }" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.parseEsInterval.$1", - "type": "string", - "tags": [], - "label": "interval", - "description": [], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_es_interval.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.parseInterval", - "type": "Function", - "tags": [], - "label": "parseInterval", - "description": [], - "signature": [ - "(interval: string) => moment.Duration | null" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": 
"data", - "id": "def-public.search.aggs.parseInterval.$1", - "type": "string", - "tags": [], - "label": "interval", - "description": [], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.propFilter", - "type": "Function", - "tags": [], - "label": "propFilter", - "description": [], - "signature": [ - "

(prop: P) => (list: T[], filters?: string | string[] | FilterFunc) => T[]" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.propFilter.$1", - "type": "Uncategorized", - "tags": [], - "label": "prop", - "description": [], - "signature": [ - "P" - ], - "path": "src/plugins/data/common/search/aggs/utils/prop_filter.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.siblingPipelineType", - "type": "Any", - "tags": [], - "label": "siblingPipelineType", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.termsAggFilter", - "type": "Array", - "tags": [], - "label": "termsAggFilter", - "description": [], - "signature": [ - "string[]" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.toAbsoluteDates", - "type": "Function", - "tags": [], - "label": "toAbsoluteDates", - "description": [], - "signature": [ - "(range: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.TimeRange", - "text": "TimeRange" - }, - ") => { from: Date; to: Date; } | undefined" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.toAbsoluteDates.$1", - "type": "Object", - "tags": [], - "label": "range", - "description": [], - "signature": [ - "{ from: string; to: string; mode?: \"absolute\" | \"relative\" | undefined; }" - ], - "path": 
"src/plugins/data/common/search/aggs/utils/date_interval_utils/to_absolute_dates.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.boundsDescendingRaw", - "type": "Array", - "tags": [], - "label": "boundsDescendingRaw", - "description": [], - "signature": [ - "({ bound: number; interval: moment.Duration; boundLabel: any; intervalLabel: any; } | { bound: moment.Duration; interval: moment.Duration; boundLabel: any; intervalLabel: any; })[]" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.calcAutoIntervalLessThan", - "type": "Function", - "tags": [], - "label": "calcAutoIntervalLessThan", - "description": [], - "signature": [ - "(maxBucketCount: number, duration: number) => moment.Duration" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.aggs.calcAutoIntervalLessThan.$1", - "type": "number", - "tags": [], - "label": "maxBucketCount", - "description": [], - "path": "src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.aggs.calcAutoIntervalLessThan.$2", - "type": "number", - "tags": [], - "label": "duration", - "description": [], - "path": "src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", - "deprecated": false, - "trackAdoption": false - } - ] - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.getResponseInspectorStats", - "type": "Function", - "tags": [], - "label": "getResponseInspectorStats", - "description": [], - "signature": [ - "(resp?: ", - "SearchResponse", - "> | undefined, searchSource?: ", - { - "pluginId": "data", - 
"scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.ISearchSource", - "text": "ISearchSource" - }, - " | undefined) => ", - { - "pluginId": "inspector", - "scope": "common", - "docId": "kibInspectorPluginApi", - "section": "def-common.RequestStatistics", - "text": "RequestStatistics" - } - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.getResponseInspectorStats.$1", - "type": "Object", - "tags": [], - "label": "resp", - "description": [], - "signature": [ - "SearchResponse", - "> | undefined" - ], - "path": "src/plugins/data/common/search/search_source/inspect/inspector_stats.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.getResponseInspectorStats.$2", - "type": "Object", - "tags": [], - "label": "searchSource", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.ISearchSource", - "text": "ISearchSource" - }, - " | undefined" - ], - "path": "src/plugins/data/common/search/search_source/inspect/inspector_stats.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.tabifyAggResponse", - "type": "Function", - "tags": [], - "label": "tabifyAggResponse", - "description": [], - "signature": [ - "(aggConfigs: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfigs", - "text": "AggConfigs" - }, - ", esResponse: Record, respOpts?: Partial<", - "TabbedResponseWriterOptions", - "> | undefined) => ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" - } - ], - "path": "src/plugins/data/public/index.ts", - 
"deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.tabifyAggResponse.$1", - "type": "Object", - "tags": [], - "label": "aggConfigs", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfigs", - "text": "AggConfigs" - } - ], - "path": "src/plugins/data/common/search/tabify/tabify.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.tabifyAggResponse.$2", - "type": "Object", - "tags": [], - "label": "esResponse", - "description": [], - "signature": [ - "{ [x: string]: any; }" - ], - "path": "src/plugins/data/common/search/tabify/tabify.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.tabifyAggResponse.$3", - "type": "Object", - "tags": [], - "label": "respOpts", - "description": [], - "signature": [ - "Partial<", - "TabbedResponseWriterOptions", - "> | undefined" - ], - "path": "src/plugins/data/common/search/tabify/tabify.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.search.tabifyGetColumns", - "type": "Function", - "tags": [], - "label": "tabifyGetColumns", - "description": [], - "signature": [ - "(aggs: ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" - }, - "[], minimalColumns: boolean) => ", - "TabbedAggColumn", - "[]" - ], - "path": "src/plugins/data/public/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-public.search.tabifyGetColumns.$1", - "type": "Array", - "tags": [], - "label": "aggs", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "common", - 
"docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" - }, - "[]" - ], - "path": "src/plugins/data/common/search/tabify/get_columns.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.search.tabifyGetColumns.$2", - "type": "boolean", - "tags": [], - "label": "minimalColumns", - "description": [], - "path": "src/plugins/data/common/search/tabify/get_columns.ts", - "deprecated": false, - "trackAdoption": false - } - ] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-public.UI_SETTINGS", - "type": "Object", - "tags": [], - "label": "UI_SETTINGS", - "description": [], - "signature": [ - "{ readonly META_FIELDS: \"metaFields\"; readonly DOC_HIGHLIGHT: \"doc_table:highlight\"; readonly QUERY_STRING_OPTIONS: \"query:queryString:options\"; readonly QUERY_ALLOW_LEADING_WILDCARDS: \"query:allowLeadingWildcards\"; readonly SEARCH_QUERY_LANGUAGE: \"search:queryLanguage\"; readonly SORT_OPTIONS: \"sort:options\"; readonly COURIER_IGNORE_FILTER_IF_FIELD_NOT_IN_INDEX: \"courier:ignoreFilterIfFieldNotInIndex\"; readonly COURIER_SET_REQUEST_PREFERENCE: \"courier:setRequestPreference\"; readonly COURIER_CUSTOM_REQUEST_PREFERENCE: \"courier:customRequestPreference\"; readonly COURIER_MAX_CONCURRENT_SHARD_REQUESTS: \"courier:maxConcurrentShardRequests\"; readonly SEARCH_INCLUDE_FROZEN: \"search:includeFrozen\"; readonly SEARCH_TIMEOUT: \"search:timeout\"; readonly HISTOGRAM_BAR_TARGET: \"histogram:barTarget\"; readonly HISTOGRAM_MAX_BARS: \"histogram:maxBars\"; readonly HISTORY_LIMIT: \"history:limit\"; readonly TIMEPICKER_REFRESH_INTERVAL_DEFAULTS: \"timepicker:refreshIntervalDefaults\"; readonly TIMEPICKER_QUICK_RANGES: \"timepicker:quickRanges\"; readonly TIMEPICKER_TIME_DEFAULTS: \"timepicker:timeDefaults\"; readonly FILTERS_PINNED_BY_DEFAULT: \"filters:pinnedByDefault\"; readonly FILTERS_EDITOR_SUGGEST_VALUES: \"filterEditor:suggestValues\"; 
readonly AUTOCOMPLETE_USE_TIMERANGE: \"autocomplete:useTimeRange\"; readonly AUTOCOMPLETE_VALUE_SUGGESTION_METHOD: \"autocomplete:valueSuggestionMethod\"; readonly DATE_FORMAT: \"dateFormat\"; readonly DATEFORMAT_TZ: \"dateFormat:tz\"; }" - ], - "path": "src/plugins/data/common/constants.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - } - ], - "setup": { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginSetup", - "type": "Interface", - "tags": [], - "label": "DataPublicPluginSetup", - "description": [ - "\nData plugin public Setup contract" - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginSetup.search", - "type": "Object", - "tags": [], - "label": "search", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "public", - "docId": "kibDataSearchPluginApi", - "section": "def-public.ISearchSetup", - "text": "ISearchSetup" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginSetup.query", - "type": "Object", - "tags": [], - "label": "query", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "public", - "docId": "kibDataQueryPluginApi", - "section": "def-public.QuerySetup", - "text": "QuerySetup" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "lifecycle": "setup", - "initialIsOpen": true - }, - "start": { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginStart", - "type": "Interface", - "tags": [], - "label": "DataPublicPluginStart", - "description": [ - "\nData plugin public Start contract" - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": 
"def-public.DataPublicPluginStart.actions", - "type": "Object", - "tags": [], - "label": "actions", - "description": [ - "\nfilter creation utilities\n{@link DataPublicPluginStartActions}" - ], - "signature": [ - { - "pluginId": "data", - "scope": "public", - "docId": "kibDataPluginApi", - "section": "def-public.DataPublicPluginStartActions", - "text": "DataPublicPluginStartActions" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginStart.dataViews", - "type": "Object", - "tags": [], - "label": "dataViews", - "description": [ - "\ndata views service\n{@link DataViewsContract}" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "public", - "docId": "kibDataViewsPluginApi", - "section": "def-public.DataViewsServicePublic", - "text": "DataViewsServicePublic" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginStart.datatableUtilities", - "type": "Object", - "tags": [], - "label": "datatableUtilities", - "description": [ - "\nDatatable type utility functions." 
- ], - "signature": [ - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataPluginApi", - "section": "def-common.DatatableUtilitiesService", - "text": "DatatableUtilitiesService" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginStart.indexPatterns", - "type": "Object", - "tags": [ - "deprecated" - ], - "label": "indexPatterns", - "description": [ - "\nindex patterns service\n{@link DataViewsContract}" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "public", - "docId": "kibDataViewsPluginApi", - "section": "def-public.DataViewsServicePublic", - "text": "DataViewsServicePublic" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ - { - "plugin": "infra", - "path": "x-pack/plugins/infra/public/hooks/use_kibana_index_patterns.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/plugin.ts" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/entity_index_expression.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/control/list_control_factory.ts" - }, - { - "plugin": "inputControlVis", - "path": 
"src/plugins/input_control_vis/public/control/range_control_factory.ts" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/components/editor/controls_tab.tsx" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/mock/endpoint/dependencies_start_mock.ts" - }, - { - "plugin": "savedObjects", - "path": "src/plugins/saved_objects/public/saved_object/saved_object.test.ts" - }, - { - "plugin": "savedObjects", - "path": "src/plugins/saved_objects/public/saved_object/saved_object.test.ts" - } - ] - }, - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginStart.search", - "type": "Object", - "tags": [], - "label": "search", - "description": [ - "\nsearch service\n{@link ISearchStart}" - ], - "signature": [ - { - "pluginId": "data", - "scope": "public", - "docId": "kibDataSearchPluginApi", - "section": "def-public.ISearchStart", - "text": "ISearchStart" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginStart.fieldFormats", - "type": "CompoundType", - "tags": [ - "deprecated" - ], - "label": "fieldFormats", - "description": [], - "signature": [ - "Omit<", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormatsRegistry", - "text": "FieldFormatsRegistry" - }, - ", \"init\" | \"register\"> & { deserialize: ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FormatFactory", - "text": "FormatFactory" - }, - "; }" - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ - { - "plugin": "dashboard", - "path": "src/plugins/dashboard/public/services/data/types.ts" - }, - { - "plugin": "dashboard", - "path": 
"src/plugins/dashboard/public/services/data/data_service.ts" - }, - { - "plugin": "dataVisualizer", - "path": "x-pack/plugins/data_visualizer/public/application/common/components/stats_table/components/field_data_row/document_stats.tsx" - }, - { - "plugin": "dataVisualizer", - "path": "x-pack/plugins/data_visualizer/public/application/common/components/top_values/top_values.tsx" - }, - { - "plugin": "dataVisualizer", - "path": "x-pack/plugins/data_visualizer/public/application/common/components/stats_table/components/field_data_expanded_row/choropleth_map.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/threshold/expression.tsx" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - }, - { - "plugin": "expressionPartitionVis", - "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" - } - ] - }, - { - "parentPluginId": "data", - "id": 
"def-public.DataPublicPluginStart.query", - "type": "Object", - "tags": [], - "label": "query", - "description": [ - "\nquery service\n{@link QueryStart}" - ], - "signature": [ - { - "pluginId": "data", - "scope": "public", - "docId": "kibDataQueryPluginApi", - "section": "def-public.QueryStart", - "text": "QueryStart" - } - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-public.DataPublicPluginStart.nowProvider", - "type": "Object", - "tags": [], - "label": "nowProvider", - "description": [], - "signature": [ - "{ get: () => Date; }" - ], - "path": "src/plugins/data/public/types.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "lifecycle": "start", - "initialIsOpen": true - } - }, - "server": { - "classes": [ - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin", - "type": "Class", - "tags": [], - "label": "DataServerPlugin", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "server", - "docId": "kibDataPluginApi", - "section": "def-server.DataServerPlugin", - "text": "DataServerPlugin" - }, - " implements ", - { - "pluginId": "@kbn/core-plugins-server", - "scope": "common", - "docId": "kibKbnCorePluginsServerPluginApi", - "section": "def-common.Plugin", - "text": "Plugin" - }, - "<", - { - "pluginId": "data", - "scope": "server", - "docId": "kibDataPluginApi", - "section": "def-server.DataPluginSetup", - "text": "DataPluginSetup" - }, - ", ", - { - "pluginId": "data", - "scope": "server", - "docId": "kibDataPluginApi", - "section": "def-server.DataPluginStart", - "text": "DataPluginStart" - }, - ", ", - "DataPluginSetupDependencies", - ", ", - "DataPluginStartDependencies", - ">" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.Unnamed", - "type": "Function", - "tags": [], - 
"label": "Constructor", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.Unnamed.$1", - "type": "Object", - "tags": [], - "label": "initializerContext", - "description": [], - "signature": [ - { - "pluginId": "@kbn/core-plugins-server", - "scope": "common", - "docId": "kibKbnCorePluginsServerPluginApi", - "section": "def-common.PluginInitializerContext", - "text": "PluginInitializerContext" - }, - "; }>; asyncSearch: Readonly<{ pollInterval?: number | undefined; } & { waitForCompletion: moment.Duration; keepAlive: moment.Duration; batchedReduceSize: number; }>; sessions: Readonly<{} & { enabled: boolean; notTouchedTimeout: moment.Duration; maxUpdateRetries: number; defaultExpiration: moment.Duration; management: Readonly<{} & { refreshInterval: moment.Duration; maxSessions: number; refreshTimeout: moment.Duration; expiresSoonWarning: moment.Duration; }>; }>; }>; }>>" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.setup", - "type": "Function", - "tags": [], - "label": "setup", - "description": [], - "signature": [ - "(core: ", - { - "pluginId": "@kbn/core-lifecycle-server", - "scope": "common", - "docId": "kibKbnCoreLifecycleServerPluginApi", - "section": "def-common.CoreSetup", - "text": "CoreSetup" - }, - "<", - "DataPluginStartDependencies", - ", ", - { - "pluginId": "data", - "scope": "server", - "docId": "kibDataPluginApi", - "section": "def-server.DataPluginStart", - "text": "DataPluginStart" - }, - ">, { bfetch, expressions, usageCollection, fieldFormats, taskManager, security, }: ", - "DataPluginSetupDependencies", - ") => { search: ", - "ISearchSetup", - "; query: ", - "QuerySetup", - "; fieldFormats: 
", - { - "pluginId": "fieldFormats", - "scope": "server", - "docId": "kibFieldFormatsPluginApi", - "section": "def-server.FieldFormatsSetup", - "text": "FieldFormatsSetup" - }, - "; }" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.setup.$1", - "type": "Object", - "tags": [], - "label": "core", - "description": [], - "signature": [ - { - "pluginId": "@kbn/core-lifecycle-server", - "scope": "common", - "docId": "kibKbnCoreLifecycleServerPluginApi", - "section": "def-common.CoreSetup", - "text": "CoreSetup" - }, - "<", - "DataPluginStartDependencies", - ", ", - { - "pluginId": "data", - "scope": "server", - "docId": "kibDataPluginApi", - "section": "def-server.DataPluginStart", - "text": "DataPluginStart" - }, - ">" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.setup.$2", - "type": "Object", - "tags": [], - "label": "{\n bfetch,\n expressions,\n usageCollection,\n fieldFormats,\n taskManager,\n security,\n }", - "description": [], - "signature": [ - "DataPluginSetupDependencies" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.start", - "type": "Function", - "tags": [], - "label": "start", - "description": [], - "signature": [ - "(core: ", - { - "pluginId": "@kbn/core-lifecycle-server", - "scope": "common", - "docId": "kibKbnCoreLifecycleServerPluginApi", - "section": "def-common.CoreStart", - "text": "CoreStart" - }, - ", { fieldFormats, dataViews, taskManager }: ", - "DataPluginStartDependencies", - ") => { datatableUtilities: ", - "DatatableUtilitiesService", - "; search: ", - "ISearchStart", - "<", - { - 
"pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IEsSearchRequest", - "text": "IEsSearchRequest" - }, - ", ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IEsSearchResponse", - "text": "IEsSearchResponse" - }, - ">; fieldFormats: ", - { - "pluginId": "fieldFormats", - "scope": "server", - "docId": "kibFieldFormatsPluginApi", - "section": "def-server.FieldFormatsStart", - "text": "FieldFormatsStart" - }, - "; indexPatterns: ", - { - "pluginId": "dataViews", - "scope": "server", - "docId": "kibDataViewsPluginApi", - "section": "def-server.DataViewsServerPluginStart", - "text": "DataViewsServerPluginStart" - }, - "; }" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.start.$1", - "type": "Object", - "tags": [], - "label": "core", - "description": [], - "signature": [ - { - "pluginId": "@kbn/core-lifecycle-server", - "scope": "common", - "docId": "kibKbnCoreLifecycleServerPluginApi", - "section": "def-common.CoreStart", - "text": "CoreStart" - } - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.start.$2", - "type": "Object", - "tags": [], - "label": "{ fieldFormats, dataViews, taskManager }", - "description": [], - "signature": [ - "DataPluginStartDependencies" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataServerPlugin.stop", - "type": "Function", - "tags": [], - "label": "stop", - "description": [], - "signature": [ - "() => void" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - 
"trackAdoption": false, - "children": [], - "returnComment": [] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView", - "type": "Class", - "tags": [], - "label": "DataView", - "description": [ - "\nData view class. Central kibana abstraction around multiple indices." - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - " implements ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.DataViewBase", - "text": "DataViewBase" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.id", - "type": "string", - "tags": [], - "label": "id", - "description": [ - "\nSaved object id" - ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.title", - "type": "string", - "tags": [ - "deprecated" - ], - "label": "title", - "description": [ - "\nTitle of data view" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/es_query/types.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/source/index.tsx" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/source/index.tsx" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_from_timeline.tsx" - }, - { - "plugin": 
"securitySolution", - "path": "x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/utils.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts" - }, - { - "plugin": "timelines", - "path": "x-pack/plugins/timelines/public/mock/index_pattern.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/mock/index_pattern.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" - }, - { - "plugin": "threatIntelligence", - "path": "x-pack/plugins/threat_intelligence/public/common/mocks/mock_security_context.tsx" - }, - { - "plugin": 
"securitySolution", - "path": "x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/components/flyout_components/alerts_actions/utils.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/es_query/build_es_query.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/es_query/from_combined_filter.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/es_query/from_filters.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/es_query/from_filters.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/es_query/from_kuery.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/es_query/from_nested_filter.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/build_filters/build_filter.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/build_filters/exists_filter.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/build_filters/get_filter_field.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/build_filters/phrase_filter.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/build_filters/phrase_filter.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/build_filters/phrases_filter.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/helpers/compare_filters.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/helpers/compare_filters.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/filters/helpers/compare_filters.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/ast/ast.test.ts" - }, - { - 
"plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/and.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/exists.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/is.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/nested.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/not.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/or.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/range.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/node_types/function.test.ts" - }, - { - "plugin": "@kbn/es-query", - "path": "packages/kbn-es-query/src/kuery/functions/utils/get_full_field_name_node.test.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" - }, - { - "plugin": "unifiedSearch", - "path": "src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.ts" - }, - { - "plugin": "unifiedSearch", - "path": "src/plugins/unified_search/public/query_string_input/fetch_index_patterns.ts" - }, - { - "plugin": "unifiedSearch", - "path": "src/plugins/unified_search/public/dataview_picker/change_dataview.tsx" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/server/rest_api_routes/update_data_view.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/server/rest_api_routes/update_data_view.ts" - }, - { - "plugin": 
"triggersActionsUi", - "path": "x-pack/plugins/triggers_actions_ui/public/common/lib/data_apis.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/public/management_section/objects_table/components/flyout.tsx" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/public/management_section/objects_table/components/flyout.tsx" - }, - { - "plugin": "controls", - "path": "src/plugins/controls/public/services/options_list/options_list_service.ts" - }, - { - "plugin": "controls", - "path": "src/plugins/controls/public/services/options_list/options_list_service.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/public/services/field_stats/load_field_stats.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/common/utils/field_existing_utils.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/common/utils/field_existing_utils.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/common/utils/field_existing_utils.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/public/hooks/use_existing_fields.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/public/hooks/use_existing_fields.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/data_views_service/loader.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx" - }, - { - "plugin": "aiops", - "path": "x-pack/plugins/aiops/public/components/log_categorization/log_categorization_page.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/server/models/data_frame_analytics/index_patterns.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/server/models/job_service/new_job_caps/rollup.ts" - }, - { - "plugin": "ml", - "path": 
"x-pack/plugins/ml/server/lib/alerts/alerting_service.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/server/models/data_recognizer/data_recognizer.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/common/log_views/resolved_log_view.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/server/lib/get_fields.ts" - }, - { - "plugin": "apm", - "path": "x-pack/plugins/apm/server/routes/data_view/create_static_data_view.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/utils/observability_data_views/observability_data_views.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_definition_field.tsx" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/filter_value_btn.tsx" - }, - { - "plugin": "dataVisualizer", - "path": "x-pack/plugins/data_visualizer/public/application/index_data_visualizer/hooks/use_data_visualizer_grid_data.ts" - }, - { - "plugin": "dataVisualizer", - "path": "x-pack/plugins/data_visualizer/public/application/index_data_visualizer/components/index_data_visualizer_view/index_data_visualizer_view.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_details.tsx" - }, - { - "plugin": "ml", - "path": 
"x-pack/plugins/ml/public/application/datavisualizer/index_based/data_loader/data_loader.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/page.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/action_clone/clone_action_name.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/common/job_creator/job_creator.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/common/results_loader/categorization_examples_loader.ts" - }, - { - "plugin": "ml", - 
"path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/index_or_search/preconfigured_job_redirect.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/job_type/page.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/job_type/page.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/job_type/page.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/components/pick_fields_step/components/bucket_span_estimator/estimate_bucket_span.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/components/datafeed_step/components/data_view/change_data_view.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/new_job/wizard_steps.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/outlier_exploration/use_outlier_data.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/exploration_results_table/use_exploration_results.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/source_selection/source_selection.tsx" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/embeddables/anomaly_charts/anomaly_charts_embeddable.tsx" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" - }, - { - "plugin": "infra", - "path": 
"x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/query_bar.tsx" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.tsx" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.tsx" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/services/kibana/data_views.ts" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/services/kibana/data_views.ts" - }, - { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/datasource/datasource_component.js" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/state_management/datasource.sagas.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/state_management/persistence.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/state_management/persistence.ts" - 
}, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/sourcerer/create_sourcerer_data_view.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/sourcerer/create_sourcerer_data_view.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/index.tsx" - }, - { - "plugin": "timelines", - "path": "x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/entity_index_expression.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": 
"x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/components/data_view_select_popover.tsx" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/components/filter_term_form.tsx" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/hooks/use_search_items/common.ts" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/services/es_index_service.ts" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/server/routes/api/transforms.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/public/application/components/es_deprecation_logs/fix_deprecation_logs/external_links.tsx" - }, - { - "plugin": "ux", - "path": "x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/use_data_view.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" - }, - { - "plugin": "maps", - "path": "x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts" - }, - { - "plugin": "ml", - "path": 
"x-pack/plugins/ml/public/application/services/new_job_capabilities/remove_nested_field_children.test.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_kpi.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/test_formula_metric_attribute.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/mobile_test_attribute.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_cwv.ts" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts" - }, - { - "plugin": "controls", - "path": "src/plugins/controls/public/services/data_views/data_views.story.ts" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" - }, - { - "plugin": "dataViewManagement", - "path": 
"src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/field_editor/components/scripting_help/test_script.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/field_editor/field_editor.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/create_edit_field/create_edit_field.tsx" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/control/list_control_factory.ts" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/control/range_control_factory.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" - }, - { - "plugin": "visDefaultEditor", - "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" - }, - { - "plugin": "visDefaultEditor", - "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" - }, - { - "plugin": "visDefaultEditor", - "path": "src/plugins/vis_default_editor/public/components/agg_select.tsx" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/test_utils/get_index_pattern_mock.ts" - }, - { - "plugin": "presentationUtil", - "path": "src/plugins/presentation_util/public/services/data_views/data_views.story.ts" - }, - { - "plugin": "visTypeTimelion", - "path": "src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" - }, - { - "plugin": "visTypeTimelion", - "path": "src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": 
"src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.ts" - }, - { - "plugin": "visTypeVega", - "path": "src/plugins/vis_types/vega/public/data_model/search_api.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" - }, - { - "plugin": "discover", - "path": "src/plugins/discover/public/application/main/hooks/use_text_based_query_language.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/public/pages/metrics/hosts/hooks/use_data_view.test.ts" - } - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.fieldFormatMap", - "type": "Object", - "tags": [], - "label": "fieldFormatMap", - "description": [ - "\nMap of field formats by field name" - ], - "signature": [ - "{ [x: string]: ", - { - "pluginId": 
"fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" - }, - "<{}, ", - { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" - }, - ">; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.typeMeta", - "type": "Object", - "tags": [], - "label": "typeMeta", - "description": [ - "\nOnly used by rollup indices, used by rollup specific endpoint to load field list." - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.TypeMeta", - "text": "TypeMeta" - }, - " | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.fields", - "type": "CompoundType", - "tags": [], - "label": "fields", - "description": [ - "\nField list, in extended array format" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.IIndexPatternFieldList", - "text": "IIndexPatternFieldList" - }, - " & { toSpec: () => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewFieldMap", - "text": "DataViewFieldMap" - }, - "; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.timeFieldName", - "type": "string", - "tags": [], - "label": "timeFieldName", - "description": [ - "\nTimestamp field name" - ], - "signature": [ - "string | undefined" - ], - 
"path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.type", - "type": "string", - "tags": [], - "label": "type", - "description": [ - "\nType is used to identify rollup index patterns." - ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.flattenHit", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "flattenHit", - "description": [], - "signature": [ - "(hit: Record, deep?: boolean | undefined) => Record" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" - }, - { - "plugin": "maps", - "path": "x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" - }, - { - "plugin": "maps", - "path": "x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" - } - ], - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.flattenHit.$1", - "type": "Object", - "tags": [], - "label": "hit", - "description": [], - "signature": [ - "{ [x: string]: unknown[]; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.flattenHit.$2", - "type": "CompoundType", - "tags": [], - "label": "deep", - "description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.metaFields", - "type": 
"Array", - "tags": [], - "label": "metaFields", - "description": [ - "\nList of meta fields by name" - ], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.version", - "type": "string", - "tags": [], - "label": "version", - "description": [ - "\nSavedObject version" - ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.sourceFilters", - "type": "Array", - "tags": [], - "label": "sourceFilters", - "description": [ - "\nArray of filters - hides fields in discover" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.SourceFilter", - "text": "SourceFilter" - }, - "[] | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.namespaces", - "type": "Array", - "tags": [], - "label": "namespaces", - "description": [ - "\nArray of namespace ids" - ], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.allowNoIndex", - "type": "boolean", - "tags": [], - "label": "allowNoIndex", - "description": [ - "\nPrevents errors when index pattern exists before indices" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.name", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "\nName of the data view. 
Human readable name used to differentiate data view." - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.matchedIndices", - "type": "Array", - "tags": [], - "label": "matchedIndices", - "description": [], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.Unnamed", - "type": "Function", - "tags": [], - "label": "Constructor", - "description": [ - "\nconstructor" - ], - "signature": [ - "any" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.Unnamed.$1", - "type": "Object", - "tags": [], - "label": "config", - "description": [ - "- config data and dependencies" - ], - "signature": [ - "DataViewDeps" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getName", - "type": "Function", - "tags": [], - "label": "getName", - "description": [ - "\nGet name of Data View" - ], - "signature": [ - "() => string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getIndexPattern", - "type": "Function", - "tags": [], - "label": "getIndexPattern", - "description": [ - "\nGet index pattern" - ], - "signature": [ - "() => string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [ 
- "index pattern string" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setIndexPattern", - "type": "Function", - "tags": [], - "label": "setIndexPattern", - "description": [ - "\nSet index pattern" - ], - "signature": [ - "(indexPattern: string) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.setIndexPattern.$1", - "type": "string", - "tags": [], - "label": "indexPattern", - "description": [], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getOriginalSavedObjectBody", - "type": "Function", - "tags": [], - "label": "getOriginalSavedObjectBody", - "description": [ - "\nGet last saved saved object fields" - ], - "signature": [ - "() => { fieldAttrs?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; fields?: string | undefined; sourceFilters?: string | undefined; fieldFormatMap?: string | undefined; typeMeta?: string | undefined; type?: string | undefined; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.resetOriginalSavedObjectBody", - "type": "Function", - "tags": [], - "label": "resetOriginalSavedObjectBody", - "description": [ - "\nReset last saved saved object fields. Used after saving." 
- ], - "signature": [ - "() => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getFieldAttrs", - "type": "Function", - "tags": [], - "label": "getFieldAttrs", - "description": [ - "\nReturns field attributes map" - ], - "signature": [ - "() => { [x: string]: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrSet", - "text": "FieldAttrSet" - }, - "; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getComputedFields", - "type": "Function", - "tags": [], - "label": "getComputedFields", - "description": [ - "\nReturns scripted fields" - ], - "signature": [ - "() => { storedFields: string[]; scriptFields: Record; docvalueFields: { field: string; format: string; }[]; runtimeFields: ", - "MappingRuntimeFields", - "; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.isPersisted", - "type": "Function", - "tags": [], - "label": "isPersisted", - "description": [], - "signature": [ - "() => boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.toSpec", - "type": "Function", - "tags": [], - "label": "toSpec", - "description": [ - "\nCreates static representation of the data view." 
- ], - "signature": [ - "(includeFields?: boolean) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.toSpec.$1", - "type": "boolean", - "tags": [], - "label": "includeFields", - "description": [ - "Whether or not to include the `fields` list as part of this spec. If not included, the list\nwill be fetched from Elasticsearch when instantiating a new Data View with this spec." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getSourceFiltering", - "type": "Function", - "tags": [], - "label": "getSourceFiltering", - "description": [ - "\nGet the source filtering configuration for that index." - ], - "signature": [ - "() => { excludes: string[]; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.removeScriptedField", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "removeScriptedField", - "description": [ - "\nRemoves scripted field from field list." 
- ], - "signature": [ - "(fieldName: string) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/field_editor/field_editor.tsx" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - } - ], - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.removeScriptedField.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of scripted field to remove" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getNonScriptedFields", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "getNonScriptedFields", - "description": [ - "\n" - ], - "signature": [ - "() => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - "[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/strategies/abstract_search_strategy.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/services/persistence/deserialize.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" - }, - { - "plugin": "graph", - "path": 
"x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/source_filters_table/components/table/table.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/application/lib/fetch_fields.ts" - } - ], - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getScriptedFields", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "getScriptedFields", - "description": [ - "\n" - ], - "signature": [ - "() => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - "[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" - }, - { - "plugin": "dataViews", - "path": 
"src/plugins/data_views/server/register_index_pattern_usage_collection.ts" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - } - ], - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.isTSDBMode", - "type": "Function", - "tags": [], - "label": "isTSDBMode", - "description": [ - "\nreturns true if dataview contains TSDB fields" - ], - "signature": [ - "() => boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.isTimeBased", - "type": "Function", - "tags": [], - "label": "isTimeBased", - "description": [ - "\nDoes the data view have a timestamp field?" 
- ], - "signature": [ - "() => this is ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.TimeBasedDataView", - "text": "TimeBasedDataView" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.isTimeNanosBased", - "type": "Function", - "tags": [], - "label": "isTimeNanosBased", - "description": [ - "\nDoes the data view have a timestamp field and is it a date nanos field?" - ], - "signature": [ - "() => this is ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.TimeBasedDataView", - "text": "TimeBasedDataView" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getTimeField", - "type": "Function", - "tags": [], - "label": "getTimeField", - "description": [ - "\nGet timestamp field as DataViewField or return undefined" - ], - "signature": [ - "() => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getFieldByName", - "type": "Function", - "tags": [], - "label": "getFieldByName", - "description": [ - "\nGet field by name." 
- ], - "signature": [ - "(name: string) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.getFieldByName.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getAggregationRestrictions", - "type": "Function", - "tags": [], - "label": "getAggregationRestrictions", - "description": [ - "\nGet aggregation restrictions. Rollup fields can only perform a subset of aggregations." 
- ], - "signature": [ - "() => Record | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getAsSavedObjectBody", - "type": "Function", - "tags": [], - "label": "getAsSavedObjectBody", - "description": [ - "\nReturns index pattern as saved object body for saving" - ], - "signature": [ - "() => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewAttributes", - "text": "DataViewAttributes" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getFormatterForField", - "type": "Function", - "tags": [], - "label": "getFormatterForField", - "description": [ - "\nProvide a field, get its formatter" - ], - "signature": [ - "(field: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - ") => ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormat", - "text": "FieldFormat" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.getFormatterForField.$1", - "type": "CompoundType", - "tags": [], - "label": "field", - "description": [ - "field to get formatter for" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": 
"kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.addRuntimeField", - "type": "Function", - "tags": [], - "label": "addRuntimeField", - "description": [ - "\nAdd a runtime field - Appended to existing mapped field or a new field is\ncreated as appropriate." - ], - "signature": [ - "(name: string, runtimeField: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeField", - "text": "RuntimeField" - }, - ") => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - "[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.addRuntimeField.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "Field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.addRuntimeField.$2", - "type": "Object", - "tags": [], - "label": "runtimeField", - "description": [ - "Runtime field definition" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeField", - "text": "RuntimeField" - } - ], - "path": 
"src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.hasRuntimeField", - "type": "Function", - "tags": [], - "label": "hasRuntimeField", - "description": [ - "\nChecks if runtime field exists" - ], - "signature": [ - "(name: string) => boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.hasRuntimeField.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getRuntimeField", - "type": "Function", - "tags": [], - "label": "getRuntimeField", - "description": [ - "\nReturns runtime field if exists" - ], - "signature": [ - "(name: string) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeField", - "text": "RuntimeField" - }, - " | null" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.getRuntimeField.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "Runtime field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getAllRuntimeFields", - "type": "Function", - "tags": [], - 
"label": "getAllRuntimeFields", - "description": [ - "\nGet all runtime field definitions.\nNOTE: this does not strip out runtime fields that match mapped field names" - ], - "signature": [ - "() => Record" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [ - "map of runtime field definitions by field name" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getFieldsByRuntimeFieldName", - "type": "Function", - "tags": [], - "label": "getFieldsByRuntimeFieldName", - "description": [ - "\nReturns data view fields backed by runtime fields." - ], - "signature": [ - "(name: string) => Record | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.getFieldsByRuntimeFieldName.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "runtime field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [ - "map of DataViewFields (that are runtime fields) by field name" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.replaceAllRuntimeFields", - "type": "Function", - "tags": [], - "label": "replaceAllRuntimeFields", - "description": [ - "\nReplaces all existing runtime fields with new fields." 
- ], - "signature": [ - "(newFields: Record) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.replaceAllRuntimeFields.$1", - "type": "Object", - "tags": [], - "label": "newFields", - "description": [ - "Map of runtime field definitions by field name" - ], - "signature": [ - "Record" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.removeRuntimeField", - "type": "Function", - "tags": [], - "label": "removeRuntimeField", - "description": [ - "\nRemove a runtime field - removed from mapped field or removed unmapped\nfield as appropriate. Doesn't clear associated field attributes." - ], - "signature": [ - "(name: string) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.removeRuntimeField.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "- Field name to remove" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getRuntimeMappings", - "type": "Function", - "tags": [], - "label": "getRuntimeMappings", - "description": [ - "\nReturn the \"runtime_mappings\" section of the ES search query." 
- ], - "signature": [ - "() => ", - "MappingRuntimeFields" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.getFormatterForFieldNoDefault", - "type": "Function", - "tags": [], - "label": "getFormatterForFieldNoDefault", - "description": [ - "\nGet formatter for a given field name. Return undefined if none exists." - ], - "signature": [ - "(fieldname: string) => ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormat", - "text": "FieldFormat" - }, - " | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.getFormatterForFieldNoDefault.$1", - "type": "string", - "tags": [], - "label": "fieldname", - "description": [ - "name of field to get formatter for" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldAttrs", - "type": "Function", - "tags": [], - "label": "setFieldAttrs", - "description": [ - "\nSet field attribute" - ], - "signature": [ - "(fieldName: string, attrName: K, value: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrSet", - "text": "FieldAttrSet" - }, - "[K]) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldAttrs.$1", - "type": "string", - "tags": [], - "label": "fieldName", - 
"description": [ - "name of field to set attribute on" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldAttrs.$2", - "type": "Uncategorized", - "tags": [], - "label": "attrName", - "description": [ - "name of attribute to set" - ], - "signature": [ - "K" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldAttrs.$3", - "type": "Uncategorized", - "tags": [], - "label": "value", - "description": [ - "value of attribute" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrSet", - "text": "FieldAttrSet" - }, - "[K]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldCustomLabel", - "type": "Function", - "tags": [], - "label": "setFieldCustomLabel", - "description": [ - "\nSet field custom label" - ], - "signature": [ - "(fieldName: string, customLabel: string | null | undefined) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldCustomLabel.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of field to set custom label on" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", 
- "id": "def-server.DataView.setFieldCustomLabel.$2", - "type": "CompoundType", - "tags": [], - "label": "customLabel", - "description": [ - "custom label value. If undefined, custom label is removed" - ], - "signature": [ - "string | null | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldCount", - "type": "Function", - "tags": [], - "label": "setFieldCount", - "description": [ - "\nSet field count" - ], - "signature": [ - "(fieldName: string, count: number | null | undefined) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldCount.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of field to set count on" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldCount.$2", - "type": "CompoundType", - "tags": [], - "label": "count", - "description": [ - "count value. 
If undefined, count is removed" - ], - "signature": [ - "number | null | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldFormat", - "type": "Function", - "tags": [], - "label": "setFieldFormat", - "description": [ - "\nSet field formatter" - ], - "signature": [ - "(fieldName: string, format: ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" - }, - "<{}, ", - { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" - }, - ">) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldFormat.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of field to set format on" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.setFieldFormat.$2", - "type": "Object", - "tags": [], - "label": "format", - "description": [ - "field format in serialized form" - ], - "signature": [ - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" - }, - "<{}, ", - { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" - 
}, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataView.deleteFieldFormat", - "type": "Function", - "tags": [], - "label": "deleteFieldFormat", - "description": [ - "\nRemove field format from the field format map." - ], - "signature": [ - "(fieldName: string) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataView.deleteFieldFormat.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "field name associated with the format for removal" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService", - "type": "Class", - "tags": [], - "label": "DataViewsService", - "description": [ - "\nData views service, providing CRUD operations for data views." - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getCanSave", - "type": "Function", - "tags": [], - "label": "getCanSave", - "description": [ - "\nCan the user save data views?" 
- ], - "signature": [ - "() => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.Unnamed", - "type": "Function", - "tags": [], - "label": "Constructor", - "description": [ - "\nDataViewsService constructor" - ], - "signature": [ - "any" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.Unnamed.$1", - "type": "Object", - "tags": [], - "label": "deps", - "description": [ - "Service dependencies" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewsServiceDeps", - "text": "DataViewsServiceDeps" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getIds", - "type": "Function", - "tags": [], - "label": "getIds", - "description": [ - "\nGets list of index pattern ids." 
- ], - "signature": [ - "(refresh?: boolean) => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getIds.$1", - "type": "boolean", - "tags": [], - "label": "refresh", - "description": [ - "Force refresh of index pattern list" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getTitles", - "type": "Function", - "tags": [], - "label": "getTitles", - "description": [ - "\nGets list of index pattern titles." - ], - "signature": [ - "(refresh?: boolean) => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getTitles.$1", - "type": "boolean", - "tags": [], - "label": "refresh", - "description": [ - "Force refresh of index pattern list" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.find", - "type": "Function", - "tags": [], - "label": "find", - "description": [ - "\nFind and load index patterns by title." 
- ], - "signature": [ - "(search: string, size?: number) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - "[]>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.find.$1", - "type": "string", - "tags": [], - "label": "search", - "description": [ - "Search string" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.find.$2", - "type": "number", - "tags": [], - "label": "size", - "description": [ - "Number of data views to return" - ], - "signature": [ - "number" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [ - "DataView[]" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getIdsWithTitle", - "type": "Function", - "tags": [], - "label": "getIdsWithTitle", - "description": [ - "\nGets list of index pattern ids with titles." 
- ], - "signature": [ - "(refresh?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewListItem", - "text": "DataViewListItem" - }, - "[]>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getIdsWithTitle.$1", - "type": "boolean", - "tags": [], - "label": "refresh", - "description": [ - "Force refresh of index pattern list" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.clearCache", - "type": "Function", - "tags": [], - "label": "clearCache", - "description": [ - "\nClear index pattern saved objects cache." - ], - "signature": [ - "() => void" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.clearInstanceCache", - "type": "Function", - "tags": [], - "label": "clearInstanceCache", - "description": [ - "\nClear index pattern instance cache" - ], - "signature": [ - "(id?: string | undefined) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.clearInstanceCache.$1", - "type": "string", - "tags": [], - "label": "id", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - } - ], - "returnComment": [] 
- }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getCache", - "type": "Function", - "tags": [], - "label": "getCache", - "description": [ - "\nGet cache, contains data view saved objects." - ], - "signature": [ - "() => Promise<", - { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" - }, - "<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSavedObjectAttrs", - "text": "DataViewSavedObjectAttrs" - }, - ">[] | null | undefined>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getDefault", - "type": "Function", - "tags": [], - "label": "getDefault", - "description": [ - "\nGet default index pattern" - ], - "signature": [ - "(displayErrors?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - " | null>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getDefault.$1", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getDefaultId", - "type": "Function", - "tags": [], - "label": "getDefaultId", - "description": [ - "\nGet default index pattern id" - ], - "signature": [ - "() => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.setDefault", - "type": "Function", - "tags": [], - "label": "setDefault", - "description": [ - "\nOptionally set default index pattern, unless force = true" - ], - "signature": [ - "(id: string | null, force?: boolean) => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.setDefault.$1", - "type": "CompoundType", - "tags": [], - "label": "id", - "description": [ - "data view id" - ], - "signature": [ - "string | null" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.setDefault.$2", - "type": "boolean", - "tags": [], - "label": "force", - "description": [ - "set default data view even if there's an existing default" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.hasUserDataView", - "type": "Function", - "tags": [], - "label": 
"hasUserDataView", - "description": [ - "\nChecks if current user has a user created index pattern ignoring fleet's server default index patterns." - ], - "signature": [ - "() => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getFieldsForWildcard", - "type": "Function", - "tags": [], - "label": "getFieldsForWildcard", - "description": [ - "\nGet field list by providing { pattern }." - ], - "signature": [ - "(options: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - }, - ") => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - "[]>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getFieldsForWildcard.$1", - "type": "Object", - "tags": [], - "label": "options", - "description": [ - "options for getting field list" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [ - "FieldSpec[]" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getFieldsForIndexPattern", - "type": "Function", - "tags": [], - "label": "getFieldsForIndexPattern", - "description": [ - "\nGet field list by providing an index patttern (or spec)." 
- ], - "signature": [ - "(indexPattern: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - }, - ", options?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - }, - " | undefined) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - "[]>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getFieldsForIndexPattern.$1", - "type": "CompoundType", - "tags": [], - "label": "indexPattern", - "description": [], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getFieldsForIndexPattern.$2", - "type": "Object", - "tags": [], - "label": "options", - "description": [ - "options for getting field list" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - }, - " | undefined" - ], - "path": 
"src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - } - ], - "returnComment": [ - "FieldSpec[]" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.refreshFields", - "type": "Function", - "tags": [], - "label": "refreshFields", - "description": [ - "\nRefresh field list for a given index pattern." - ], - "signature": [ - "(dataView: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ", displayErrors?: boolean) => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.refreshFields.$1", - "type": "Object", - "tags": [], - "label": "dataView", - "description": [], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.refreshFields.$2", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.fieldArrayToMap", - "type": "Function", - "tags": [], - "label": "fieldArrayToMap", - "description": [ - "\nConverts field array to map." 
- ], - "signature": [ - "(fields: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - "[], fieldAttrs?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrs", - "text": "FieldAttrs" - }, - " | undefined) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewFieldMap", - "text": "DataViewFieldMap" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.fieldArrayToMap.$1", - "type": "Array", - "tags": [], - "label": "fields", - "description": [ - ": FieldSpec[]" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - "[]" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.fieldArrayToMap.$2", - "type": "Object", - "tags": [], - "label": "fieldAttrs", - "description": [ - ": FieldAttrs" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrs", - "text": "FieldAttrs" - }, - " | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - } - ], - "returnComment": [ - "Record" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.savedObjectToSpec", - "type": "Function", - "tags": [], - "label": "savedObjectToSpec", - "description": [ - "\nConverts data view saved object to data view 
spec." - ], - "signature": [ - "(savedObject: ", - { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" - }, - "<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewAttributes", - "text": "DataViewAttributes" - }, - ">) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.savedObjectToSpec.$1", - "type": "Object", - "tags": [], - "label": "savedObject", - "description": [], - "signature": [ - { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" - }, - "<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewAttributes", - "text": "DataViewAttributes" - }, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [ - "DataViewSpec" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.get", - "type": "Function", - "tags": [], - "label": "get", - "description": [ - "\nGet an index pattern by id, cache optimized." 
- ], - "signature": [ - "(id: string, displayErrors?: boolean, refreshFields?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.get.$1", - "type": "string", - "tags": [], - "label": "id", - "description": [], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.get.$2", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.get.$3", - "type": "boolean", - "tags": [], - "label": "refreshFields", - "description": [ - "- If set true, will fetch fields from the index pattern" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.create", - "type": "Function", - "tags": [], - "label": "create", - "description": [ - "\nCreate data view instance." 
- ], - "signature": [ - "(spec: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - }, - ", skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.create.$1", - "type": "Object", - "tags": [], - "label": "spec", - "description": [ - "data view spec" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.create.$2", - "type": "boolean", - "tags": [], - "label": "skipFetchFields", - "description": [ - "if true, will not fetch fields" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.create.$3", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [ - "DataView" - ] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createAndSave", - "type": "Function", - "tags": [], - "label": "createAndSave", - "description": [ - "\nCreate a new data view and save it right away." - ], - "signature": [ - "(spec: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - }, - ", override?: boolean, skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createAndSave.$1", - "type": "Object", - "tags": [], - "label": "spec", - "description": [ - "data view spec" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createAndSave.$2", - "type": "boolean", - "tags": [], - "label": "override", - "description": [ - "Overwrite if existing index pattern exists." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createAndSave.$3", - "type": "boolean", - "tags": [], - "label": "skipFetchFields", - "description": [ - "Whether to skip field refresh step." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createAndSave.$4", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createSavedObject", - "type": "Function", - "tags": [], - "label": "createSavedObject", - "description": [ - "\nSave a new data view." 
- ], - "signature": [ - "(dataView: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ", override?: boolean, displayErrors?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createSavedObject.$1", - "type": "Object", - "tags": [], - "label": "dataView", - "description": [ - "data view instance" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createSavedObject.$2", - "type": "boolean", - "tags": [], - "label": "override", - "description": [ - "Overwrite if existing index pattern exists" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.createSavedObject.$3", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.updateSavedObject", - "type": "Function", - "tags": [], - "label": "updateSavedObject", - "description": [ - "\nSave existing data view. Will attempt to merge differences if there are conflicts." - ], - "signature": [ - "(indexPattern: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ", saveAttempts?: number, ignoreErrors?: boolean, displayErrors?: boolean) => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.updateSavedObject.$1", - "type": "Object", - "tags": [], - "label": "indexPattern", - "description": [], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.updateSavedObject.$2", - "type": "number", - "tags": [], - "label": "saveAttempts", - "description": [], - "signature": [ - "number" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.updateSavedObject.$3", - "type": "boolean", - "tags": [], - "label": "ignoreErrors", - "description": [], - "signature": [ - "boolean" - ], - "path": 
"src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.updateSavedObject.$4", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.delete", - "type": "Function", - "tags": [], - "label": "delete", - "description": [ - "\nDeletes an index pattern from .kibana index." - ], - "signature": [ - "(indexPatternId: string) => Promise<{}>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.delete.$1", - "type": "string", - "tags": [], - "label": "indexPatternId", - "description": [ - ": Id of kibana Index Pattern to delete" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getDefaultDataView", - "type": "Function", - "tags": [], - "label": "getDefaultDataView", - "description": [ - "\nReturns the default data view as an object.\nIf no default is found, or it is missing\nanother data view is selected as default and returned.\nIf no possible data view found to become a default returns null.\n" - ], - "signature": [ - "(refreshFields?: boolean | undefined) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - 
"section": "def-common.DataView", - "text": "DataView" - }, - " | null>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsService.getDefaultDataView.$1", - "type": "CompoundType", - "tags": [], - "label": "refreshFields", - "description": [ - "- if true, will refresh the fields of the default data view" - ], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - } - ], - "returnComment": [ - "default data view" - ] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher", - "type": "Class", - "tags": [], - "label": "IndexPatternsFetcher", - "description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.Unnamed", - "type": "Function", - "tags": [], - "label": "Constructor", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.Unnamed.$1", - "type": "Object", - "tags": [], - "label": "elasticsearchClient", - "description": [], - "signature": [ - { - "pluginId": "@kbn/core-elasticsearch-server", - "scope": "common", - "docId": "kibKbnCoreElasticsearchServerPluginApi", - "section": "def-common.ElasticsearchClient", - "text": "ElasticsearchClient" - } - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": 
"def-server.IndexPatternsFetcher.Unnamed.$2", - "type": "boolean", - "tags": [], - "label": "allowNoIndices", - "description": [], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard", - "type": "Function", - "tags": [ - "property", - "property", - "return" - ], - "label": "getFieldsForWildcard", - "description": [ - "\n Get a list of field objects for an index pattern that may contain wildcards\n" - ], - "signature": [ - "(options: { pattern: string | string[]; metaFields?: string[] | undefined; fieldCapsOptions?: { allow_no_indices: boolean; includeUnmapped?: boolean | undefined; } | undefined; type?: string | undefined; rollupIndex?: string | undefined; indexFilter?: ", - "QueryDslQueryContainer", - " | undefined; fields?: string[] | undefined; }) => Promise<{ fields: ", - { - "pluginId": "dataViews", - "scope": "server", - "docId": "kibDataViewsPluginApi", - "section": "def-server.FieldDescriptor", - "text": "FieldDescriptor" - }, - "[]; indices: string[]; }>" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1", - "type": "Object", - "tags": [], - "label": "options", - "description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.pattern", - "type": "CompoundType", - "tags": [], - "label": "pattern", - "description": [], - "signature": [ - "string | string[]" - ], - "path": 
"src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.metaFields", - "type": "Array", - "tags": [], - "label": "metaFields", - "description": [], - "signature": [ - "string[] | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.fieldCapsOptions", - "type": "Object", - "tags": [], - "label": "fieldCapsOptions", - "description": [], - "signature": [ - "{ allow_no_indices: boolean; includeUnmapped?: boolean | undefined; } | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.type", - "type": "string", - "tags": [], - "label": "type", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.rollupIndex", - "type": "string", - "tags": [], - "label": "rollupIndex", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.indexFilter", - "type": "Object", - "tags": [], - "label": "indexFilter", - "description": [], - "signature": [ - "QueryDslQueryContainer", - " | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": 
false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.fields", - "type": "Array", - "tags": [], - "label": "fields", - "description": [], - "signature": [ - "string[] | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - } - ] - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.validatePatternListActive", - "type": "Function", - "tags": [ - "return" - ], - "label": "validatePatternListActive", - "description": [ - "\n Returns an index pattern list of only those index pattern strings in the given list that return indices\n" - ], - "signature": [ - "(patternList: string[]) => Promise" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.IndexPatternsFetcher.validatePatternListActive.$1", - "type": "Array", - "tags": [], - "label": "patternList", - "description": [ - "string[]" - ], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - } - ], - "initialIsOpen": false - } - ], - "functions": [ - { - "parentPluginId": "data", - "id": "def-server.getCapabilitiesForRollupIndices", - "type": "Function", - "tags": [], - "label": "getCapabilitiesForRollupIndices", - "description": [ - "\nGet rollup job capabilities" - ], - "signature": [ - "(indices: ", - "RollupGetRollupIndexCapsResponse", - ") => ", - { - "pluginId": "dataViews", - "scope": "server", - "docId": "kibDataViewsPluginApi", - "section": "def-server.RollupIndexCapability", - "text": "RollupIndexCapability" - } - ], - "path": 
"src/plugins/data_views/server/fetcher/lib/map_capabilities.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.getCapabilitiesForRollupIndices.$1", - "type": "Object", - "tags": [], - "label": "indices", - "description": [ - "rollup job index capabilites" - ], - "signature": [ - "RollupGetRollupIndexCapsResponse" - ], - "path": "src/plugins/data_views/server/fetcher/lib/map_capabilities.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.getEsQueryConfig", - "type": "Function", - "tags": [], - "label": "getEsQueryConfig", - "description": [], - "signature": [ - "(config: KibanaConfig) => ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.EsQueryConfig", - "text": "EsQueryConfig" - } - ], - "path": "src/plugins/data/common/es_query/get_es_query_config.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.getEsQueryConfig.$1", - "type": "Object", - "tags": [], - "label": "config", - "description": [], - "signature": [ - "KibanaConfig" - ], - "path": "src/plugins/data/common/es_query/get_es_query_config.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.getRequestAbortedSignal", - "type": "Function", - "tags": [], - "label": "getRequestAbortedSignal", - "description": [ - "\nA simple utility function that returns an `AbortSignal` corresponding to an `AbortController`\nwhich aborts when the given request is aborted." 
- ], - "signature": [ - "(aborted$: ", - "Observable", - ") => AbortSignal" - ], - "path": "src/plugins/data/server/lib/get_request_aborted_signal.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.getRequestAbortedSignal.$1", - "type": "Object", - "tags": [], - "label": "aborted$", - "description": [ - "The observable of abort events (usually `request.events.aborted$`)" - ], - "signature": [ - "Observable", - "" - ], - "path": "src/plugins/data/server/lib/get_request_aborted_signal.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.getTime", - "type": "Function", - "tags": [], - "label": "getTime", - "description": [], - "signature": [ - "(indexPattern: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - " | undefined, timeRange: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.TimeRange", - "text": "TimeRange" - }, - ", options: { forceNow?: Date | undefined; fieldName?: string | undefined; } | undefined) => ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.RangeFilter", - "text": "RangeFilter" - }, - " | ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.ScriptedRangeFilter", - "text": "ScriptedRangeFilter" - }, - " | ", - "MatchAllRangeFilter", - " | undefined" - ], - "path": "src/plugins/data/common/query/timefilter/get_time.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.getTime.$1", - "type": "Object", - "tags": [], - "label": "indexPattern", - "description": [], - 
"signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - " | undefined" - ], - "path": "src/plugins/data/common/query/timefilter/get_time.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - }, - { - "parentPluginId": "data", - "id": "def-server.getTime.$2", - "type": "Object", - "tags": [], - "label": "timeRange", - "description": [], - "signature": [ - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.TimeRange", - "text": "TimeRange" - } - ], - "path": "src/plugins/data/common/query/timefilter/get_time.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-server.getTime.$3", - "type": "Object", - "tags": [], - "label": "options", - "description": [], - "path": "src/plugins/data/common/query/timefilter/get_time.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.getTime.$3.forceNow", - "type": "Object", - "tags": [], - "label": "forceNow", - "description": [], - "signature": [ - "Date | undefined" - ], - "path": "src/plugins/data/common/query/timefilter/get_time.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.getTime.$3.fieldName", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data/common/query/timefilter/get_time.ts", - "deprecated": false, - "trackAdoption": false - } - ] - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.parseInterval", - "type": "Function", - "tags": [], - "label": "parseInterval", - "description": [], - "signature": [ - "(interval: string) => moment.Duration | null" - ], - "path": 
"src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.parseInterval.$1", - "type": "string", - "tags": [], - "label": "interval", - "description": [], - "signature": [ - "string" - ], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - } - ], - "interfaces": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsServerPluginStart", - "type": "Interface", - "tags": [], - "label": "DataViewsServerPluginStart", - "description": [ - "\nDataViews server plugin start api" - ], - "path": "src/plugins/data_views/server/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory", - "type": "Function", - "tags": [], - "label": "dataViewsServiceFactory", - "description": [ - "\nReturns a DataViews service instance" - ], - "signature": [ - "(savedObjectsClient: ", - { - "pluginId": "@kbn/core-saved-objects-api-server", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsApiServerPluginApi", - "section": "def-common.SavedObjectsClientContract", - "text": "SavedObjectsClientContract" - }, - ", elasticsearchClient: ", - { - "pluginId": "@kbn/core-elasticsearch-server", - "scope": "common", - "docId": "kibKbnCoreElasticsearchServerPluginApi", - "section": "def-common.ElasticsearchClient", - "text": "ElasticsearchClient" - }, - ", request?: ", - { - "pluginId": "@kbn/core-http-server", - "scope": "common", - "docId": "kibKbnCoreHttpServerPluginApi", - "section": "def-common.KibanaRequest", - "text": "KibanaRequest" - }, - " | undefined, byPassCapabilities?: boolean | undefined) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", 
- "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewsService", - "text": "DataViewsService" - }, - ">" - ], - "path": "src/plugins/data_views/server/types.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$1", - "type": "Object", - "tags": [], - "label": "savedObjectsClient", - "description": [], - "signature": [ - { - "pluginId": "@kbn/core-saved-objects-api-server", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsApiServerPluginApi", - "section": "def-common.SavedObjectsClientContract", - "text": "SavedObjectsClientContract" - } - ], - "path": "src/plugins/data_views/server/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$2", - "type": "Object", - "tags": [], - "label": "elasticsearchClient", - "description": [], - "signature": [ - "{ name: string | symbol; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - 
"WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; cluster: ", - "default", - "; eql: ", - "default", - "; search: { >(this: That, params?: ", - "SearchRequest", - " | ", - "SearchRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "SearchResponse", - ">; >(this: That, params?: ", - "SearchRequest", - " | ", - "SearchRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "SearchResponse", - ", unknown>>; >(this: That, params?: ", - "SearchRequest", - " | ", - "SearchRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "SearchResponse", - ">; }; create: { (this: That, params: ", - "CreateRequest", - " | ", - "CreateRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "CreateRequest", - " | ", - "CreateRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "CreateRequest", - " | ", - "CreateRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; monitoring: ", - "default", - "; security: ", - "default", - "; index: { (this: That, params: ", - "IndexRequest", - " | ", - "IndexRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "IndexRequest", - " | ", - "IndexRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: 
", - "IndexRequest", - " | ", - "IndexRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; update: { (this: That, params: ", - "UpdateRequest", - " | ", - "UpdateRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "UpdateResponse", - ">; (this: That, params: ", - "UpdateRequest", - " | ", - "UpdateRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "UpdateResponse", - ", unknown>>; (this: That, params: ", - "UpdateRequest", - " | ", - "UpdateRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "UpdateResponse", - ">; }; asyncSearch: ", - "default", - "; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", - "default", - "; helpers: ", - "default", - "; child: (opts: ", - "ClientOptions", - ") => ", - "default", - "; autoscaling: ", - "default", - "; bulk: { (this: That, params: ", - "BulkRequest", - " | ", - "BulkRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - 
"BulkResponse", - ">; (this: That, params: ", - "BulkRequest", - " | ", - "BulkRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "BulkResponse", - ", unknown>>; (this: That, params: ", - "BulkRequest", - " | ", - "BulkRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "BulkResponse", - ">; }; cat: ", - "default", - "; ccr: ", - "default", - "; clearScroll: { (this: That, params?: ", - "ClearScrollRequest", - " | ", - "ClearScrollRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "ClearScrollResponse", - ">; (this: That, params?: ", - "ClearScrollRequest", - " | ", - "ClearScrollRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "ClearScrollResponse", - ", unknown>>; (this: That, params?: ", - "ClearScrollRequest", - " | ", - "ClearScrollRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "ClearScrollResponse", - ">; }; closePointInTime: { (this: That, params: ", - "ClosePointInTimeRequest", - " | ", - "ClosePointInTimeRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "ClosePointInTimeResponse", - ">; (this: That, params: ", - "ClosePointInTimeRequest", - " | ", - "ClosePointInTimeRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "ClosePointInTimeResponse", - ", unknown>>; (this: That, params: ", - "ClosePointInTimeRequest", - " | ", - "ClosePointInTimeRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "ClosePointInTimeResponse", - ">; }; count: { (this: That, params?: ", - "CountRequest", - " | ", - "CountRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): 
Promise<", - "CountResponse", - ">; (this: That, params?: ", - "CountRequest", - " | ", - "CountRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "CountResponse", - ", unknown>>; (this: That, params?: ", - "CountRequest", - " | ", - "CountRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "CountResponse", - ">; }; danglingIndices: ", - "default", - "; deleteByQuery: { (this: That, params: ", - "DeleteByQueryRequest", - " | ", - "DeleteByQueryRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "DeleteByQueryResponse", - ">; (this: That, params: ", - "DeleteByQueryRequest", - " | ", - "DeleteByQueryRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "DeleteByQueryResponse", - ", unknown>>; (this: That, params: ", - "DeleteByQueryRequest", - " | ", - "DeleteByQueryRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "DeleteByQueryResponse", - ">; }; deleteByQueryRethrottle: { (this: That, params: ", - "DeleteByQueryRethrottleRequest", - " | ", - "DeleteByQueryRethrottleRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "TasksTaskListResponseBase", - ">; (this: That, params: ", - "DeleteByQueryRethrottleRequest", - " | ", - "DeleteByQueryRethrottleRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "TasksTaskListResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteByQueryRethrottleRequest", - " | ", - "DeleteByQueryRethrottleRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "TasksTaskListResponseBase", - ">; }; deleteScript: { (this: That, params: ", - "DeleteScriptRequest", - " | ", - "DeleteScriptRequest", - ", 
options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "AcknowledgedResponseBase", - ">; (this: That, params: ", - "DeleteScriptRequest", - " | ", - "DeleteScriptRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "AcknowledgedResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteScriptRequest", - " | ", - "DeleteScriptRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "AcknowledgedResponseBase", - ">; }; enrich: ", - "default", - "; exists: { (this: That, params: ", - "ExistsRequest", - " | ", - "ExistsRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise; (this: That, params: ", - "ExistsRequest", - " | ", - "ExistsRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - ">; (this: That, params: ", - "ExistsRequest", - " | ", - "ExistsRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise; }; existsSource: { (this: That, params: ", - "ExistsSourceRequest", - " | ", - "ExistsSourceRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise; (this: That, params: ", - "ExistsSourceRequest", - " | ", - "ExistsSourceRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - ">; (this: That, params: ", - "ExistsSourceRequest", - " | ", - "ExistsSourceRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise; }; explain: { (this: That, params: ", - "ExplainRequest", - " | ", - "ExplainRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "ExplainResponse", - ">; (this: That, params: ", - "ExplainRequest", - " | ", - "ExplainRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - 
"<", - "ExplainResponse", - ", unknown>>; (this: That, params: ", - "ExplainRequest", - " | ", - "ExplainRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "ExplainResponse", - ">; }; features: ", - "default", - "; fieldCaps: { (this: That, params: ", - "FieldCapsRequest", - " | ", - "FieldCapsRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "FieldCapsResponse", - ">; (this: That, params: ", - "FieldCapsRequest", - " | ", - "FieldCapsRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "FieldCapsResponse", - ", unknown>>; (this: That, params: ", - "FieldCapsRequest", - " | ", - "FieldCapsRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "FieldCapsResponse", - ">; }; fleet: ", - "default", - "; getScript: { (this: That, params: ", - "GetScriptRequest", - " | ", - "GetScriptRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetScriptResponse", - ">; (this: That, params: ", - "GetScriptRequest", - " | ", - "GetScriptRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetScriptResponse", - ", unknown>>; (this: That, params: ", - "GetScriptRequest", - " | ", - "GetScriptRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetScriptResponse", - ">; }; getScriptContext: { (this: That, params?: ", - "GetScriptContextRequest", - " | ", - "GetScriptContextRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetScriptContextResponse", - ">; (this: That, params?: ", - "GetScriptContextRequest", - " | ", - "GetScriptContextRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - 
"GetScriptContextResponse", - ", unknown>>; (this: That, params?: ", - "GetScriptContextRequest", - " | ", - "GetScriptContextRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetScriptContextResponse", - ">; }; getScriptLanguages: { (this: That, params?: ", - "GetScriptLanguagesRequest", - " | ", - "GetScriptLanguagesRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetScriptLanguagesResponse", - ">; (this: That, params?: ", - "GetScriptLanguagesRequest", - " | ", - "GetScriptLanguagesRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetScriptLanguagesResponse", - ", unknown>>; (this: That, params?: ", - "GetScriptLanguagesRequest", - " | ", - "GetScriptLanguagesRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetScriptLanguagesResponse", - ">; }; getSource: { (this: That, params: ", - "GetSourceRequest", - " | ", - "GetSourceRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise; (this: That, params: ", - "GetSourceRequest", - " | ", - "GetSourceRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - ">; (this: That, params: ", - "GetSourceRequest", - " | ", - "GetSourceRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise; }; graph: ", - "default", - "; ilm: ", - "default", - "; indices: ", - "default", - "; info: { (this: That, params?: ", - "InfoRequest", - " | ", - "InfoRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "InfoResponse", - ">; (this: That, params?: ", - "InfoRequest", - " | ", - "InfoRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - 
"<", - "InfoResponse", - ", unknown>>; (this: That, params?: ", - "InfoRequest", - " | ", - "InfoRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "InfoResponse", - ">; }; ingest: ", - "default", - "; knnSearch: { (this: That, params: ", - "KnnSearchRequest", - " | ", - "KnnSearchRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "KnnSearchResponse", - ">; (this: That, params: ", - "KnnSearchRequest", - " | ", - "KnnSearchRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "KnnSearchResponse", - ", unknown>>; (this: That, params: ", - "KnnSearchRequest", - " | ", - "KnnSearchRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "KnnSearchResponse", - ">; }; license: ", - "default", - "; logstash: ", - "default", - "; mget: { (this: That, params?: ", - "MgetRequest", - " | ", - "MgetRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "MgetResponse", - ">; (this: That, params?: ", - "MgetRequest", - " | ", - "MgetRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "MgetResponse", - ", unknown>>; (this: That, params?: ", - "MgetRequest", - " | ", - "MgetRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "MgetResponse", - ">; }; migration: ", - "default", - "; ml: ", - "default", - "; msearch: { >(this: That, params: ", - "MsearchRequest", - " | ", - "MsearchRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "MsearchResponse", - ">; >(this: That, params: ", - "MsearchRequest", - " | ", - "MsearchRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - 
"MsearchResponse", - ", unknown>>; >(this: That, params: ", - "MsearchRequest", - " | ", - "MsearchRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "MsearchResponse", - ">; }; msearchTemplate: { >(this: That, params: ", - "MsearchTemplateRequest", - " | ", - "MsearchTemplateRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "MsearchTemplateResponse", - ">; >(this: That, params: ", - "MsearchTemplateRequest", - " | ", - "MsearchTemplateRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "MsearchTemplateResponse", - ", unknown>>; >(this: That, params: ", - "MsearchTemplateRequest", - " | ", - "MsearchTemplateRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "MsearchTemplateResponse", - ">; }; mtermvectors: { (this: That, params?: ", - "MtermvectorsRequest", - " | ", - "MtermvectorsRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "MtermvectorsResponse", - ">; (this: That, params?: ", - "MtermvectorsRequest", - " | ", - "MtermvectorsRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "MtermvectorsResponse", - ", unknown>>; (this: That, params?: ", - "MtermvectorsRequest", - " | ", - "MtermvectorsRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "MtermvectorsResponse", - ">; }; nodes: ", - "default", - "; openPointInTime: { (this: That, params: ", - "OpenPointInTimeRequest", - " | ", - "OpenPointInTimeRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "OpenPointInTimeResponse", - ">; (this: That, params: ", - "OpenPointInTimeRequest", - " | ", - "OpenPointInTimeRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | 
undefined): Promise<", - "TransportResult", - "<", - "OpenPointInTimeResponse", - ", unknown>>; (this: That, params: ", - "OpenPointInTimeRequest", - " | ", - "OpenPointInTimeRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "OpenPointInTimeResponse", - ">; }; ping: { (this: That, params?: ", - "PingRequest", - " | ", - "PingRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise; (this: That, params?: ", - "PingRequest", - " | ", - "PingRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - ">; (this: That, params?: ", - "PingRequest", - " | ", - "PingRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise; }; putScript: { (this: That, params: ", - "PutScriptRequest", - " | ", - "PutScriptRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "AcknowledgedResponseBase", - ">; (this: That, params: ", - "PutScriptRequest", - " | ", - "PutScriptRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "AcknowledgedResponseBase", - ", unknown>>; (this: That, params: ", - "PutScriptRequest", - " | ", - "PutScriptRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "AcknowledgedResponseBase", - ">; }; rankEval: { (this: That, params: ", - "RankEvalRequest", - " | ", - "RankEvalRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "RankEvalResponse", - ">; (this: That, params: ", - "RankEvalRequest", - " | ", - "RankEvalRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "RankEvalResponse", - ", unknown>>; (this: That, params: ", - "RankEvalRequest", - " | ", - "RankEvalRequest", - ", options?: ", - 
"TransportRequestOptions", - " | undefined): Promise<", - "RankEvalResponse", - ">; }; reindex: { (this: That, params: ", - "ReindexRequest", - " | ", - "ReindexRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "ReindexResponse", - ">; (this: That, params: ", - "ReindexRequest", - " | ", - "ReindexRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "ReindexResponse", - ", unknown>>; (this: That, params: ", - "ReindexRequest", - " | ", - "ReindexRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "ReindexResponse", - ">; }; reindexRethrottle: { (this: That, params: ", - "ReindexRethrottleRequest", - " | ", - "ReindexRethrottleRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "ReindexRethrottleResponse", - ">; (this: That, params: ", - "ReindexRethrottleRequest", - " | ", - "ReindexRethrottleRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "ReindexRethrottleResponse", - ", unknown>>; (this: That, params: ", - "ReindexRethrottleRequest", - " | ", - "ReindexRethrottleRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "ReindexRethrottleResponse", - ">; }; renderSearchTemplate: { (this: That, params?: ", - "RenderSearchTemplateRequest", - " | ", - "RenderSearchTemplateRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "RenderSearchTemplateResponse", - ">; (this: That, params?: ", - "RenderSearchTemplateRequest", - " | ", - "RenderSearchTemplateRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "RenderSearchTemplateResponse", - ", unknown>>; (this: That, params?: ", - "RenderSearchTemplateRequest", - " | ", - 
"RenderSearchTemplateRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "RenderSearchTemplateResponse", - ">; }; rollup: ", - "default", - "; scriptsPainlessExecute: { (this: That, params?: ", - "ScriptsPainlessExecuteRequest", - " | ", - "ScriptsPainlessExecuteRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "ScriptsPainlessExecuteResponse", - ">; (this: That, params?: ", - "ScriptsPainlessExecuteRequest", - " | ", - "ScriptsPainlessExecuteRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "ScriptsPainlessExecuteResponse", - ", unknown>>; (this: That, params?: ", - "ScriptsPainlessExecuteRequest", - " | ", - "ScriptsPainlessExecuteRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "ScriptsPainlessExecuteResponse", - ">; }; scroll: { >(this: That, params: ", - "ScrollRequest", - " | ", - "ScrollRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "ScrollResponse", - ">; >(this: That, params: ", - "ScrollRequest", - " | ", - "ScrollRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "ScrollResponse", - ", unknown>>; >(this: That, params: ", - "ScrollRequest", - " | ", - "ScrollRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "ScrollResponse", - ">; }; searchMvt: { (this: That, params: ", - "SearchMvtRequest", - " | ", - "SearchMvtRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise; (this: That, params: ", - "SearchMvtRequest", - " | ", - "SearchMvtRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - ">; (this: That, params: ", - "SearchMvtRequest", - " | ", - 
"SearchMvtRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise; }; searchShards: { (this: That, params?: ", - "SearchShardsRequest", - " | ", - "SearchShardsRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "SearchShardsResponse", - ">; (this: That, params?: ", - "SearchShardsRequest", - " | ", - "SearchShardsRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "SearchShardsResponse", - ", unknown>>; (this: That, params?: ", - "SearchShardsRequest", - " | ", - "SearchShardsRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "SearchShardsResponse", - ">; }; searchTemplate: { (this: That, params?: ", - "SearchTemplateRequest", - " | ", - "SearchTemplateRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "SearchTemplateResponse", - ">; (this: That, params?: ", - "SearchTemplateRequest", - " | ", - "SearchTemplateRequest", - " | undefined, options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "SearchTemplateResponse", - ", unknown>>; (this: That, params?: ", - "SearchTemplateRequest", - " | ", - "SearchTemplateRequest", - " | undefined, options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "SearchTemplateResponse", - ">; }; searchableSnapshots: ", - "default", - "; shutdown: ", - "default", - "; slm: ", - "default", - "; snapshot: ", - "default", - "; sql: ", - "default", - "; ssl: ", - "default", - "; tasks: ", - "default", - "; termsEnum: { (this: That, params: ", - "TermsEnumRequest", - " | ", - "TermsEnumRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "TermsEnumResponse", - ">; (this: That, params: ", - "TermsEnumRequest", - " | ", - "TermsEnumRequest", - ", 
options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "TermsEnumResponse", - ", unknown>>; (this: That, params: ", - "TermsEnumRequest", - " | ", - "TermsEnumRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "TermsEnumResponse", - ">; }; termvectors: { (this: That, params: ", - "TermvectorsRequest", - " | ", - "TermvectorsRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "TermvectorsResponse", - ">; (this: That, params: ", - "TermvectorsRequest", - " | ", - "TermvectorsRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "TermvectorsResponse", - ", unknown>>; (this: That, params: ", - "TermvectorsRequest", - " | ", - "TermvectorsRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "TermvectorsResponse", - ">; }; textStructure: ", - "default", - "; transform: ", - "default", - "; updateByQuery: { (this: That, params: ", - "UpdateByQueryRequest", - " | ", - "UpdateByQueryRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "UpdateByQueryResponse", - ">; (this: That, params: ", - "UpdateByQueryRequest", - " | ", - "UpdateByQueryRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "UpdateByQueryResponse", - ", unknown>>; (this: That, params: ", - "UpdateByQueryRequest", - " | ", - "UpdateByQueryRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "UpdateByQueryResponse", - ">; }; updateByQueryRethrottle: { (this: That, params: ", - "UpdateByQueryRethrottleRequest", - " | ", - "UpdateByQueryRethrottleRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "UpdateByQueryRethrottleResponse", - ">; (this: That, params: ", - 
"UpdateByQueryRethrottleRequest", - " | ", - "UpdateByQueryRethrottleRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "UpdateByQueryRethrottleResponse", - ", unknown>>; (this: That, params: ", - "UpdateByQueryRethrottleRequest", - " | ", - "UpdateByQueryRethrottleRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "UpdateByQueryRethrottleResponse", - ">; }; watcher: ", - "default", - "; xpack: ", - "default", - "; }" - ], - "path": "src/plugins/data_views/server/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$3", - "type": "Object", - "tags": [], - "label": "request", - "description": [], - "signature": [ - { - "pluginId": "@kbn/core-http-server", - "scope": "common", - "docId": "kibKbnCoreHttpServerPluginApi", - "section": "def-common.KibanaRequest", - "text": "KibanaRequest" - }, - " | undefined" - ], - "path": "src/plugins/data_views/server/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$4", - "type": "CompoundType", - "tags": [], - "label": "byPassCapabilities", - "description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/server/types.ts", - "deprecated": false, - "trackAdoption": false - } - ] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor", - "type": "Interface", - "tags": [], - "label": "FieldDescriptor", - "description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.aggregatable", - "type": "boolean", - "tags": [], - "label": "aggregatable", - 
"description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.name", - "type": "string", - "tags": [], - "label": "name", - "description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.readFromDocValues", - "type": "boolean", - "tags": [], - "label": "readFromDocValues", - "description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.searchable", - "type": "boolean", - "tags": [], - "label": "searchable", - "description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.type", - "type": "string", - "tags": [], - "label": "type", - "description": [], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.esTypes", - "type": "Array", - "tags": [], - "label": "esTypes", - "description": [], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.subType", - "type": "Object", - "tags": [], - "label": "subType", - "description": [], - "signature": [ - "FieldSubType | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": 
"def-server.FieldDescriptor.metadata_field", - "type": "CompoundType", - "tags": [], - "label": "metadata_field", - "description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.fixedInterval", - "type": "Array", - "tags": [], - "label": "fixedInterval", - "description": [], - "signature": [ - "string[] | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.timeZone", - "type": "Array", - "tags": [], - "label": "timeZone", - "description": [], - "signature": [ - "string[] | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.timeSeriesMetric", - "type": "CompoundType", - "tags": [], - "label": "timeSeriesMetric", - "description": [], - "signature": [ - "\"gauge\" | \"histogram\" | \"summary\" | \"counter\" | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.FieldDescriptor.timeSeriesDimension", - "type": "CompoundType", - "tags": [], - "label": "timeSeriesDimension", - "description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.IEsSearchRequest", - "type": "Interface", - "tags": [], - "label": "IEsSearchRequest", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": 
"common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IEsSearchRequest", - "text": "IEsSearchRequest" - }, - " extends ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IKibanaSearchRequest", - "text": "IKibanaSearchRequest" - }, - "<", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.ISearchRequestParams", - "text": "ISearchRequestParams" - }, - ">" - ], - "path": "src/plugins/data/common/search/strategies/es_search/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.IEsSearchRequest.indexType", - "type": "string", - "tags": [], - "label": "indexType", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data/common/search/strategies/es_search/types.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions", - "type": "Interface", - "tags": [], - "label": "ISearchOptions", - "description": [], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.abortSignal", - "type": "Object", - "tags": [], - "label": "abortSignal", - "description": [ - "\nAn `AbortSignal` that allows the caller of `search` to abort a search request." - ], - "signature": [ - "AbortSignal | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.strategy", - "type": "string", - "tags": [], - "label": "strategy", - "description": [ - "\nUse this option to force using a specific server side search strategy. Leave empty to use the default strategy." 
- ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.legacyHitsTotal", - "type": "CompoundType", - "tags": [], - "label": "legacyHitsTotal", - "description": [ - "\nRequest the legacy format for the total number of hits. If sending `rest_total_hits_as_int` to\nsomething other than `true`, this should be set to `false`." - ], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.sessionId", - "type": "string", - "tags": [], - "label": "sessionId", - "description": [ - "\nA session ID, grouping multiple search requests into a single session." - ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.isStored", - "type": "CompoundType", - "tags": [], - "label": "isStored", - "description": [ - "\nWhether the session is already saved (i.e. sent to background)" - ], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.isSearchStored", - "type": "CompoundType", - "tags": [], - "label": "isSearchStored", - "description": [ - "\nWhether the search was successfully polled after session was saved. Search was added to a session saved object and keepAlive extended." 
- ], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.isRestore", - "type": "CompoundType", - "tags": [], - "label": "isRestore", - "description": [ - "\nWhether the session is restored (i.e. search requests should re-use the stored search IDs,\nrather than starting from scratch)" - ], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.executionContext", - "type": "Object", - "tags": [], - "label": "executionContext", - "description": [ - "\nRepresents a meta-information about a Kibana entity intitating a saerch request." - ], - "signature": [ - { - "pluginId": "@kbn/core-execution-context-common", - "scope": "common", - "docId": "kibKbnCoreExecutionContextCommonPluginApi", - "section": "def-common.KibanaExecutionContext", - "text": "KibanaExecutionContext" - }, - " | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.indexPattern", - "type": "Object", - "tags": [], - "label": "indexPattern", - "description": [ - "\nIndex pattern reference is used for better error messages" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - " | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.ISearchOptions.transport", - "type": "Object", - "tags": [], - "label": "transport", - "description": [ - "\nTransportRequestOptions, other than `signal`, to pass through to the ES 
client.\nTo pass an abort signal, use {@link ISearchOptions.abortSignal}" - ], - "signature": [ - "Omit<", - "TransportRequestOptions", - ", \"signal\"> | undefined" - ], - "path": "src/plugins/data/common/search/types.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - } - ], - "enums": [ - { - "parentPluginId": "data", - "id": "def-server.ES_FIELD_TYPES", - "type": "Enum", - "tags": [], - "label": "ES_FIELD_TYPES", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.KBN_FIELD_TYPES", - "type": "Enum", - "tags": [], - "label": "KBN_FIELD_TYPES", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.METRIC_TYPES", - "type": "Enum", - "tags": [], - "label": "METRIC_TYPES", - "description": [], - "path": "src/plugins/data/common/search/aggs/metrics/metric_agg_types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - } - ], - "misc": [ - { - "parentPluginId": "data", - "id": "def-server.DEFAULT_QUERY_LANGUAGE", - "type": "string", - "tags": [], - "label": "DEFAULT_QUERY_LANGUAGE", - "description": [], - "signature": [ - "\"kuery\"" - ], - "path": "src/plugins/data/common/constants.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.ES_SEARCH_STRATEGY", - "type": "string", - "tags": [], - "label": "ES_SEARCH_STRATEGY", - "description": [], - "signature": [ - "\"es\"" - ], - "path": "src/plugins/data/common/search/strategies/es_search/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.IEsSearchResponse", - "type": "Type", - "tags": [], - 
"label": "IEsSearchResponse", - "description": [], - "signature": [ - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IKibanaSearchResponse", - "text": "IKibanaSearchResponse" - }, - "<", - "SearchResponse", - ">>" - ], - "path": "src/plugins/data/common/search/strategies/es_search/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.ParsedInterval", - "type": "Type", - "tags": [], - "label": "ParsedInterval", - "description": [], - "signature": [ - "{ value: number; unit: ", - { - "pluginId": "@kbn/datemath", - "scope": "common", - "docId": "kibKbnDatemathPluginApi", - "section": "def-common.Unit", - "text": "Unit" - }, - "; type: \"fixed\" | \"calendar\"; }" - ], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_es_interval.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - } - ], - "objects": [ - { - "parentPluginId": "data", - "id": "def-server.exporters", - "type": "Object", - "tags": [], - "label": "exporters", - "description": [], - "path": "src/plugins/data/server/index.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + "parentPluginId": "data", + "id": "def-public.indexPatterns.validate", + "type": "Function", + "tags": [], + "label": "validate", + "description": [], + "signature": [ + "(indexPattern: string) => { ILLEGAL_CHARACTERS?: string[] | undefined; CONTAINS_SPACES?: boolean | undefined; }" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.indexPatterns.validate.$1", + "type": "string", + "tags": [], + "label": "indexPattern", + "description": [], + "path": "src/plugins/data_views/common/lib/validate_data_view.ts", + "deprecated": false, + "trackAdoption": false + } + ] + } + ], + 
"initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-public.search", + "type": "Object", + "tags": [], + "label": "search", + "description": [], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { "parentPluginId": "data", - "id": "def-server.exporters.datatableToCSV", - "type": "Function", + "id": "def-public.search.aggs", + "type": "Object", "tags": [], - "label": "datatableToCSV", + "label": "aggs", "description": [], - "signature": [ - "({ columns, rows }: ", + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" + "parentPluginId": "data", + "id": "def-public.search.aggs.CidrMask", + "type": "Object", + "tags": [], + "label": "CidrMask", + "description": [], + "signature": [ + "typeof ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.CidrMask", + "text": "CidrMask" + } + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.search.aggs.dateHistogramInterval", + "type": "Function", + "tags": [], + "label": "dateHistogramInterval", + "description": [], + "signature": [ + "(interval: string, shouldForceFixed?: boolean | undefined) => Interval" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.dateHistogramInterval.$1", + "type": "string", + "tags": [], + "label": "interval", + "description": [], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": 
"data", + "id": "def-public.search.aggs.dateHistogramInterval.$2", + "type": "CompoundType", + "tags": [], + "label": "shouldForceFixed", + "description": [], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", + "deprecated": false, + "trackAdoption": false + } + ] + }, + { + "parentPluginId": "data", + "id": "def-public.search.aggs.intervalOptions", + "type": "Array", + "tags": [], + "label": "intervalOptions", + "description": [], + "signature": [ + "({ display: any; val: string; enabled(agg: ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IBucketAggConfig", + "text": "IBucketAggConfig" + }, + "): boolean; } | { display: any; val: string; })[]" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.search.aggs.InvalidEsCalendarIntervalError", + "type": "Object", + "tags": [], + "label": "InvalidEsCalendarIntervalError", + "description": [], + "signature": [ + "typeof ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.InvalidEsCalendarIntervalError", + "text": "InvalidEsCalendarIntervalError" + } + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.search.aggs.InvalidEsIntervalFormatError", + "type": "Object", + "tags": [], + "label": "InvalidEsIntervalFormatError", + "description": [], + "signature": [ + "typeof ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.InvalidEsIntervalFormatError", + "text": "InvalidEsIntervalFormatError" + } + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": 
"def-public.search.aggs.IpAddress", + "type": "Object", + "tags": [], + "label": "IpAddress", + "description": [], + "signature": [ + "typeof ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IpAddress", + "text": "IpAddress" + } + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.search.aggs.isDateHistogramBucketAggConfig", + "type": "Function", + "tags": [], + "label": "isDateHistogramBucketAggConfig", + "description": [], + "signature": [ + "(agg: any) => agg is ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IBucketDateHistogramAggConfig", + "text": "IBucketDateHistogramAggConfig" + } + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.isDateHistogramBucketAggConfig.$1", + "type": "Any", + "tags": [], + "label": "agg", + "description": [], + "signature": [ + "any" + ], + "path": "src/plugins/data/common/search/aggs/buckets/date_histogram.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, - ", { csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }: CSVOptions) => string" - ], - "path": "src/plugins/data/server/index.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ { "parentPluginId": "data", - "id": "def-server.exporters.datatableToCSV.$1", - "type": "Object", + "id": "def-public.search.aggs.isNumberType", + "type": "Function", "tags": [], - "label": "__0", + "label": "isNumberType", "description": [], "signature": [ + "(agg: ", { - "pluginId": "expressions", + "pluginId": "data", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" - } + "docId": 
"kibDataSearchPluginApi", + "section": "def-common.AggConfig", + "text": "AggConfig" + }, + ") => boolean" ], - "path": "src/plugins/data/common/exports/export_csv.tsx", + "path": "src/plugins/data/public/index.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.isNumberType.$1", + "type": "Object", + "tags": [], + "label": "agg", + "description": [], + "signature": [ + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfig", + "text": "AggConfig" + } + ], + "path": "src/plugins/data/common/search/aggs/buckets/migrate_include_exclude_format.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { "parentPluginId": "data", - "id": "def-server.exporters.datatableToCSV.$2", - "type": "Object", + "id": "def-public.search.aggs.isStringType", + "type": "Function", "tags": [], - "label": "__1", + "label": "isStringType", "description": [], "signature": [ - "CSVOptions" + "(agg: ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfig", + "text": "AggConfig" + }, + ") => boolean" ], - "path": "src/plugins/data/common/exports/export_csv.tsx", + "path": "src/plugins/data/public/index.ts", "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-server.exporters.CSV_MIME_TYPE", - "type": "string", - "tags": [], - "label": "CSV_MIME_TYPE", - "description": [], - "path": "src/plugins/data/server/index.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.search", - "type": "Object", - "tags": [], - "label": "search", - "description": [], - "path": "src/plugins/data/server/index.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - 
"id": "def-server.search.aggs", - "type": "Object", - "tags": [], - "label": "aggs", - "description": [], - "path": "src/plugins/data/server/index.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.isStringType.$1", + "type": "Object", + "tags": [], + "label": "agg", + "description": [], + "signature": [ + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfig", + "text": "AggConfig" + } + ], + "path": "src/plugins/data/common/search/aggs/buckets/migrate_include_exclude_format.ts", + "deprecated": false, + "trackAdoption": false + } + ] + }, { "parentPluginId": "data", - "id": "def-server.search.aggs.CidrMask", - "type": "Object", + "id": "def-public.search.aggs.isType", + "type": "Function", "tags": [], - "label": "CidrMask", + "label": "isType", "description": [], "signature": [ - "typeof ", + "(...types: string[]) => (agg: ", { "pluginId": "data", "scope": "common", "docId": "kibDataSearchPluginApi", - "section": "def-common.CidrMask", - "text": "CidrMask" - } + "section": "def-common.AggConfig", + "text": "AggConfig" + }, + ") => boolean" ], - "path": "src/plugins/data/server/index.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.isType.$1", + "type": "Array", + "tags": [], + "label": "types", + "description": [], + "signature": [ + "string[]" + ], + "path": "src/plugins/data/common/search/aggs/buckets/migrate_include_exclude_format.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { "parentPluginId": "data", - "id": "def-server.search.aggs.dateHistogramInterval", + "id": "def-public.search.aggs.isValidEsInterval", "type": "Function", "tags": [], - "label": 
"dateHistogramInterval", + "label": "isValidEsInterval", "description": [], "signature": [ - "(interval: string, shouldForceFixed?: boolean | undefined) => Interval" + "(interval: string) => boolean" ], - "path": "src/plugins/data/server/index.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-server.search.aggs.dateHistogramInterval.$1", + "id": "def-public.search.aggs.isValidEsInterval.$1", "type": "string", "tags": [], "label": "interval", "description": [], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/is_valid_es_interval.ts", + "deprecated": false, + "trackAdoption": false + } + ] + }, + { + "parentPluginId": "data", + "id": "def-public.search.aggs.isValidInterval", + "type": "Function", + "tags": [], + "label": "isValidInterval", + "description": [], + "signature": [ + "(value: string, baseInterval?: string | undefined) => boolean" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.isValidInterval.$1", + "type": "string", + "tags": [], + "label": "value", + "description": [], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/is_valid_interval.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-server.search.aggs.dateHistogramInterval.$2", - "type": "CompoundType", + "id": "def-public.search.aggs.isValidInterval.$2", + "type": "string", "tags": [], - "label": "shouldForceFixed", + "label": "baseInterval", "description": [], "signature": [ - "boolean | undefined" + "string | undefined" ], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", + "path": 
"src/plugins/data/common/search/aggs/utils/date_interval_utils/is_valid_interval.ts", "deprecated": false, "trackAdoption": false } @@ -21007,48 +12392,49 @@ }, { "parentPluginId": "data", - "id": "def-server.search.aggs.IpAddress", - "type": "Object", + "id": "def-public.search.aggs.parentPipelineType", + "type": "Any", "tags": [], - "label": "IpAddress", + "label": "parentPipelineType", "description": [], "signature": [ - "typeof ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IpAddress", - "text": "IpAddress" - } + "any" ], - "path": "src/plugins/data/server/index.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-server.search.aggs.parseInterval", + "id": "def-public.search.aggs.parseEsInterval", "type": "Function", "tags": [], - "label": "parseInterval", + "label": "parseEsInterval", "description": [], "signature": [ - "(interval: string) => moment.Duration | null" + "(interval: string) => { value: number; unit: ", + { + "pluginId": "@kbn/datemath", + "scope": "common", + "docId": "kibKbnDatemathPluginApi", + "section": "def-common.Unit", + "text": "Unit" + }, + "; type: \"fixed\" | \"calendar\"; }" ], - "path": "src/plugins/data/server/index.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-server.search.aggs.parseInterval.$1", + "id": "def-public.search.aggs.parseEsInterval.$1", "type": "string", "tags": [], "label": "interval", "description": [], - "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_es_interval.ts", "deprecated": false, "trackAdoption": false } 
@@ -21056,833 +12442,871 @@ }, { "parentPluginId": "data", - "id": "def-server.search.aggs.calcAutoIntervalLessThan", + "id": "def-public.search.aggs.parseInterval", "type": "Function", "tags": [], - "label": "calcAutoIntervalLessThan", + "label": "parseInterval", "description": [], "signature": [ - "(maxBucketCount: number, duration: number) => moment.Duration" + "(interval: string) => moment.Duration | null" ], - "path": "src/plugins/data/server/index.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-server.search.aggs.calcAutoIntervalLessThan.$1", - "type": "number", - "tags": [], - "label": "maxBucketCount", - "description": [], - "path": "src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.search.aggs.calcAutoIntervalLessThan.$2", - "type": "number", + "id": "def-public.search.aggs.parseInterval.$1", + "type": "string", "tags": [], - "label": "duration", + "label": "interval", "description": [], - "path": "src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", "deprecated": false, "trackAdoption": false } ] - } - ] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-server.UI_SETTINGS", - "type": "Object", - "tags": [], - "label": "UI_SETTINGS", - "description": [], - "signature": [ - "{ readonly META_FIELDS: \"metaFields\"; readonly DOC_HIGHLIGHT: \"doc_table:highlight\"; readonly QUERY_STRING_OPTIONS: \"query:queryString:options\"; readonly QUERY_ALLOW_LEADING_WILDCARDS: \"query:allowLeadingWildcards\"; readonly SEARCH_QUERY_LANGUAGE: \"search:queryLanguage\"; readonly SORT_OPTIONS: \"sort:options\"; readonly 
COURIER_IGNORE_FILTER_IF_FIELD_NOT_IN_INDEX: \"courier:ignoreFilterIfFieldNotInIndex\"; readonly COURIER_SET_REQUEST_PREFERENCE: \"courier:setRequestPreference\"; readonly COURIER_CUSTOM_REQUEST_PREFERENCE: \"courier:customRequestPreference\"; readonly COURIER_MAX_CONCURRENT_SHARD_REQUESTS: \"courier:maxConcurrentShardRequests\"; readonly SEARCH_INCLUDE_FROZEN: \"search:includeFrozen\"; readonly SEARCH_TIMEOUT: \"search:timeout\"; readonly HISTOGRAM_BAR_TARGET: \"histogram:barTarget\"; readonly HISTOGRAM_MAX_BARS: \"histogram:maxBars\"; readonly HISTORY_LIMIT: \"history:limit\"; readonly TIMEPICKER_REFRESH_INTERVAL_DEFAULTS: \"timepicker:refreshIntervalDefaults\"; readonly TIMEPICKER_QUICK_RANGES: \"timepicker:quickRanges\"; readonly TIMEPICKER_TIME_DEFAULTS: \"timepicker:timeDefaults\"; readonly FILTERS_PINNED_BY_DEFAULT: \"filters:pinnedByDefault\"; readonly FILTERS_EDITOR_SUGGEST_VALUES: \"filterEditor:suggestValues\"; readonly AUTOCOMPLETE_USE_TIMERANGE: \"autocomplete:useTimeRange\"; readonly AUTOCOMPLETE_VALUE_SUGGESTION_METHOD: \"autocomplete:valueSuggestionMethod\"; readonly DATE_FORMAT: \"dateFormat\"; readonly DATEFORMAT_TZ: \"dateFormat:tz\"; }" - ], - "path": "src/plugins/data/common/constants.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - } - ], - "setup": { - "parentPluginId": "data", - "id": "def-server.DataPluginSetup", - "type": "Interface", - "tags": [], - "label": "DataPluginSetup", - "description": [], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataPluginSetup.search", - "type": "Object", - "tags": [], - "label": "search", - "description": [], - "signature": [ - "ISearchSetup" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataPluginSetup.query", - "type": "Object", - "tags": [], - 
"label": "query", - "description": [], - "signature": [ - "QuerySetup" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataPluginSetup.fieldFormats", - "type": "Object", - "tags": [ - "deprecated" - ], - "label": "fieldFormats", - "description": [], - "signature": [ - { - "pluginId": "fieldFormats", - "scope": "server", - "docId": "kibFieldFormatsPluginApi", - "section": "def-server.FieldFormatsSetup", - "text": "FieldFormatsSetup" - } - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": true, - "trackAdoption": false, - "references": [] - } - ], - "lifecycle": "setup", - "initialIsOpen": true - }, - "start": { - "parentPluginId": "data", - "id": "def-server.DataPluginStart", - "type": "Interface", - "tags": [], - "label": "DataPluginStart", - "description": [], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-server.DataPluginStart.search", - "type": "Object", - "tags": [], - "label": "search", - "description": [], - "signature": [ - "ISearchStart", - "<", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IEsSearchRequest", - "text": "IEsSearchRequest" - }, - ", ", - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.IEsSearchResponse", - "text": "IEsSearchResponse" - }, - ">" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataPluginStart.fieldFormats", - "type": "Object", - "tags": [ - "deprecated" - ], - "label": "fieldFormats", - "description": [], - "signature": [ - { - "pluginId": "fieldFormats", - "scope": "server", - "docId": "kibFieldFormatsPluginApi", - "section": "def-server.FieldFormatsStart", - "text": 
"FieldFormatsStart" - } - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": true, - "trackAdoption": false, - "references": [] - }, - { - "parentPluginId": "data", - "id": "def-server.DataPluginStart.indexPatterns", - "type": "Object", - "tags": [], - "label": "indexPatterns", - "description": [], - "signature": [ - { - "pluginId": "dataViews", - "scope": "server", - "docId": "kibDataViewsPluginApi", - "section": "def-server.DataViewsServerPluginStart", - "text": "DataViewsServerPluginStart" - } - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-server.DataPluginStart.datatableUtilities", - "type": "Object", - "tags": [], - "label": "datatableUtilities", - "description": [ - "\nDatatable type utility functions." - ], - "signature": [ - "DatatableUtilitiesService" - ], - "path": "src/plugins/data/server/plugin.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "lifecycle": "start", - "initialIsOpen": true - } - }, - "common": { - "classes": [ - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService", - "type": "Class", - "tags": [], - "label": "DatatableUtilitiesService", - "description": [], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.Unnamed", - "type": "Function", - "tags": [], - "label": "Constructor", - "description": [], - "signature": [ - "any" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.Unnamed.$1", - "type": "Object", + "id": "def-public.search.aggs.propFilter", + "type": "Function", "tags": [], - "label": "aggs", + "label": "propFilter", 
"description": [], "signature": [ - { - "pluginId": "data", - "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggsCommonStart", - "text": "AggsCommonStart" - } + "

(prop: P) => (list: T[], filters?: string | string[] | FilterFunc) => T[]" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.propFilter.$1", + "type": "Uncategorized", + "tags": [], + "label": "prop", + "description": [], + "signature": [ + "P" + ], + "path": "src/plugins/data/common/search/aggs/utils/prop_filter.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.Unnamed.$2", - "type": "Object", + "id": "def-public.search.aggs.siblingPipelineType", + "type": "Any", "tags": [], - "label": "dataViews", + "label": "siblingPipelineType", "description": [], "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewsContract", - "text": "DataViewsContract" - } + "any" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.Unnamed.$3", - "type": "Object", + "id": "def-public.search.aggs.termsAggFilter", + "type": "Array", "tags": [], - "label": "fieldFormats", + "label": "termsAggFilter", "description": [], "signature": [ - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormatsStartCommon", - "text": "FieldFormatsStartCommon" - } + "string[]" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": 
true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.clearField", - "type": "Function", - "tags": [], - "label": "clearField", - "description": [], - "signature": [ - "(column: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" + "trackAdoption": false }, - ") => void" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.clearField.$1", - "type": "Object", + "id": "def-public.search.aggs.toAbsoluteDates", + "type": "Function", "tags": [], - "label": "column", + "label": "toAbsoluteDates", "description": [], "signature": [ + "(range: ", { - "pluginId": "expressions", + "pluginId": "@kbn/es-query", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.TimeRange", + "text": "TimeRange" + }, + ") => { from: Date; to: Date; } | undefined" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.clearFieldFormat", - "type": "Function", - "tags": [], - "label": "clearFieldFormat", - "description": [], - "signature": [ - "(column: ", + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.toAbsoluteDates.$1", + "type": "Object", + "tags": [], + "label": "range", + "description": [], + "signature": [ + "{ from: string; to: string; mode?: \"absolute\" | \"relative\" | undefined; }" + 
], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/to_absolute_dates.ts", + "deprecated": false, + "trackAdoption": false + } + ] + }, { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" + "parentPluginId": "data", + "id": "def-public.search.aggs.boundsDescendingRaw", + "type": "Array", + "tags": [], + "label": "boundsDescendingRaw", + "description": [], + "signature": [ + "({ bound: number; interval: moment.Duration; boundLabel: any; intervalLabel: any; } | { bound: moment.Duration; interval: moment.Duration; boundLabel: any; intervalLabel: any; })[]" + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false }, - ") => void" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.clearFieldFormat.$1", - "type": "Object", + "id": "def-public.search.aggs.calcAutoIntervalLessThan", + "type": "Function", "tags": [], - "label": "column", + "label": "calcAutoIntervalLessThan", "description": [], "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } + "(maxBucketCount: number, duration: number) => moment.Duration" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.aggs.calcAutoIntervalLessThan.$1", + "type": "number", + "tags": [], + "label": "maxBucketCount", + "description": [], + "path": 
"src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.search.aggs.calcAutoIntervalLessThan.$2", + "type": "number", + "tags": [], + "label": "duration", + "description": [], + "path": "src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", + "deprecated": false, + "trackAdoption": false + } + ] } - ], - "returnComment": [] + ] }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getAggConfig", + "id": "def-public.search.getResponseInspectorStats", "type": "Function", "tags": [], - "label": "getAggConfig", + "label": "getResponseInspectorStats", "description": [], "signature": [ - "(column: ", + "(resp?: ", + "SearchResponse", + "> | undefined, searchSource?: ", { - "pluginId": "expressions", + "pluginId": "data", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" + "docId": "kibDataSearchPluginApi", + "section": "def-common.ISearchSource", + "text": "ISearchSource" }, - ") => Promise<", + " | undefined) => ", { - "pluginId": "data", + "pluginId": "inspector", "scope": "common", - "docId": "kibDataSearchPluginApi", - "section": "def-common.AggConfig", - "text": "AggConfig" + "docId": "kibInspectorPluginApi", + "section": "def-common.RequestStatistics", + "text": "RequestStatistics" + } + ], + "path": "src/plugins/data/public/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-public.search.getResponseInspectorStats.$1", + "type": "Object", + "tags": [], + "label": "resp", + "description": [], + "signature": [ + "SearchResponse", + "> | undefined" + ], + "path": "src/plugins/data/common/search/search_source/inspect/inspector_stats.ts", + "deprecated": false, + "trackAdoption": false }, - " | undefined>" - ], - 
"path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getAggConfig.$1", + "id": "def-public.search.getResponseInspectorStats.$2", "type": "Object", "tags": [], - "label": "column", + "label": "searchSource", "description": [], "signature": [ { - "pluginId": "expressions", + "pluginId": "data", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } + "docId": "kibDataSearchPluginApi", + "section": "def-common.ISearchSource", + "text": "ISearchSource" + }, + " | undefined" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/common/search/search_source/inspect/inspector_stats.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false } - ], - "returnComment": [] + ] }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getDateHistogramMeta", + "id": "def-public.search.tabifyAggResponse", "type": "Function", "tags": [], - "label": "getDateHistogramMeta", - "description": [ - "\nHelper function returning the used interval, used time zone and applied time filters for data table column created by the date_histogramm agg type.\n\"auto\" will get expanded to the actually used interval.\nIf the column is not a column created by a date_histogram aggregation of the esaggs data source,\nthis function will return undefined." 
- ], + "label": "tabifyAggResponse", + "description": [], "signature": [ - "(column: ", + "(aggConfigs: ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfigs", + "text": "AggConfigs" + }, + ", esResponse: Record, respOpts?: Partial<", + "TabbedResponseWriterOptions", + "> | undefined) => ", { "pluginId": "expressions", "scope": "common", "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - ", defaults?: Partial<{ timeZone: string; }>) => DateHistogramMeta | undefined" + "section": "def-common.Datatable", + "text": "Datatable" + } ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, + "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getDateHistogramMeta.$1", + "id": "def-public.search.tabifyAggResponse.$1", "type": "Object", "tags": [], - "label": "column", + "label": "aggConfigs", "description": [], "signature": [ { - "pluginId": "expressions", + "pluginId": "data", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfigs", + "text": "AggConfigs" } ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/common/search/tabify/tabify.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getDateHistogramMeta.$2", + "id": "def-public.search.tabifyAggResponse.$2", "type": "Object", "tags": [], - "label": "defaults", + "label": "esResponse", "description": [], "signature": [ - "Partial<{ timeZone: string; }>" + "{ [x: string]: any; }" ], 
- "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/common/search/tabify/tabify.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getDataView", - "type": "Function", - "tags": [], - "label": "getDataView", - "description": [], - "signature": [ - "(column: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - ") => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "trackAdoption": false }, - " | undefined>" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getDataView.$1", + "id": "def-public.search.tabifyAggResponse.$3", "type": "Object", "tags": [], - "label": "column", + "label": "respOpts", "description": [], "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } + "Partial<", + "TabbedResponseWriterOptions", + "> | undefined" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/common/search/tabify/tabify.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false } - ], - "returnComment": [] + ] }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getField", + "id": "def-public.search.tabifyGetColumns", "type": "Function", "tags": [], - "label": "getField", + "label": "tabifyGetColumns", "description": [], 
"signature": [ - "(column: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - ") => Promise<", + "(aggs: ", { - "pluginId": "dataViews", + "pluginId": "data", "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfig", + "text": "AggConfig" }, - " | undefined>" + "[], minimalColumns: boolean) => ", + "TabbedAggColumn", + "[]" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/public/index.ts", "deprecated": false, "trackAdoption": false, + "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getField.$1", - "type": "Object", + "id": "def-public.search.tabifyGetColumns.$1", + "type": "Array", "tags": [], - "label": "column", + "label": "aggs", "description": [], "signature": [ { - "pluginId": "expressions", + "pluginId": "data", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfig", + "text": "AggConfig" + }, + "[]" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/common/search/tabify/get_columns.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.search.tabifyGetColumns.$2", + "type": "boolean", + "tags": [], + "label": "minimalColumns", + "description": [], + "path": "src/plugins/data/common/search/tabify/get_columns.ts", + "deprecated": false, + "trackAdoption": false } - ], - "returnComment": [] - }, + ] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": 
"data", + "id": "def-public.UI_SETTINGS", + "type": "Object", + "tags": [], + "label": "UI_SETTINGS", + "description": [], + "signature": [ + "{ readonly META_FIELDS: \"metaFields\"; readonly DOC_HIGHLIGHT: \"doc_table:highlight\"; readonly QUERY_STRING_OPTIONS: \"query:queryString:options\"; readonly QUERY_ALLOW_LEADING_WILDCARDS: \"query:allowLeadingWildcards\"; readonly SEARCH_QUERY_LANGUAGE: \"search:queryLanguage\"; readonly SORT_OPTIONS: \"sort:options\"; readonly COURIER_IGNORE_FILTER_IF_FIELD_NOT_IN_INDEX: \"courier:ignoreFilterIfFieldNotInIndex\"; readonly COURIER_SET_REQUEST_PREFERENCE: \"courier:setRequestPreference\"; readonly COURIER_CUSTOM_REQUEST_PREFERENCE: \"courier:customRequestPreference\"; readonly COURIER_MAX_CONCURRENT_SHARD_REQUESTS: \"courier:maxConcurrentShardRequests\"; readonly SEARCH_INCLUDE_FROZEN: \"search:includeFrozen\"; readonly SEARCH_TIMEOUT: \"search:timeout\"; readonly HISTOGRAM_BAR_TARGET: \"histogram:barTarget\"; readonly HISTOGRAM_MAX_BARS: \"histogram:maxBars\"; readonly HISTORY_LIMIT: \"history:limit\"; readonly TIMEPICKER_REFRESH_INTERVAL_DEFAULTS: \"timepicker:refreshIntervalDefaults\"; readonly TIMEPICKER_QUICK_RANGES: \"timepicker:quickRanges\"; readonly TIMEPICKER_TIME_DEFAULTS: \"timepicker:timeDefaults\"; readonly FILTERS_PINNED_BY_DEFAULT: \"filters:pinnedByDefault\"; readonly FILTERS_EDITOR_SUGGEST_VALUES: \"filterEditor:suggestValues\"; readonly AUTOCOMPLETE_USE_TIMERANGE: \"autocomplete:useTimeRange\"; readonly AUTOCOMPLETE_VALUE_SUGGESTION_METHOD: \"autocomplete:valueSuggestionMethod\"; readonly DATE_FORMAT: \"dateFormat\"; readonly DATEFORMAT_TZ: \"dateFormat:tz\"; }" + ], + "path": "src/plugins/data/common/constants.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + } + ], + "setup": { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginSetup", + "type": "Interface", + "tags": [], + "label": "DataPublicPluginSetup", + "description": [ + "\nData plugin public Setup 
contract" + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginSetup.search", + "type": "Object", + "tags": [], + "label": "search", + "description": [], + "signature": [ + { + "pluginId": "data", + "scope": "public", + "docId": "kibDataSearchPluginApi", + "section": "def-public.ISearchSetup", + "text": "ISearchSetup" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginSetup.query", + "type": "Object", + "tags": [], + "label": "query", + "description": [], + "signature": [ + { + "pluginId": "data", + "scope": "public", + "docId": "kibDataQueryPluginApi", + "section": "def-public.QuerySetup", + "text": "QuerySetup" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "lifecycle": "setup", + "initialIsOpen": true + }, + "start": { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart", + "type": "Interface", + "tags": [], + "label": "DataPublicPluginStart", + "description": [ + "\nData plugin public Start contract" + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.actions", + "type": "Object", + "tags": [], + "label": "actions", + "description": [ + "\nfilter creation utilities\n{@link DataPublicPluginStartActions}" + ], + "signature": [ + { + "pluginId": "data", + "scope": "public", + "docId": "kibDataPluginApi", + "section": "def-public.DataPublicPluginStartActions", + "text": "DataPublicPluginStartActions" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.dataViews", + 
"type": "Object", + "tags": [], + "label": "dataViews", + "description": [ + "\ndata views service\n{@link DataViewsContract}" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "public", + "docId": "kibDataViewsPluginApi", + "section": "def-public.DataViewsServicePublic", + "text": "DataViewsServicePublic" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.datatableUtilities", + "type": "Object", + "tags": [], + "label": "datatableUtilities", + "description": [ + "\nDatatable type utility functions." + ], + "signature": [ + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataPluginApi", + "section": "def-common.DatatableUtilitiesService", + "text": "DatatableUtilitiesService" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.indexPatterns", + "type": "Object", + "tags": [ + "deprecated" + ], + "label": "indexPatterns", + "description": [ + "\nindex patterns service\n{@link DataViewsContract}" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "public", + "docId": "kibDataViewsPluginApi", + "section": "def-public.DataViewsServicePublic", + "text": "DataViewsServicePublic" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/hooks/use_kibana_index_patterns.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/plugin.ts" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx" + }, + { + "plugin": "stackAlerts", + "path": 
"x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/entity_index_expression.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/control/list_control_factory.ts" + }, + { + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/control/range_control_factory.ts" + }, + { + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/components/editor/controls_tab.tsx" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/mock/endpoint/dependencies_start_mock.ts" + }, + { + "plugin": "savedObjects", + "path": "src/plugins/saved_objects/public/saved_object/saved_object.test.ts" + }, + { + "plugin": "savedObjects", + "path": "src/plugins/saved_objects/public/saved_object/saved_object.test.ts" + } + ] + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.search", + "type": "Object", + "tags": [], + "label": "search", + "description": [ + "\nsearch service\n{@link ISearchStart}" + ], + "signature": [ + { + "pluginId": "data", + "scope": "public", + "docId": "kibDataSearchPluginApi", + "section": "def-public.ISearchStart", + "text": "ISearchStart" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.fieldFormats", + "type": "CompoundType", + "tags": [ + "deprecated" + ], + "label": "fieldFormats", + "description": [], + "signature": [ + "Omit<", + { + "pluginId": 
"fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormatsRegistry", + "text": "FieldFormatsRegistry" + }, + ", \"init\" | \"register\"> & { deserialize: ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FormatFactory", + "text": "FormatFactory" + }, + "; }" + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "dashboard", + "path": "src/plugins/dashboard/public/services/data/types.ts" + }, + { + "plugin": "dashboard", + "path": "src/plugins/dashboard/public/services/data/data_service.ts" + }, + { + "plugin": "dataVisualizer", + "path": "x-pack/plugins/data_visualizer/public/application/common/components/stats_table/components/field_data_row/document_stats.tsx" + }, + { + "plugin": "dataVisualizer", + "path": "x-pack/plugins/data_visualizer/public/application/common/components/top_values/top_values.tsx" + }, + { + "plugin": "dataVisualizer", + "path": "x-pack/plugins/data_visualizer/public/application/common/components/stats_table/components/field_data_expanded_row/choropleth_map.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/threshold/expression.tsx" + }, + { + "plugin": "expressionPartitionVis", + "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + }, + { + "plugin": "expressionPartitionVis", + "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + }, + { + "plugin": "expressionPartitionVis", + "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + }, + { + "plugin": "expressionPartitionVis", + "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + }, + { + "plugin": "expressionPartitionVis", + "path": 
"src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + }, + { + "plugin": "expressionPartitionVis", + "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + }, + { + "plugin": "expressionPartitionVis", + "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + }, + { + "plugin": "expressionPartitionVis", + "path": "src/plugins/chart_expressions/expression_partition_vis/public/utils/layers/get_layers.test.ts" + } + ] + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.query", + "type": "Object", + "tags": [], + "label": "query", + "description": [ + "\nquery service\n{@link QueryStart}" + ], + "signature": [ + { + "pluginId": "data", + "scope": "public", + "docId": "kibDataQueryPluginApi", + "section": "def-public.QueryStart", + "text": "QueryStart" + } + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-public.DataPublicPluginStart.nowProvider", + "type": "Object", + "tags": [], + "label": "nowProvider", + "description": [], + "signature": [ + "{ get: () => Date; }" + ], + "path": "src/plugins/data/public/types.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "lifecycle": "start", + "initialIsOpen": true + } + }, + "server": { + "classes": [ + { + "parentPluginId": "data", + "id": "def-server.DataServerPlugin", + "type": "Class", + "tags": [], + "label": "DataServerPlugin", + "description": [], + "signature": [ { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getFieldFormat", - "type": "Function", - "tags": [], - "label": "getFieldFormat", - "description": [], - "signature": [ - "(column: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - ") 
=> ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormat", - "text": "FieldFormat" - }, - " | undefined" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getFieldFormat.$1", - "type": "Object", - "tags": [], - "label": "column", - "description": [], - "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] + "pluginId": "data", + "scope": "server", + "docId": "kibDataPluginApi", + "section": "def-server.DataServerPlugin", + "text": "DataServerPlugin" }, + " implements ", { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getInterval", - "type": "Function", - "tags": [], - "label": "getInterval", - "description": [], - "signature": [ - "(column: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - ") => string | undefined" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getInterval.$1", - "type": "Object", - "tags": [], - "label": "column", - "description": [], - "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } - ], - "path": 
"src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] + "pluginId": "@kbn/core-plugins-server", + "scope": "common", + "docId": "kibKbnCorePluginsServerPluginApi", + "section": "def-common.Plugin", + "text": "Plugin" }, + "<", { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getNumberHistogramInterval", - "type": "Function", - "tags": [], - "label": "getNumberHistogramInterval", - "description": [ - "\nHelper function returning the used interval for data table column created by the histogramm agg type.\n\"auto\" will get expanded to the actually used interval.\nIf the column is not a column created by a histogram aggregation of the esaggs data source,\nthis function will return undefined." - ], - "signature": [ - "(column: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - ") => number | undefined" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getNumberHistogramInterval.$1", - "type": "Object", - "tags": [], - "label": "column", - "description": [], - "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] + "pluginId": "data", + "scope": "server", + "docId": "kibDataPluginApi", + "section": "def-server.DataPluginSetup", + "text": "DataPluginSetup" + }, + ", ", + { + "pluginId": "data", + 
"scope": "server", + "docId": "kibDataPluginApi", + "section": "def-server.DataPluginStart", + "text": "DataPluginStart" }, + ", ", + "DataPluginSetupDependencies", + ", ", + "DataPluginStartDependencies", + ">" + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getTotalCount", + "id": "def-server.DataServerPlugin.Unnamed", "type": "Function", "tags": [], - "label": "getTotalCount", + "label": "Constructor", "description": [], "signature": [ - "(table: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" - }, - ") => number | undefined" + "any" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.getTotalCount.$1", + "id": "def-server.DataServerPlugin.Unnamed.$1", "type": "Object", "tags": [], - "label": "table", + "label": "initializerContext", "description": [], "signature": [ { - "pluginId": "expressions", + "pluginId": "@kbn/core-plugins-server", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" - } + "docId": "kibKbnCorePluginsServerPluginApi", + "section": "def-common.PluginInitializerContext", + "text": "PluginInitializerContext" + }, + "; }>; asyncSearch: Readonly<{ pollInterval?: number | undefined; } & { waitForCompletion: moment.Duration; keepAlive: moment.Duration; batchedReduceSize: number; }>; sessions: Readonly<{} & { enabled: boolean; notTouchedTimeout: moment.Duration; maxUpdateRetries: number; defaultExpiration: moment.Duration; management: Readonly<{} & { refreshInterval: moment.Duration; maxSessions: number; refreshTimeout: 
moment.Duration; expiresSoonWarning: moment.Duration; }>; }>; }>; }>>" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "isRequired": true 
@@ -21892,96 +13316,93 @@ }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.hasPrecisionError", + "id": "def-server.DataServerPlugin.setup", "type": "Function", "tags": [], - "label": "hasPrecisionError", + "label": "setup", "description": [], "signature": [ - "(column: ", + "(core: ", { - "pluginId": "expressions", + "pluginId": "@kbn/core-lifecycle-server", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" + "docId": "kibKbnCoreLifecycleServerPluginApi", + "section": "def-common.CoreSetup", + "text": "CoreSetup" }, - ") => ", + "<", + "DataPluginStartDependencies", + ", ", { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.Serializable", - "text": "Serializable" - } + "pluginId": "data", + "scope": "server", + "docId": "kibDataPluginApi", + "section": "def-server.DataPluginStart", + "text": "DataPluginStart" + }, + ">, { bfetch, expressions, usageCollection, fieldFormats, taskManager, security, }: ", + "DataPluginSetupDependencies", + ") => { search: ", + "ISearchSetup", + "; query: ", + "QuerySetup", + "; fieldFormats: ", + { + "pluginId": "fieldFormats", + "scope": "server", + "docId": "kibFieldFormatsPluginApi", + "section": "def-server.FieldFormatsSetup", + "text": "FieldFormatsSetup" + }, + "; }" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.hasPrecisionError.$1", + "id": "def-server.DataServerPlugin.setup.$1", "type": "Object", "tags": [], - "label": "column", + "label": "core", "description": [], "signature": [ { - "pluginId": "expressions", + "pluginId": "@kbn/core-lifecycle-server", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": 
"def-common.DatatableColumn", - "text": "DatatableColumn" - } + "docId": "kibKbnCoreLifecycleServerPluginApi", + "section": "def-common.CoreSetup", + "text": "CoreSetup" + }, + "<", + "DataPluginStartDependencies", + ", ", + { + "pluginId": "data", + "scope": "server", + "docId": "kibDataPluginApi", + "section": "def-server.DataPluginStart", + "text": "DataPluginStart" + }, + ">" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.isFilterable", - "type": "Function", - "tags": [], - "label": "isFilterable", - "description": [], - "signature": [ - "(column: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" }, - ") => boolean" - ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.isFilterable.$1", + "id": "def-server.DataServerPlugin.setup.$2", "type": "Object", "tags": [], - "label": "column", + "label": "{\n bfetch,\n expressions,\n usageCollection,\n fieldFormats,\n taskManager,\n security,\n }", "description": [], "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - } + "DataPluginSetupDependencies" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "isRequired": true 
@@ -21991,85 +13412,125 @@ }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.setFieldFormat", + "id": "def-server.DataServerPlugin.start", "type": "Function", "tags": [], - "label": "setFieldFormat", + "label": "start", "description": [], "signature": [ - "(column: ", + "(core: ", { - "pluginId": "expressions", + "pluginId": "@kbn/core-lifecycle-server", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" + "docId": "kibKbnCoreLifecycleServerPluginApi", + "section": "def-common.CoreStart", + "text": "CoreStart" }, - ", fieldFormat: ", + ", { fieldFormats, dataViews, taskManager }: ", + "DataPluginStartDependencies", + ") => { datatableUtilities: ", + "DatatableUtilitiesService", + "; search: ", + "ISearchStart", + "<", { - "pluginId": "fieldFormats", + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IEsSearchRequest", + "text": "IEsSearchRequest" + }, + ", ", + { + "pluginId": "data", "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IEsSearchResponse", + "text": "IEsSearchResponse" + }, + ">; fieldFormats: ", + { + "pluginId": "fieldFormats", + "scope": "server", "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormat", - "text": "FieldFormat" + "section": "def-server.FieldFormatsStart", + "text": "FieldFormatsStart" }, - ") => void" + "; indexPatterns: ", + { + "pluginId": "dataViews", + "scope": "server", + "docId": "kibDataViewsPluginApi", + "section": "def-server.DataViewsServerPluginStart", + "text": "DataViewsServerPluginStart" + }, + "; }" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.setFieldFormat.$1", + "id": 
"def-server.DataServerPlugin.start.$1", "type": "Object", "tags": [], - "label": "column", + "label": "core", "description": [], "signature": [ { - "pluginId": "expressions", + "pluginId": "@kbn/core-lifecycle-server", "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" + "docId": "kibKbnCoreLifecycleServerPluginApi", + "section": "def-common.CoreStart", + "text": "CoreStart" } ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "isRequired": true }, { "parentPluginId": "data", - "id": "def-common.DatatableUtilitiesService.setFieldFormat.$2", + "id": "def-server.DataServerPlugin.start.$2", "type": "Object", "tags": [], - "label": "fieldFormat", + "label": "{ fieldFormats, dataViews, taskManager }", "description": [], "signature": [ - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormat", - "text": "FieldFormat" - } + "DataPluginStartDependencies" ], - "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "path": "src/plugins/data/server/plugin.ts", "deprecated": false, "trackAdoption": false, "isRequired": true } ], "returnComment": [] + }, + { + "parentPluginId": "data", + "id": "def-server.DataServerPlugin.stop", + "type": "Function", + "tags": [], + "label": "stop", + "description": [], + "signature": [ + "() => void" + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] } ], "initialIsOpen": false }, { "parentPluginId": "data", - "id": "def-common.DataView", + "id": "def-server.DataView", "type": "Class", "tags": [], "label": "DataView", 
@@ -22099,7 +13560,7 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataView.id", + "id": "def-server.DataView.id", "type": "string", "tags": [], "label": "id", @@ -22115,7 +13576,7 @@ }, { "parentPluginId": "data", - "id": "def-common.DataView.title", + "id": "def-server.DataView.title", "type": "string", "tags": [ "deprecated" 
@@ -22646,1377 +14107,575 @@ }, { "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/sourcerer/create_sourcerer_data_view.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/index.tsx" - }, - { - "plugin": "timelines", - "path": "x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/entity_index_expression.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" - }, - { - "plugin": "stackAlerts", - "path": 
"x-pack/plugins/stack_alerts/public/rule_types/components/data_view_select_popover.tsx" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/components/filter_term_form.tsx" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/hooks/use_search_items/common.ts" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/services/es_index_service.ts" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/server/routes/api/transforms.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/public/application/components/es_deprecation_logs/fix_deprecation_logs/external_links.tsx" - }, - { - "plugin": "ux", - "path": "x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/use_data_view.ts" - }, - { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" - }, - { - "plugin": "infra", - "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" - }, - { - "plugin": "maps", - "path": "x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts" - }, - { - "plugin": "ml", - "path": "x-pack/plugins/ml/public/application/services/new_job_capabilities/remove_nested_field_children.test.ts" - }, - { - "plugin": "observability", - "path": 
"x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_kpi.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/test_formula_metric_attribute.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/mobile_test_attribute.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_cwv.ts" - }, - { - "plugin": "transform", - "path": "x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts" - }, - { - "plugin": "controls", - "path": "src/plugins/controls/public/services/data_views/data_views.story.ts" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" - }, - { - "plugin": "dataViewManagement", - "path": 
"src/plugins/data_view_management/public/components/field_editor/components/scripting_help/test_script.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/field_editor/field_editor.tsx" - }, - { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/create_edit_field/create_edit_field.tsx" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/control/list_control_factory.ts" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/control/range_control_factory.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" - }, - { - "plugin": "unifiedFieldList", - "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" - }, - { - "plugin": "visDefaultEditor", - "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" - }, - { - "plugin": "visDefaultEditor", - "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" - }, - { - "plugin": "visDefaultEditor", - "path": "src/plugins/vis_default_editor/public/components/agg_select.tsx" - }, - { - "plugin": "inputControlVis", - "path": "src/plugins/input_control_vis/public/test_utils/get_index_pattern_mock.ts" - }, - { - "plugin": "presentationUtil", - "path": "src/plugins/presentation_util/public/services/data_views/data_views.story.ts" - }, - { - "plugin": "visTypeTimelion", - "path": "src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" - }, - { - "plugin": "visTypeTimelion", - "path": "src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" - }, - { - 
"plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.ts" - }, - { - "plugin": "visTypeVega", - "path": "src/plugins/vis_types/vega/public/data_model/search_api.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.test.ts" - }, - { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" + "path": "x-pack/plugins/security_solution/public/common/containers/sourcerer/create_sourcerer_data_view.ts" }, { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts" }, { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx" }, { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/index.tsx" }, { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" + "plugin": "timelines", + "path": "x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "plugin": "stackAlerts", + "path": 
"x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx" }, { - "plugin": "discover", - "path": "src/plugins/discover/public/application/main/hooks/use_text_based_query_language.ts" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/entity_index_expression.tsx" }, { - "plugin": "infra", - "path": "x-pack/plugins/infra/public/pages/metrics/hosts/hooks/use_data_view.test.ts" - } - ] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.fieldFormatMap", - "type": "Object", - "tags": [], - "label": "fieldFormatMap", - "description": [ - "\nMap of field formats by field name" - ], - "signature": [ - "{ [x: string]: ", + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" }, - "<{}, ", { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" }, - ">; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.typeMeta", - "type": "Object", - "tags": [], - "label": "typeMeta", - "description": [ - "\nOnly used by rollup indices, used by rollup specific endpoint to load field list." 
- ], - "signature": [ { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.TypeMeta", - "text": "TypeMeta" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" }, - " | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.fields", - "type": "CompoundType", - "tags": [], - "label": "fields", - "description": [ - "\nField list, in extended array format" - ], - "signature": [ { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.IIndexPatternFieldList", - "text": "IIndexPatternFieldList" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" }, - " & { toSpec: () => ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewFieldMap", - "text": "DataViewFieldMap" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" }, - "; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.timeFieldName", - "type": "string", - "tags": [], - "label": "timeFieldName", - "description": [ - "\nTimestamp field name" - ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.type", - "type": "string", - "tags": [], - "label": "type", - "description": [ - "\nType is used to identify rollup index patterns." 
- ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.flattenHit", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "flattenHit", - "description": [], - "signature": [ - "(hit: Record, deep?: boolean | undefined) => Record" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/components/data_view_select_popover.tsx" }, { - "plugin": "maps", - "path": "x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx" }, { - "plugin": "maps", - "path": "x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" - } - ], - "returnComment": [], - "children": [ + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx" + }, { - "parentPluginId": "data", - "id": "def-common.DataView.flattenHit.$1", - "type": "Object", - "tags": [], - "label": "hit", - "description": [], - "signature": [ - "{ [x: string]: unknown[]; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false + "plugin": "transform", + "path": "x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/components/filter_term_form.tsx" }, { - "parentPluginId": "data", - "id": "def-common.DataView.flattenHit.$2", - "type": "CompoundType", - "tags": [], - "label": "deep", - 
"description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - } - ] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.metaFields", - "type": "Array", - "tags": [], - "label": "metaFields", - "description": [ - "\nList of meta fields by name" - ], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.version", - "type": "string", - "tags": [], - "label": "version", - "description": [ - "\nSavedObject version" - ], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.sourceFilters", - "type": "Array", - "tags": [], - "label": "sourceFilters", - "description": [ - "\nArray of filters - hides fields in discover" - ], - "signature": [ + "plugin": "transform", + "path": "x-pack/plugins/transform/public/app/hooks/use_search_items/common.ts" + }, { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.SourceFilter", - "text": "SourceFilter" + "plugin": "transform", + "path": "x-pack/plugins/transform/public/app/services/es_index_service.ts" }, - "[] | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.namespaces", - "type": "Array", - "tags": [], - "label": "namespaces", - "description": [ - "\nArray of namespace ids" - ], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": 
"def-common.DataView.allowNoIndex", - "type": "boolean", - "tags": [], - "label": "allowNoIndex", - "description": [ - "\nPrevents errors when index pattern exists before indices" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.name", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "\nName of the data view. Human readable name used to differentiate data view." - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.matchedIndices", - "type": "Array", - "tags": [], - "label": "matchedIndices", - "description": [], - "signature": [ - "string[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.Unnamed", - "type": "Function", - "tags": [], - "label": "Constructor", - "description": [ - "\nconstructor" - ], - "signature": [ - "any" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { - "parentPluginId": "data", - "id": "def-common.DataView.Unnamed.$1", - "type": "Object", - "tags": [], - "label": "config", - "description": [ - "- config data and dependencies" - ], - "signature": [ - "DataViewDeps" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getName", - "type": "Function", - "tags": [], - "label": "getName", - "description": [ - "\nGet name of Data View" - ], - "signature": [ - "() => string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - 
"deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getIndexPattern", - "type": "Function", - "tags": [], - "label": "getIndexPattern", - "description": [ - "\nGet index pattern" - ], - "signature": [ - "() => string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [ - "index pattern string" - ] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.setIndexPattern", - "type": "Function", - "tags": [], - "label": "setIndexPattern", - "description": [ - "\nSet index pattern" - ], - "signature": [ - "(indexPattern: string) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + "plugin": "transform", + "path": "x-pack/plugins/transform/server/routes/api/transforms.ts" + }, { - "parentPluginId": "data", - "id": "def-common.DataView.setIndexPattern.$1", - "type": "string", - "tags": [], - "label": "indexPattern", - "description": [], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getOriginalSavedObjectBody", - "type": "Function", - "tags": [], - "label": "getOriginalSavedObjectBody", - "description": [ - "\nGet last saved saved object fields" - ], - "signature": [ - "() => { fieldAttrs?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; fields?: string | undefined; sourceFilters?: string | undefined; fieldFormatMap?: string | undefined; typeMeta?: string | undefined; type?: string | undefined; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": 
false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.resetOriginalSavedObjectBody", - "type": "Function", - "tags": [], - "label": "resetOriginalSavedObjectBody", - "description": [ - "\nReset last saved saved object fields. Used after saving." - ], - "signature": [ - "() => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getFieldAttrs", - "type": "Function", - "tags": [], - "label": "getFieldAttrs", - "description": [ - "\nReturns field attributes map" - ], - "signature": [ - "() => { [x: string]: ", + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/public/application/components/es_deprecation_logs/fix_deprecation_logs/external_links.tsx" + }, + { + "plugin": "ux", + "path": "x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/use_data_view.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" + }, + { + "plugin": "maps", + "path": "x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/services/new_job_capabilities/remove_nested_field_children.test.ts" + }, { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrSet", - "text": "FieldAttrSet" + "plugin": "observability", + "path": 
"x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts" }, - "; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getComputedFields", - "type": "Function", - "tags": [], - "label": "getComputedFields", - "description": [ - "\nReturns scripted fields" - ], - "signature": [ - "() => { storedFields: string[]; scriptFields: Record; docvalueFields: { field: string; format: string; }[]; runtimeFields: ", - "MappingRuntimeFields", - "; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.isPersisted", - "type": "Function", - "tags": [], - "label": "isPersisted", - "description": [], - "signature": [ - "() => boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.toSpec", - "type": "Function", - "tags": [], - "label": "toSpec", - "description": [ - "\nCreates static representation of the data view." 
- ], - "signature": [ - "(includeFields?: boolean) => ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_kpi.ts" + }, { - "parentPluginId": "data", - "id": "def-common.DataView.toSpec.$1", - "type": "boolean", - "tags": [], - "label": "includeFields", - "description": [ - "Whether or not to include the `fields` list as part of this spec. If not included, the list\nwill be fetched from Elasticsearch when instantiating a new Data View with this spec." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getSourceFiltering", - "type": "Function", - "tags": [], - "label": "getSourceFiltering", - "description": [ - "\nGet the source filtering configuration for that index." - ], - "signature": [ - "() => { excludes: string[]; }" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.removeScriptedField", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "removeScriptedField", - "description": [ - "\nRemoves scripted field from field list." 
- ], - "signature": [ - "(fieldName: string) => void" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/test_formula_metric_attribute.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/mobile_test_attribute.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_cwv.ts" + }, + { + "plugin": "transform", + "path": "x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts" + }, + { + "plugin": "controls", + "path": "src/plugins/controls/public/services/data_views/data_views.story.ts" + }, { "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + 
"path": "src/plugins/data_view_management/public/components/field_editor/components/scripting_help/test_script.tsx" }, { "plugin": "dataViewManagement", "path": "src/plugins/data_view_management/public/components/field_editor/field_editor.tsx" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" - } - ], - "children": [ + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/create_edit_field/create_edit_field.tsx" + }, { - "parentPluginId": "data", - "id": "def-common.DataView.removeScriptedField.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of scripted field to remove" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getNonScriptedFields", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "getNonScriptedFields", - "description": [ - "\n" - ], - "signature": [ - "() => ", + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/control/list_control_factory.ts" + }, { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/control/range_control_factory.ts" }, - "[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ { - "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/strategies/abstract_search_strategy.ts" + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" }, { - "plugin": "graph", - "path": 
"x-pack/plugins/graph/public/services/persistence/deserialize.ts" + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" }, { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" + "plugin": "visDefaultEditor", + "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" }, { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" + "plugin": "visDefaultEditor", + "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" }, { - "plugin": "graph", - "path": "x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" + "plugin": "visDefaultEditor", + "path": "src/plugins/vis_default_editor/public/components/agg_select.tsx" + }, + { + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/test_utils/get_index_pattern_mock.ts" }, { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/source_filters_table/components/table/table.tsx" + "plugin": "presentationUtil", + "path": "src/plugins/presentation_util/public/services/data_views/data_views.story.ts" }, { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + "plugin": "visTypeTimelion", + "path": "src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" }, { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + "plugin": "visTypeTimelion", + "path": "src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" }, { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + "plugin": "visTypeTimeseries", + "path": 
"src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" }, { "plugin": "visTypeTimeseries", - "path": "src/plugins/vis_types/timeseries/public/application/lib/fetch_fields.ts" - } - ], - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.getScriptedFields", - "type": "Function", - "tags": [ - "deprecated" - ], - "label": "getScriptedFields", - "description": [ - "\n" - ], - "signature": [ - "() => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" + "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.ts" }, - "[]" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": true, - "trackAdoption": false, - "references": [ { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" + "plugin": "visTypeVega", + "path": "src/plugins/vis_types/vega/public/data_model/search_api.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.ts" + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.test.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/server/register_index_pattern_usage_collection.ts" + "plugin": "visTypeTimeseries", + "path": 
"src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" }, { - "plugin": "dataViewManagement", - "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" }, { "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + "plugin": "discover", + "path": "src/plugins/discover/public/application/main/hooks/use_text_based_query_language.ts" }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/pages/metrics/hosts/hooks/use_data_view.test.ts" } - ], - "children": [], - "returnComment": [] + ] }, { "parentPluginId": "data", - "id": "def-common.DataView.isTSDBMode", - "type": "Function", + "id": "def-server.DataView.fieldFormatMap", + "type": "Object", "tags": [], - "label": "isTSDBMode", + "label": "fieldFormatMap", "description": [ - "\nreturns true if dataview contains TSDB fields" + "\nMap of field formats by field name" ], "signature": [ - "() => boolean" + "{ [x: string]: ", + { + "pluginId": "fieldFormats", + "scope": 
"common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.SerializedFieldFormat", + "text": "SerializedFieldFormat" + }, + "<{}, ", + { + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" + }, + ">; }" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.isTimeBased", - "type": "Function", + "id": "def-server.DataView.typeMeta", + "type": "Object", "tags": [], - "label": "isTimeBased", + "label": "typeMeta", "description": [ - "\nDoes the data view have a timestamp field?" + "\nOnly used by rollup indices, used by rollup specific endpoint to load field list." ], "signature": [ - "() => this is ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.TimeBasedDataView", - "text": "TimeBasedDataView" - } + "section": "def-common.TypeMeta", + "text": "TypeMeta" + }, + " | undefined" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.isTimeNanosBased", - "type": "Function", + "id": "def-server.DataView.fields", + "type": "CompoundType", "tags": [], - "label": "isTimeNanosBased", + "label": "fields", "description": [ - "\nDoes the data view have a timestamp field and is it a date nanos field?" 
+ "\nField list, in extended array format" ], "signature": [ - "() => this is ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.TimeBasedDataView", - "text": "TimeBasedDataView" + "section": "def-common.IIndexPatternFieldList", + "text": "IIndexPatternFieldList" + }, + " & { toSpec: () => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewFieldMap", + "text": "DataViewFieldMap" + }, + "; }" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.timeFieldName", + "type": "string", + "tags": [], + "label": "timeFieldName", + "description": [ + "\nTimestamp field name" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.type", + "type": "string", + "tags": [], + "label": "type", + "description": [ + "\nType is used to identify rollup index patterns." 
+ ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.flattenHit", + "type": "Function", + "tags": [ + "deprecated" + ], + "label": "flattenHit", + "description": [], + "signature": [ + "(hit: Record, deep?: boolean | undefined) => Record" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "maps", + "path": "x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" + }, + { + "plugin": "maps", + "path": "x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" + } + ], + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.flattenHit.$1", + "type": "Object", + "tags": [], + "label": "hit", + "description": [], + "signature": [ + "{ [x: string]: unknown[]; }" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.flattenHit.$2", + "type": "CompoundType", + "tags": [], + "label": "deep", + "description": [], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + ] }, { "parentPluginId": "data", - "id": "def-common.DataView.getTimeField", - "type": "Function", + "id": "def-server.DataView.metaFields", + "type": "Array", "tags": [], - "label": "getTimeField", + "label": "metaFields", "description": [ - "\nGet 
timestamp field as DataViewField or return undefined" + "\nList of meta fields by name" ], "signature": [ - "() => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | undefined" + "string[]" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.getFieldByName", - "type": "Function", + "id": "def-server.DataView.version", + "type": "string", "tags": [], - "label": "getFieldByName", + "label": "version", "description": [ - "\nGet field by name." + "\nSavedObject version" ], "signature": [ - "(name: string) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | undefined" + "string | undefined" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.getFieldByName.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.getAggregationRestrictions", - "type": "Function", + "id": "def-server.DataView.sourceFilters", + "type": "Array", "tags": [], - "label": "getAggregationRestrictions", + "label": "sourceFilters", "description": [ - "\nGet aggregation restrictions. Rollup fields can only perform a subset of aggregations." 
+ "\nArray of filters - hides fields in discover" ], "signature": [ - "() => Record | undefined" + "[] | undefined" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.getAsSavedObjectBody", - "type": "Function", + "id": "def-server.DataView.namespaces", + "type": "Array", "tags": [], - "label": "getAsSavedObjectBody", + "label": "namespaces", "description": [ - "\nReturns index pattern as saved object body for saving" + "\nArray of namespace ids" ], "signature": [ - "() => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewAttributes", - "text": "DataViewAttributes" - } + "string[]" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.getFormatterForField", - "type": "Function", + "id": "def-server.DataView.allowNoIndex", + "type": "boolean", "tags": [], - "label": "getFormatterForField", + "label": "allowNoIndex", "description": [ - "\nProvide a field, get its formatter" - ], - "signature": [ - "(field: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - ") => ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormat", - "text": "FieldFormat" - } + "\nPrevents errors when index pattern exists before indices" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", 
"deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.getFormatterForField.$1", - "type": "CompoundType", - "tags": [], - "label": "field", - "description": [ - "field to get formatter for" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.addRuntimeField", - "type": "Function", + "id": "def-server.DataView.name", + "type": "string", "tags": [], - "label": "addRuntimeField", + "label": "name", "description": [ - "\nAdd a runtime field - Appended to existing mapped field or a new field is\ncreated as appropriate." - ], - "signature": [ - "(name: string, runtimeField: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeField", - "text": "RuntimeField" - }, - ") => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - "[]" + "\nName of the data view. Human readable name used to differentiate data view." 
], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.addRuntimeField.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "Field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.addRuntimeField.$2", - "type": "Object", - "tags": [], - "label": "runtimeField", - "description": [ - "Runtime field definition" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeField", - "text": "RuntimeField" - } - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.matchedIndices", + "type": "Array", + "tags": [], + "label": "matchedIndices", + "description": [], + "signature": [ + "string[]" ], - "returnComment": [] + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataView.hasRuntimeField", + "id": "def-server.DataView.Unnamed", "type": "Function", "tags": [], - "label": "hasRuntimeField", + "label": "Constructor", "description": [ - "\nChecks if runtime field exists" + "\nconstructor" ], "signature": [ - "(name: string) => boolean" + "any" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, 
@@ -24024,15 +14683,15 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataView.hasRuntimeField.$1", - "type": "string", + "id": "def-server.DataView.Unnamed.$1", + "type": "Object", "tags": [], - "label": "name", + "label": "config", "description": [ - "field name" + "- config data and dependencies" ], "signature": [ - "string" + "DataViewDeps" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, 
@@ -24044,95 +14703,53 @@ }, { "parentPluginId": "data", - "id": "def-common.DataView.getRuntimeField", + "id": "def-server.DataView.getName", "type": "Function", "tags": [], - "label": "getRuntimeField", + "label": "getName", "description": [ - "\nReturns runtime field if exists" + "\nGet name of Data View" ], "signature": [ - "(name: string) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeField", - "text": "RuntimeField" - }, - " | null" + "() => string" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.getRuntimeField.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "Runtime field name" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], + "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.getAllRuntimeFields", + "id": "def-server.DataView.getIndexPattern", "type": "Function", "tags": [], - "label": "getAllRuntimeFields", + "label": "getIndexPattern", "description": [ - "\nGet all runtime field definitions.\nNOTE: this does not strip out runtime fields that match mapped field names" + "\nGet index pattern" ], "signature": [ - "() => Record" + "() => string" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, "children": [], "returnComment": [ - "map of runtime field definitions by field name" + "index pattern string" ] }, { "parentPluginId": "data", - "id": "def-common.DataView.getFieldsByRuntimeFieldName", + "id": "def-server.DataView.setIndexPattern", "type": "Function", "tags": [], - "label": "getFieldsByRuntimeFieldName", + "label": "setIndexPattern", "description": [ - "\nReturns 
data view fields backed by runtime fields." + "\nSet index pattern" ], "signature": [ - "(name: string) => Record | undefined" + "(indexPattern: string) => void" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, @@ -24140,13 +14757,11 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataView.getFieldsByRuntimeFieldName.$1", + "id": "def-server.DataView.setIndexPattern.$1", "type": "string", "tags": [], - "label": "name", - "description": [ - "runtime field name" - ], + "label": "indexPattern", + "description": [], "signature": [ "string" ], 
@@ -24156,110 +14771,63 @@ "isRequired": true } ], - "returnComment": [ - "map of DataViewFields (that are runtime fields) by field name" - ] + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.replaceAllRuntimeFields", + "id": "def-server.DataView.getOriginalSavedObjectBody", "type": "Function", "tags": [], - "label": "replaceAllRuntimeFields", + "label": "getOriginalSavedObjectBody", "description": [ - "\nReplaces all existing runtime fields with new fields." + "\nGet last saved saved object fields" ], "signature": [ - "(newFields: Record) => void" + "() => { fieldAttrs?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; fields?: string | undefined; sourceFilters?: string | undefined; fieldFormatMap?: string | undefined; typeMeta?: string | undefined; type?: string | undefined; }" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.replaceAllRuntimeFields.$1", - "type": "Object", - "tags": [], - "label": "newFields", - "description": [ - "Map of runtime field definitions by field name" - ], - "signature": [ - "Record" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], + "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.removeRuntimeField", + "id": "def-server.DataView.resetOriginalSavedObjectBody", "type": "Function", "tags": [], - "label": "removeRuntimeField", + "label": "resetOriginalSavedObjectBody", "description": [ - "\nRemove a runtime field - removed from mapped field or removed unmapped\nfield as appropriate. Doesn't clear associated field attributes." + "\nReset last saved saved object fields. Used after saving." 
], "signature": [ - "(name: string) => void" + "() => void" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.removeRuntimeField.$1", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "- Field name to remove" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], + "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.getRuntimeMappings", + "id": "def-server.DataView.getFieldAttrs", "type": "Function", "tags": [], - "label": "getRuntimeMappings", + "label": "getFieldAttrs", "description": [ - "\nReturn the \"runtime_mappings\" section of the ES search query." + "\nReturns field attributes map" ], "signature": [ - "() => ", - "MappingRuntimeFields" + "() => { [x: string]: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrSet", + "text": "FieldAttrSet" + }, + "; }" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, 
@@ -24269,75 +14837,60 @@ }, { "parentPluginId": "data", - "id": "def-common.DataView.getFormatterForFieldNoDefault", + "id": "def-server.DataView.getComputedFields", "type": "Function", "tags": [], - "label": "getFormatterForFieldNoDefault", + "label": "getComputedFields", "description": [ - "\nGet formatter for a given field name. Return undefined if none exists." + "\nReturns scripted fields" ], "signature": [ - "(fieldname: string) => ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.FieldFormat", - "text": "FieldFormat" - }, - " | undefined" + "() => { storedFields: string[]; scriptFields: Record; docvalueFields: { field: string; format: string; }[]; runtimeFields: ", + "MappingRuntimeFields", + "; }" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.getFormatterForFieldNoDefault.$1", - "type": "string", - "tags": [], - "label": "fieldname", - "description": [ - "name of field to get formatter for" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } + "children": [], + "returnComment": [] + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.isPersisted", + "type": "Function", + "tags": [], + "label": "isPersisted", + "description": [], + "signature": [ + "() => boolean" ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.setFieldAttrs", + "id": "def-server.DataView.toSpec", "type": "Function", "tags": [], - "label": "setFieldAttrs", + "label": "toSpec", "description": [ - "\nSet field attribute" + "\nCreates static representation of the data view." 
], "signature": [ - "(fieldName: string, attrName: K, value: ", + "(includeFields?: boolean) => ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrSet", - "text": "FieldAttrSet" - }, - "[K]) => void" + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, @@ -24345,56 +14898,15 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataView.setFieldAttrs.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of field to set attribute on" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.setFieldAttrs.$2", - "type": "Uncategorized", - "tags": [], - "label": "attrName", - "description": [ - "name of attribute to set" - ], - "signature": [ - "K" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.setFieldAttrs.$3", - "type": "Uncategorized", + "id": "def-server.DataView.toSpec.$1", + "type": "boolean", "tags": [], - "label": "value", + "label": "includeFields", "description": [ - "value of attribute" + "Whether or not to include the `fields` list as part of this spec. If not included, the list\nwill be fetched from Elasticsearch when instantiating a new Data View with this spec." ], "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrSet", - "text": "FieldAttrSet" - }, - "[K]" + "boolean" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, 
@@ -24406,81 +14918,62 @@ }, { "parentPluginId": "data", - "id": "def-common.DataView.setFieldCustomLabel", + "id": "def-server.DataView.getSourceFiltering", "type": "Function", "tags": [], - "label": "setFieldCustomLabel", + "label": "getSourceFiltering", "description": [ - "\nSet field custom label" + "\nGet the source filtering configuration for that index." ], "signature": [ - "(fieldName: string, customLabel: string | null | undefined) => void" + "() => { excludes: string[]; }" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataView.setFieldCustomLabel.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of field to set custom label on" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.setFieldCustomLabel.$2", - "type": "CompoundType", - "tags": [], - "label": "customLabel", - "description": [ - "custom label value. If undefined, custom label is removed" - ], - "signature": [ - "string | null | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false - } - ], + "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.setFieldCount", + "id": "def-server.DataView.removeScriptedField", "type": "Function", - "tags": [], - "label": "setFieldCount", + "tags": [ + "deprecated" + ], + "label": "removeScriptedField", "description": [ - "\nSet field count" + "\nRemoves scripted field from field list." 
], "signature": [ - "(fieldName: string, count: number | null | undefined) => void" + "(fieldName: string) => void" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, + "deprecated": true, "trackAdoption": false, + "references": [ + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/field_editor/field_editor.tsx" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + } + ], "children": [ { "parentPluginId": "data", - "id": "def-common.DataView.setFieldCount.$1", + "id": "def-server.DataView.removeScriptedField.$1", "type": "string", "tags": [], "label": "fieldName", "description": [ - "name of field to set count on" + "name of scripted field to remove" ], "signature": [ "string" 
@@ -24489,775 +14982,1383 @@ "deprecated": false, "trackAdoption": false, "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataView.setFieldCount.$2", - "type": "CompoundType", - "tags": [], - "label": "count", - "description": [ - "count value. If undefined, count is removed" - ], - "signature": [ - "number | null | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": false } ], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.setFieldFormat", + "id": "def-server.DataView.getNonScriptedFields", "type": "Function", - "tags": [], - "label": "setFieldFormat", + "tags": [ + "deprecated" + ], + "label": "getNonScriptedFields", "description": [ - "\nSet field formatter" + "\n" ], "signature": [ - "(fieldName: string, format: ", - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" - }, - "<{}, ", + "() => ", { - "pluginId": "@kbn/utility-types", + "pluginId": "dataViews", "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" }, - ">) => void" + "[]" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, + "deprecated": true, "trackAdoption": false, - "children": [ + "references": [ { - "parentPluginId": "data", - "id": "def-common.DataView.setFieldFormat.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "name of field to set format on" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true + "plugin": "visTypeTimeseries", + 
"path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/strategies/abstract_search_strategy.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/services/persistence/deserialize.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/source_filters_table/components/table/table.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" }, { - "parentPluginId": "data", - "id": "def-common.DataView.setFieldFormat.$2", - "type": "Object", - "tags": [], - "label": "format", - "description": [ - "field format in serialized form" - ], - "signature": [ - { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" - }, - "<{}, ", - { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" - }, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - 
"isRequired": true + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/application/lib/fetch_fields.ts" } ], + "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataView.deleteFieldFormat", + "id": "def-server.DataView.getScriptedFields", "type": "Function", - "tags": [], - "label": "deleteFieldFormat", + "tags": [ + "deprecated" + ], + "label": "getScriptedFields", "description": [ - "\nRemove field format from the field format map." + "\n" ], "signature": [ - "(fieldName: string) => void" + "() => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + "[]" ], "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, + "deprecated": true, "trackAdoption": false, - "children": [ + "references": [ { - "parentPluginId": "data", - "id": "def-common.DataView.deleteFieldFormat.$1", - "type": "string", - "tags": [], - "label": "fieldName", - "description": [ - "field name associated with the format for removal" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_view.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewField", - "type": "Class", - "tags": [], - "label": "DataViewField", - "description": [ - "\nData view field class" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - " implements ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.DataViewFieldBase", - "text": "DataViewFieldBase" - } - ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - 
"deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewField.spec", - "type": "CompoundType", - "tags": [], - "label": "spec", - "description": [], - "signature": [ + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.DataViewFieldBase", - "text": "DataViewFieldBase" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" }, - " & { count?: number | undefined; conflictDescriptions?: Record | undefined; format?: ", { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, - "<{}, ", { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" + "plugin": "dataViews", + "path": "src/plugins/data_views/server/register_index_pattern_usage_collection.ts" }, - "> | undefined; esTypes?: string[] | undefined; searchable: boolean; aggregatable: boolean; readFromDocValues?: boolean | undefined; indexed?: boolean | undefined; customLabel?: string | undefined; runtimeField?: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeFieldSpec", - "text": "RuntimeFieldSpec" + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" }, - " | undefined; fixedInterval?: string[] | undefined; timeZone?: string[] | undefined; timeSeriesDimension?: boolean | undefined; timeSeriesMetric?: \"gauge\" | \"histogram\" | \"summary\" | \"counter\" 
| undefined; shortDotsEnable?: boolean | undefined; isMapped?: boolean | undefined; parentName?: string | undefined; }" + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false + "children": [], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.Unnamed", + "id": "def-server.DataView.isTSDBMode", "type": "Function", - "tags": [ - "constructor" - ], - "label": "Constructor", + "tags": [], + "label": "isTSDBMode", "description": [ - "\nDataView constructor" + "\nreturns true if dataview contains TSDB fields" ], "signature": [ - "any" + "() => boolean" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewField.Unnamed.$1", - "type": "CompoundType", - "tags": [], - "label": "spec", - "description": [ - "Configuration for the field" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - } - ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], + "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": 
"def-common.DataViewField.count", - "type": "number", + "id": "def-server.DataView.isTimeBased", + "type": "Function", "tags": [], - "label": "count", + "label": "isTimeBased", "description": [ - "\nCount is used for field popularity in discover." + "\nDoes the data view have a timestamp field?" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "signature": [ + "() => this is ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TimeBasedDataView", + "text": "TimeBasedDataView" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.count", - "type": "number", + "id": "def-server.DataView.isTimeNanosBased", + "type": "Function", "tags": [], - "label": "count", + "label": "isTimeNanosBased", "description": [ - "\nSet count, which is used for field popularity in discover." + "\nDoes the data view have a timestamp field and is it a date nanos field?" + ], + "signature": [ + "() => this is ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TimeBasedDataView", + "text": "TimeBasedDataView" + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.runtimeField", - "type": "CompoundType", + "id": "def-server.DataView.getTimeField", + "type": "Function", "tags": [], - "label": "runtimeField", + "label": "getTimeField", "description": [ - "\nReturns runtime field definition or undefined if field is not runtime field." 
+ "\nGet timestamp field as DataViewField or return undefined" ], "signature": [ + "() => ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeFieldSpec", - "text": "RuntimeFieldSpec" + "section": "def-common.DataViewField", + "text": "DataViewField" }, " | undefined" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.runtimeField", - "type": "CompoundType", + "id": "def-server.DataView.getFieldByName", + "type": "Function", "tags": [], - "label": "runtimeField", + "label": "getFieldByName", "description": [ - "\nSets runtime field definition or unsets if undefined is provided." + "\nGet field by name." ], "signature": [ + "(name: string) => ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeFieldSpec", - "text": "RuntimeFieldSpec" + "section": "def-common.DataViewField", + "text": "DataViewField" }, " | undefined" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.getFieldByName.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.script", - "type": "string", + "id": "def-server.DataView.getAggregationRestrictions", + "type": "Function", 
"tags": [], - "label": "script", + "label": "getAggregationRestrictions", "description": [ - "\nScript field code" + "\nGet aggregation restrictions. Rollup fields can only perform a subset of aggregations." ], "signature": [ - "string | undefined" + "() => Record | undefined" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.script", - "type": "string", + "id": "def-server.DataView.getAsSavedObjectBody", + "type": "Function", "tags": [], - "label": "script", + "label": "getAsSavedObjectBody", "description": [ - "\nSets scripted field painless code" + "\nReturns index pattern as saved object body for saving" ], "signature": [ - "string | undefined" + "() => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewAttributes", + "text": "DataViewAttributes" + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.lang", - "type": "string", + "id": "def-server.DataView.getFormatterForField", + "type": "Function", "tags": [], - "label": "lang", + "label": "getFormatterForField", "description": [ - "\nScript field language" + "\nProvide a field, get its formatter" ], "signature": [ - "string | undefined" + "(field: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": 
"def-common.FieldSpec", + "text": "FieldSpec" + }, + ") => ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormat", + "text": "FieldFormat" + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.getFormatterForField.$1", + "type": "CompoundType", + "tags": [], + "label": "field", + "description": [ + "field to get formatter for" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.lang", - "type": "string", + "id": "def-server.DataView.addRuntimeField", + "type": "Function", "tags": [], - "label": "lang", + "label": "addRuntimeField", "description": [ - "\nSets scripted field langauge." + "\nAdd a runtime field - Appended to existing mapped field or a new field is\ncreated as appropriate." 
], "signature": [ - "string | undefined" + "(name: string, runtimeField: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeField", + "text": "RuntimeField" + }, + ") => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + "[]" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.addRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "Field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.addRuntimeField.$2", + "type": "Object", + "tags": [], + "label": "runtimeField", + "description": [ + "Runtime field definition" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeField", + "text": "RuntimeField" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.customLabel", - "type": "string", + "id": "def-server.DataView.hasRuntimeField", + "type": "Function", "tags": [], - "label": "customLabel", + "label": "hasRuntimeField", "description": [ - "\nReturns custom label if set, otherwise undefined." 
+ "\nChecks if runtime field exists" ], "signature": [ - "string | undefined" + "(name: string) => boolean" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.hasRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.customLabel", - "type": "string", + "id": "def-server.DataView.getRuntimeField", + "type": "Function", "tags": [], - "label": "customLabel", + "label": "getRuntimeField", "description": [ - "\nSets custom label for field, or unsets if passed undefined." 
+ "\nReturns runtime field if exists" ], "signature": [ - "string | undefined" + "(name: string) => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeField", + "text": "RuntimeField" + }, + " | null" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.getRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "Runtime field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.conflictDescriptions", - "type": "Object", + "id": "def-server.DataView.getAllRuntimeFields", + "type": "Function", "tags": [], - "label": "conflictDescriptions", + "label": "getAllRuntimeFields", "description": [ - "\nDescription of field type conflicts across different indices in the same index pattern." 
+ "\nGet all runtime field definitions.\nNOTE: this does not strip out runtime fields that match mapped field names" ], "signature": [ - "Record | undefined" + "() => Record" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [], + "returnComment": [ + "map of runtime field definitions by field name" + ] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.conflictDescriptions", - "type": "Object", + "id": "def-server.DataView.getFieldsByRuntimeFieldName", + "type": "Function", "tags": [], - "label": "conflictDescriptions", + "label": "getFieldsByRuntimeFieldName", "description": [ - "\nSets conflict descriptions for field." + "\nReturns data view fields backed by runtime fields." ], "signature": [ - "Record | undefined" + "(name: string) => Record | undefined" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewField.name", - "type": "string", - "tags": [], - "label": "name", - "description": [ - "\nGet field name" + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.getFieldsByRuntimeFieldName.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "runtime field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false + "returnComment": [ + "map of DataViewFields (that are runtime fields) by field name" + ] }, { "parentPluginId": "data", - "id": 
"def-common.DataViewField.displayName", - "type": "string", + "id": "def-server.DataView.replaceAllRuntimeFields", + "type": "Function", "tags": [], - "label": "displayName", + "label": "replaceAllRuntimeFields", "description": [ - "\nGets display name, calcualted based on name, custom label and shortDotsEnable." + "\nReplaces all existing runtime fields with new fields." ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewField.type", - "type": "string", - "tags": [], - "label": "type", - "description": [ - "\nGets field type" + "signature": [ + "(newFields: Record) => void" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.replaceAllRuntimeFields.$1", + "type": "Object", + "tags": [], + "label": "newFields", + "description": [ + "Map of runtime field definitions by field name" + ], + "signature": [ + "Record" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.esTypes", - "type": "Array", + "id": "def-server.DataView.removeRuntimeField", + "type": "Function", "tags": [], - "label": "esTypes", + "label": "removeRuntimeField", "description": [ - "\nGets ES types as string array" + "\nRemove a runtime field - removed from mapped field or removed unmapped\nfield as appropriate. Doesn't clear associated field attributes." 
], "signature": [ - "string[] | undefined" + "(name: string) => void" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewField.scripted", - "type": "boolean", - "tags": [], - "label": "scripted", - "description": [ - "\nReturns true if scripted field" + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.removeRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "- Field name to remove" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.searchable", - "type": "boolean", + "id": "def-server.DataView.getRuntimeMappings", + "type": "Function", "tags": [], - "label": "searchable", + "label": "getRuntimeMappings", "description": [ - "\nReturns true if field is searchable" + "\nReturn the \"runtime_mappings\" section of the ES search query." 
], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "signature": [ + "() => ", + "MappingRuntimeFields" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.aggregatable", - "type": "boolean", + "id": "def-server.DataView.getFormatterForFieldNoDefault", + "type": "Function", "tags": [], - "label": "aggregatable", + "label": "getFormatterForFieldNoDefault", "description": [ - "\nReturns true if field is aggregatable" + "\nGet formatter for a given field name. Return undefined if none exists." ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "signature": [ + "(fieldname: string) => ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormat", + "text": "FieldFormat" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.getFormatterForFieldNoDefault.$1", + "type": "string", + "tags": [], + "label": "fieldname", + "description": [ + "name of field to get formatter for" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.timeSeriesDimension", - "type": "boolean", + "id": "def-server.DataView.setFieldAttrs", + "type": "Function", "tags": [], - "label": "timeSeriesDimension", + "label": "setFieldAttrs", "description": [ - "\nreturns true if field is a TSDB dimension field" + "\nSet field attribute" ], - "path": 
"src/plugins/data_views/common/fields/data_view_field.ts", + "signature": [ + "(fieldName: string, attrName: K, value: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrSet", + "text": "FieldAttrSet" + }, + "[K]) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldAttrs.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set attribute on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldAttrs.$2", + "type": "Uncategorized", + "tags": [], + "label": "attrName", + "description": [ + "name of attribute to set" + ], + "signature": [ + "K" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldAttrs.$3", + "type": "Uncategorized", + "tags": [], + "label": "value", + "description": [ + "value of attribute" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrSet", + "text": "FieldAttrSet" + }, + "[K]" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.timeSeriesMetric", - "type": "CompoundType", + "id": "def-server.DataView.setFieldCustomLabel", + "type": "Function", "tags": [], - "label": "timeSeriesMetric", + "label": 
"setFieldCustomLabel", "description": [ - "\nreturns type of TSDB metric or undefined" + "\nSet field custom label" ], "signature": [ - "\"gauge\" | \"histogram\" | \"summary\" | \"counter\" | undefined" + "(fieldName: string, customLabel: string | null | undefined) => void" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldCustomLabel.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set custom label on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldCustomLabel.$2", + "type": "CompoundType", + "tags": [], + "label": "customLabel", + "description": [ + "custom label value. 
If undefined, custom label is removed" + ], + "signature": [ + "string | null | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.fixedInterval", - "type": "Array", + "id": "def-server.DataView.setFieldCount", + "type": "Function", "tags": [], - "label": "fixedInterval", + "label": "setFieldCount", "description": [ - "\nreturns list of alloeed fixed intervals" + "\nSet field count" ], "signature": [ - "string[] | undefined" + "(fieldName: string, count: number | null | undefined) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldCount.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set count on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldCount.$2", + "type": "CompoundType", + "tags": [], + "label": "count", + "description": [ + "count value. 
If undefined, count is removed" + ], + "signature": [ + "number | null | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.isRolledUpField", - "type": "CompoundType", + "id": "def-server.DataView.setFieldFormat", + "type": "Function", "tags": [], - "label": "isRolledUpField", + "label": "setFieldFormat", "description": [ - "\nreturns true if the field is of rolled up type" + "\nSet field formatter" ], "signature": [ - "boolean | undefined" + "(fieldName: string, format: ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.SerializedFieldFormat", + "text": "SerializedFieldFormat" + }, + "<{}, ", + { + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" + }, + ">) => void" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldFormat.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set format on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataView.setFieldFormat.$2", + "type": "Object", + "tags": [], + "label": "format", + "description": [ + "field format in serialized form" + ], + "signature": [ 
+ { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.SerializedFieldFormat", + "text": "SerializedFieldFormat" + }, + "<{}, ", + { + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" + }, + ">" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.timeZone", - "type": "Array", + "id": "def-server.DataView.deleteFieldFormat", + "type": "Function", "tags": [], - "label": "timeZone", + "label": "deleteFieldFormat", "description": [ - "\nreturn list of allowed time zones" + "\nRemove field format from the field format map." ], "signature": [ - "string[] | undefined" + "(fieldName: string) => void" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewField.readFromDocValues", - "type": "boolean", - "tags": [], - "label": "readFromDocValues", - "description": [ - "\nReturns true if field is available via doc values" + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataView.deleteFieldFormat.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "field name associated with the format for removal" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false - }, + "returnComment": [] + } + ], + 
"initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService", + "type": "Class", + "tags": [], + "label": "DataViewsService", + "description": [ + "\nData views service, providing CRUD operations for data views." + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewField.subType", - "type": "CompoundType", + "id": "def-server.DataViewsService.getCanSave", + "type": "Function", "tags": [], - "label": "subType", + "label": "getCanSave", "description": [ - "\nReturns field subtype, multi, nested, or undefined if neither" + "\nCan the user save data views?" ], "signature": [ - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" - }, - " | undefined" + "() => Promise" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "returnComment": [], + "children": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.isMapped", - "type": "CompoundType", + "id": "def-server.DataViewsService.Unnamed", + "type": "Function", "tags": [], - "label": "isMapped", + "label": "Constructor", "description": [ - "\nIs the field part of the index mapping?" 
+ "\nDataViewsService constructor" ], "signature": [ - "boolean | undefined" + "any" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.Unnamed.$1", + "type": "Object", + "tags": [], + "label": "deps", + "description": [ + "Service dependencies" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewsServiceDeps", + "text": "DataViewsServiceDeps" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.isRuntimeField", - "type": "boolean", + "id": "def-server.DataViewsService.getIds", + "type": "Function", "tags": [], - "label": "isRuntimeField", + "label": "getIds", "description": [ - "\nReturns true if runtime field defined on data view" + "\nGets list of index pattern ids." 
], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "signature": [ + "(refresh?: boolean) => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewField.sortable", - "type": "boolean", - "tags": [], - "label": "sortable", - "description": [ - "\nReturns true if field is sortable" + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.getIds.$1", + "type": "boolean", + "tags": [], + "label": "refresh", + "description": [ + "Force refresh of index pattern list" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.filterable", - "type": "boolean", + "id": "def-server.DataViewsService.getTitles", + "type": "Function", "tags": [], - "label": "filterable", + "label": "getTitles", "description": [ - "\nReturns true if field is filterable" + "\nGets list of index pattern titles." 
], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "signature": [ + "(refresh?: boolean) => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.getTitles.$1", + "type": "boolean", + "tags": [], + "label": "refresh", + "description": [ + "Force refresh of index pattern list" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.visualizable", - "type": "boolean", + "id": "def-server.DataViewsService.find", + "type": "Function", "tags": [], - "label": "visualizable", + "label": "find", "description": [ - "\nReturns true if field is visualizable" + "\nFind and load index patterns by title." 
], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "signature": [ + "(search: string, size?: number) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + "[]>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.find.$1", + "type": "string", + "tags": [], + "label": "search", + "description": [ + "Search string" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.find.$2", + "type": "number", + "tags": [], + "label": "size", + "description": [ + "Number of data views to return" + ], + "signature": [ + "number" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [ + "DataView[]" + ] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.isSubtypeNested", + "id": "def-server.DataViewsService.getIdsWithTitle", "type": "Function", "tags": [], - "label": "isSubtypeNested", + "label": "getIdsWithTitle", "description": [ - "\nReturns true if field is subtype nested" + "\nGets list of index pattern ids with titles." 
], "signature": [ - "() => boolean" + "(refresh?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewListItem", + "text": "DataViewListItem" + }, + "[]>" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, - "children": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.getIdsWithTitle.$1", + "type": "boolean", + "tags": [], + "label": "refresh", + "description": [ + "Force refresh of index pattern list" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.isSubtypeMulti", + "id": "def-server.DataViewsService.clearCache", "type": "Function", "tags": [], - "label": "isSubtypeMulti", + "label": "clearCache", "description": [ - "\nReturns true if field is subtype multi" + "\nClear index pattern saved objects cache." ], "signature": [ - "() => boolean" + "() => void" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "children": [], 
@@ -25265,51 +16366,67 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewField.getSubtypeNested", + "id": "def-server.DataViewsService.clearInstanceCache", "type": "Function", "tags": [], - "label": "getSubtypeNested", + "label": "clearInstanceCache", "description": [ - "\nReturns subtype nested data if exists" + "\nClear index pattern instance cache" ], "signature": [ - "() => ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubTypeNested", - "text": "IFieldSubTypeNested" - }, - " | undefined" + "(id?: string | undefined) => void" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, - "children": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.clearInstanceCache.$1", + "type": "string", + "tags": [], + "label": "id", + "description": [], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.getSubtypeMulti", + "id": "def-server.DataViewsService.getCache", "type": "Function", "tags": [], - "label": "getSubtypeMulti", + "label": "getCache", "description": [ - "\nReturns subtype multi data if exists" + "\nGet cache, contains data view saved objects." 
], "signature": [ - "() => ", + "() => Promise<", { - "pluginId": "@kbn/es-query", + "pluginId": "@kbn/core-saved-objects-common", "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubTypeMulti", - "text": "IFieldSubTypeMulti" + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" }, - " | undefined" + "<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSavedObjectAttrs", + "text": "DataViewSavedObjectAttrs" + }, + ">[] | null | undefined>" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "children": [], 
@@ -25317,43 +16434,61 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewField.deleteCount", + "id": "def-server.DataViewsService.getDefault", "type": "Function", "tags": [], - "label": "deleteCount", + "label": "getDefault", "description": [ - "\nDeletes count value. Popularity as used by discover" + "\nGet default index pattern" ], "signature": [ - "() => void" + "(displayErrors?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | null>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.getDefault.$1", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.toJSON", + "id": "def-server.DataViewsService.getDefaultId", "type": "Function", "tags": [], - "label": "toJSON", + "label": "getDefaultId", "description": [ - "\nJSON version of field" + "\nGet default index pattern id" ], "signature": [ - "() => { count: number; script: string | undefined; lang: string | undefined; conflictDescriptions: Record | undefined; name: string; type: string; esTypes: string[] | undefined; scripted: boolean; searchable: boolean; aggregatable: boolean; readFromDocValues: boolean; subType: ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - 
"section": "def-common.IFieldSubType", - "text": "IFieldSubType" - }, - " | undefined; customLabel: string | undefined; }" + "() => Promise" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "children": [], 
@@ -25361,188 +16496,178 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewField.toSpec", + "id": "def-server.DataViewsService.setDefault", "type": "Function", "tags": [], - "label": "toSpec", + "label": "setDefault", "description": [ - "\nGet field in serialized form - fieldspec." + "\nOptionally set default index pattern, unless force = true" ], "signature": [ - "(config?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.ToSpecConfig", - "text": "ToSpecConfig" - }, - ") => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - } + "(id: string | null, force?: boolean) => Promise" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewField.toSpec.$1", - "type": "Object", + "id": "def-server.DataViewsService.setDefault.$1", + "type": "CompoundType", "tags": [], - "label": "config", + "label": "id", "description": [ - "provide a method to get a field formatter" + "data view id" ], "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.ToSpecConfig", - "text": "ToSpecConfig" - } + "string | null" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.setDefault.$2", + "type": "boolean", + "tags": [], + "label": "force", + "description": [ + "set default data view even if there's an existing default" + ], + "signature": [ + "boolean" + ], + "path": 
"src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "isRequired": true } ], - "returnComment": [ - "field in serialized form - field spec" - ] + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewField.isRuntimeCompositeSubField", + "id": "def-server.DataViewsService.hasUserDataView", "type": "Function", "tags": [], - "label": "isRuntimeCompositeSubField", + "label": "hasUserDataView", "description": [ - "\nReturns true if composite runtime field" + "\nChecks if current user has a user created index pattern ignoring fleet's server default index patterns." ], "signature": [ - "() => boolean" + "() => Promise" ], - "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "children": [], "returnComment": [] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewSavedObjectConflictError", - "type": "Class", - "tags": [], - "label": "DataViewSavedObjectConflictError", - "description": [ - "\nError thrown when saved object has been changed when attempting to save." - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSavedObjectConflictError", - "text": "DataViewSavedObjectConflictError" }, - " extends Error" - ], - "path": "src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewSavedObjectConflictError.Unnamed", + "id": "def-server.DataViewsService.getFieldsForWildcard", "type": "Function", "tags": [], - "label": "Constructor", + "label": "getFieldsForWildcard", "description": [ - "\nconstructor" + "\nGet field list by providing { pattern }." 
], "signature": [ - "any" + "(options: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + }, + ") => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[]>" ], - "path": "src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewSavedObjectConflictError.Unnamed.$1", - "type": "string", + "id": "def-server.DataViewsService.getFieldsForWildcard.$1", + "type": "Object", "tags": [], - "label": "savedObjectId", + "label": "options", "description": [ - "saved object id with conflict" + "options for getting field list" ], "signature": [ - "string" + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + } ], - "path": "src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts", + "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "isRequired": true } ], - "returnComment": [] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService", - "type": "Class", - "tags": [], - "label": "DataViewsService", - "description": [ - "\nData views service, providing CRUD operations for data views." - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.getCanSave", - "type": "Function", - "tags": [], - "label": "getCanSave", - "description": [ - "\nCan the user save data views?" 
- ], - "signature": [ - "() => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [] + "returnComment": [ + "FieldSpec[]" + ] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.Unnamed", + "id": "def-server.DataViewsService.getFieldsForIndexPattern", "type": "Function", "tags": [], - "label": "Constructor", + "label": "getFieldsForIndexPattern", "description": [ - "\nDataViewsService constructor" + "\nGet field list by providing an index patttern (or spec)." ], "signature": [ - "any" + "(indexPattern: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + }, + ", options?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + }, + " | undefined) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[]>" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -25550,41 +16675,81 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.Unnamed.$1", + "id": "def-server.DataViewsService.getFieldsForIndexPattern.$1", + "type": "CompoundType", + "tags": [], + "label": "indexPattern", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.getFieldsForIndexPattern.$2", "type": "Object", "tags": [], - "label": "deps", + "label": "options", "description": [ - "Service dependencies" + "options for getting field list" ], "signature": [ { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewsServiceDeps", - "text": "DataViewsServiceDeps" - } + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + }, + " | undefined" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true + "isRequired": false } ], - "returnComment": [] + "returnComment": [ + "FieldSpec[]" + ] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.getIds", + "id": "def-server.DataViewsService.refreshFields", "type": "Function", "tags": [], - "label": "getIds", + "label": "refreshFields", "description": [ - "\nGets list of index pattern ids." + "\nRefresh field list for a given index pattern." 
], "signature": [ - "(refresh?: boolean) => Promise" + "(dataView: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ", displayErrors?: boolean) => Promise" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -25592,48 +16757,33 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.getIds.$1", - "type": "boolean", + "id": "def-server.DataViewsService.refreshFields.$1", + "type": "Object", "tags": [], - "label": "refresh", - "description": [ - "Force refresh of index pattern list" - ], + "label": "dataView", + "description": [], "signature": [ - "boolean" + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + } ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.getTitles", - "type": "Function", - "tags": [], - "label": "getTitles", - "description": [ - "\nGets list of index pattern titles." - ], - "signature": [ - "(refresh?: boolean) => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.getTitles.$1", + "id": "def-server.DataViewsService.refreshFields.$2", "type": "boolean", "tags": [], - "label": "refresh", + "label": "displayErrors", "description": [ - "Force refresh of index pattern list" + "- If set false, API consumer is responsible for displaying and handling errors." ], "signature": [ "boolean" 
@@ -25648,23 +16798,38 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.find", + "id": "def-server.DataViewsService.fieldArrayToMap", "type": "Function", "tags": [], - "label": "find", + "label": "fieldArrayToMap", "description": [ - "\nFind and load index patterns by title." + "\nConverts field array to map." ], "signature": [ - "(search: string, size?: number) => Promise<", + "(fields: ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "section": "def-common.FieldSpec", + "text": "FieldSpec" }, - "[]>" + "[], fieldAttrs?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrs", + "text": "FieldAttrs" + }, + " | undefined) => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewFieldMap", + "text": "DataViewFieldMap" + } ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -25672,15 +16837,22 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.find.$1", - "type": "string", + "id": "def-server.DataViewsService.fieldArrayToMap.$1", + "type": "Array", "tags": [], - "label": "search", + "label": "fields", "description": [ - "Search string" + ": FieldSpec[]" ], "signature": [ - "string" + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[]" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -25689,45 +16861,67 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.find.$2", - "type": "number", + "id": "def-server.DataViewsService.fieldArrayToMap.$2", + "type": "Object", "tags": [], - "label": "size", + "label": "fieldAttrs", "description": [ - "Number of data views to return" + ": FieldAttrs" ], "signature": [ - "number" + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrs", + "text": "FieldAttrs" + }, + " | undefined" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true + "isRequired": false } ], "returnComment": [ - "DataView[]" + "Record" ] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.getIdsWithTitle", + "id": "def-server.DataViewsService.savedObjectToSpec", "type": "Function", "tags": [], - "label": "getIdsWithTitle", + "label": "savedObjectToSpec", "description": [ - "\nGets list of index pattern ids with titles." + "\nConverts data view saved object to data view spec." ], "signature": [ - "(refresh?: boolean) => Promise<", + "(savedObject: ", + { + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" + }, + "<", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewListItem", - "text": "DataViewListItem" + "section": "def-common.DataViewAttributes", + "text": "DataViewAttributes" }, - "[]>" + ">) => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -25735,15 +16929,28 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.getIdsWithTitle.$1", - "type": "boolean", + "id": "def-server.DataViewsService.savedObjectToSpec.$1", + "type": "Object", "tags": [], - "label": "refresh", - "description": [ - "Force refresh of index pattern list" - ], + "label": "savedObject", + "description": [], "signature": [ - "boolean" + { + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" + }, + "<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewAttributes", + "text": "DataViewAttributes" + }, + ">" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -25751,37 +16958,29 @@ "isRequired": true } ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.clearCache", - "type": "Function", - "tags": [], - "label": "clearCache", - "description": [ - "\nClear index pattern saved objects cache." - ], - "signature": [ - "() => void" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "returnComment": [ + "DataViewSpec" + ] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.clearInstanceCache", + "id": "def-server.DataViewsService.get", "type": "Function", "tags": [], - "label": "clearInstanceCache", + "label": "get", "description": [ - "\nClear index pattern instance cache" + "\nGet an index pattern by id, cache optimized." ], "signature": [ - "(id?: string | undefined) => void" + "(id: string, displayErrors?: boolean, refreshFields?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ">" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -25789,67 +16988,75 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.clearInstanceCache.$1", + "id": "def-server.DataViewsService.get.$1", "type": "string", "tags": [], "label": "id", "description": [], "signature": [ - "string | undefined" + "string" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, - "isRequired": false + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.get.$2", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.get.$3", + "type": "boolean", + "tags": [], + "label": "refreshFields", + "description": [ + "- If set true, will fetch fields from the index pattern" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true } ], "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.getCache", + "id": "def-server.DataViewsService.create", "type": "Function", "tags": [], - "label": "getCache", + "label": "create", "description": [ - "\nGet cache, contains data view saved objects." + "\nCreate data view instance." 
], "signature": [ - "() => Promise<", - { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" - }, - "<", + "(spec: ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSavedObjectAttrs", - "text": "DataViewSavedObjectAttrs" + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, - ">[] | null | undefined>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.getDefault", - "type": "Function", - "tags": [], - "label": "getDefault", - "description": [ - "\nGet default index pattern" - ], - "signature": [ - "(displayErrors?: boolean) => Promise<", + ", skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -25857,7 +17064,7 @@ "section": "def-common.DataView", "text": "DataView" }, - " | null>" + ">" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -25865,83 +17072,52 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.getDefault.$1", - "type": "boolean", + "id": "def-server.DataViewsService.create.$1", + "type": "Object", "tags": [], - "label": "displayErrors", + "label": "spec", "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." + "data view spec" ], "signature": [ - "boolean" + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.getDefaultId", - "type": "Function", - "tags": [], - "label": "getDefaultId", - "description": [ - "\nGet default index pattern id" - ], - "signature": [ - "() => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.setDefault", - "type": "Function", - "tags": [], - "label": "setDefault", - "description": [ - "\nOptionally set default index pattern, unless force = true" - ], - "signature": [ - "(id: string | null, force?: boolean) => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.setDefault.$1", - "type": "CompoundType", + "id": "def-server.DataViewsService.create.$2", + "type": "boolean", "tags": [], - "label": "id", + "label": "skipFetchFields", "description": [ - "data view id" + "if true, will not fetch fields" ], "signature": [ - "string | null" + "boolean" ], "path": 
"src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, - "isRequired": false + "isRequired": true }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.setDefault.$2", + "id": "def-server.DataViewsService.create.$3", "type": "boolean", "tags": [], - "label": "force", + "label": "displayErrors", "description": [ - "set default data view even if there's an existing default" + "- If set false, API consumer is responsible for displaying and handling errors." ], "signature": [ "boolean" 
@@ -25952,53 +17128,37 @@ "isRequired": true } ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.hasUserDataView", - "type": "Function", - "tags": [], - "label": "hasUserDataView", - "description": [ - "\nChecks if current user has a user created index pattern ignoring fleet's server default index patterns." - ], - "signature": [ - "() => Promise" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "returnComment": [ + "DataView" + ] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.getFieldsForWildcard", + "id": "def-server.DataViewsService.createAndSave", "type": "Function", "tags": [], - "label": "getFieldsForWildcard", + "label": "createAndSave", "description": [ - "\nGet field list by providing { pattern }." + "\nCreate a new data view and save it right away." ], "signature": [ - "(options: ", + "(spec: ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, - ") => Promise<", + ", override?: boolean, skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" + "section": "def-common.DataView", + "text": "DataView" }, - "[]>" + ">" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -26006,21 +17166,72 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.getFieldsForWildcard.$1", - "type": "Object", + "id": "def-server.DataViewsService.createAndSave.$1", + "type": "Object", + "tags": [], + "label": "spec", + "description": [ + "data view spec" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.createAndSave.$2", + "type": "boolean", + "tags": [], + "label": "override", + "description": [ + "Overwrite if existing index pattern exists." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.createAndSave.$3", + "type": "boolean", + "tags": [], + "label": "skipFetchFields", + "description": [ + "Whether to skip field refresh step." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.createAndSave.$4", + "type": "boolean", "tags": [], - "label": "options", + "label": "displayErrors", "description": [ - "options for getting field list" + "- If set false, API consumer is responsible for displaying and handling errors." 
], "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - } + "boolean" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -26028,21 +17239,19 @@ "isRequired": true } ], - "returnComment": [ - "FieldSpec[]" - ] + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.getFieldsForIndexPattern", + "id": "def-server.DataViewsService.createSavedObject", "type": "Function", "tags": [], - "label": "getFieldsForIndexPattern", + "label": "createSavedObject", "description": [ - "\nGet field list by providing an index patttern (or spec)." + "\nSave a new data view." ], "signature": [ - "(indexPattern: ", + "(dataView: ", { "pluginId": "dataViews", "scope": "common", @@ -26050,31 +17259,15 @@ "section": "def-common.DataView", "text": "DataView" }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - }, - ", options?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - }, - " | undefined) => Promise<", + ", override?: boolean, displayErrors?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" + "section": "def-common.DataView", + "text": "DataView" }, - "[]>" + ">" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, 
@@ -26082,11 +17275,13 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.getFieldsForIndexPattern.$1", - "type": "CompoundType", + "id": "def-server.DataViewsService.createSavedObject.$1", + "type": "Object", "tags": [], - "label": "indexPattern", - "description": [], + "label": "dataView", + "description": [ + "data view instance" + ], "signature": [ { "pluginId": "dataViews", @@ -26094,14 +17289,6 @@ "docId": "kibDataViewsPluginApi", "section": "def-common.DataView", "text": "DataView" - }, - " | ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" } ], "path": "src/plugins/data_views/common/data_views/data_views.ts", 
@@ -26111,44 +17298,52 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.getFieldsForIndexPattern.$2", - "type": "Object", + "id": "def-server.DataViewsService.createSavedObject.$2", + "type": "boolean", "tags": [], - "label": "options", + "label": "override", "description": [ - "options for getting field list" + "Overwrite if existing index pattern exists" ], "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - }, - " | undefined" + "boolean" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, "trackAdoption": false, - "isRequired": false + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.createSavedObject.$3", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true } ], - "returnComment": [ - "FieldSpec[]" - ] + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.refreshFields", + "id": "def-server.DataViewsService.updateSavedObject", "type": "Function", "tags": [], - "label": "refreshFields", + "label": "updateSavedObject", "description": [ - "\nRefresh field list for a given index pattern." + "\nSave existing data view. Will attempt to merge differences if there are conflicts." ], "signature": [ - "(dataView: ", + "(indexPattern: ", { "pluginId": "dataViews", "scope": "common", 
@@ -26156,7 +17351,15 @@ "section": "def-common.DataView", "text": "DataView" }, - ", displayErrors?: boolean) => Promise" + ", saveAttempts?: number, ignoreErrors?: boolean, displayErrors?: boolean) => Promise" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -26164,10 +17367,10 @@ "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.refreshFields.$1", + "id": "def-server.DataViewsService.updateSavedObject.$1", "type": "Object", "tags": [], - "label": "dataView", + "label": "indexPattern", "description": [], "signature": [ { @@ -26185,7 +17388,37 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.refreshFields.$2", + "id": "def-server.DataViewsService.updateSavedObject.$2", + "type": "number", + "tags": [], + "label": "saveAttempts", + "description": [], + "signature": [ + "number" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.updateSavedObject.$3", + "type": "boolean", + "tags": [], + "label": "ignoreErrors", + "description": [], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.updateSavedObject.$4", "type": "boolean", "tags": [], "label": "displayErrors", 
@@ -26205,359 +17438,523 @@ }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.fieldArrayToMap", + "id": "def-server.DataViewsService.delete", "type": "Function", "tags": [], - "label": "fieldArrayToMap", + "label": "delete", "description": [ - "\nConverts field array to map." + "\nDeletes an index pattern from .kibana index." ], "signature": [ - "(fields: ", + "(indexPatternId: string) => Promise<{}>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - "[], fieldAttrs?: ", + "parentPluginId": "data", + "id": "def-server.DataViewsService.delete.$1", + "type": "string", + "tags": [], + "label": "indexPatternId", + "description": [ + ": Id of kibana Index Pattern to delete" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + }, + { + "parentPluginId": "data", + "id": "def-server.DataViewsService.getDefaultDataView", + "type": "Function", + "tags": [], + "label": "getDefaultDataView", + "description": [ + "\nReturns the default data view as an object.\nIf no default is found, or it is missing\nanother data view is selected as default and returned.\nIf no possible data view found to become a default returns null.\n" + ], + "signature": [ + "(refreshFields?: boolean | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrs", - "text": "FieldAttrs" + "section": "def-common.DataView", + "text": "DataView" }, - " | undefined) => ", + " | null>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - 
"pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewFieldMap", - "text": "DataViewFieldMap" + "parentPluginId": "data", + "id": "def-server.DataViewsService.getDefaultDataView.$1", + "type": "CompoundType", + "tags": [], + "label": "refreshFields", + "description": [ + "- if true, will refresh the fields of the default data view" + ], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false } ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "returnComment": [ + "default data view" + ] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher", + "type": "Class", + "tags": [], + "label": "IndexPatternsFetcher", + "description": [], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher.Unnamed", + "type": "Function", + "tags": [], + "label": "Constructor", + "description": [], + "signature": [ + "any" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.fieldArrayToMap.$1", - "type": "Array", + "id": "def-server.IndexPatternsFetcher.Unnamed.$1", + "type": "Object", "tags": [], - "label": "fields", - "description": [ - ": FieldSpec[]" - ], + "label": "elasticsearchClient", + "description": [], "signature": [ { - "pluginId": "dataViews", + "pluginId": "@kbn/core-elasticsearch-server", "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - "[]" + "docId": "kibKbnCoreElasticsearchServerPluginApi", + "section": 
"def-common.ElasticsearchClient", + "text": "ElasticsearchClient" + } ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false, "isRequired": true }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.fieldArrayToMap.$2", - "type": "Object", + "id": "def-server.IndexPatternsFetcher.Unnamed.$2", + "type": "boolean", "tags": [], - "label": "fieldAttrs", - "description": [ - ": FieldAttrs" - ], + "label": "allowNoIndices", + "description": [], "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrs", - "text": "FieldAttrs" - }, - " | undefined" + "boolean" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false, - "isRequired": false + "isRequired": true } ], - "returnComment": [ - "Record" - ] + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.savedObjectToSpec", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard", "type": "Function", - "tags": [], - "label": "savedObjectToSpec", + "tags": [ + "property", + "property", + "return" + ], + "label": "getFieldsForWildcard", "description": [ - "\nConverts data view saved object to data view spec." 
+ "\n Get a list of field objects for an index pattern that may contain wildcards\n" ], "signature": [ - "(savedObject: ", - { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" - }, - "<", + "(options: { pattern: string | string[]; metaFields?: string[] | undefined; fieldCapsOptions?: { allow_no_indices: boolean; includeUnmapped?: boolean | undefined; } | undefined; type?: string | undefined; rollupIndex?: string | undefined; indexFilter?: ", + "QueryDslQueryContainer", + " | undefined; fields?: string[] | undefined; }) => Promise<{ fields: ", { "pluginId": "dataViews", - "scope": "common", + "scope": "server", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewAttributes", - "text": "DataViewAttributes" + "section": "def-server.FieldDescriptor", + "text": "FieldDescriptor" }, - ">) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } + "[]; indices: string[]; }>" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.savedObjectToSpec.$1", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1", "type": "Object", "tags": [], - "label": "savedObject", + "label": "options", "description": [], - "signature": [ + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" + "parentPluginId": "data", + "id": 
"def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.pattern", + "type": "CompoundType", + "tags": [], + "label": "pattern", + "description": [], + "signature": [ + "string | string[]" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false }, - "<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewAttributes", - "text": "DataViewAttributes" + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.metaFields", + "type": "Array", + "tags": [], + "label": "metaFields", + "description": [], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false }, - ">" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true + { + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.fieldCapsOptions", + "type": "Object", + "tags": [], + "label": "fieldCapsOptions", + "description": [], + "signature": [ + "{ allow_no_indices: boolean; includeUnmapped?: boolean | undefined; } | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.type", + "type": "string", + "tags": [], + "label": "type", + "description": [], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.rollupIndex", + "type": "string", + "tags": [], + "label": "rollupIndex", + "description": [], + 
"signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.indexFilter", + "type": "Object", + "tags": [], + "label": "indexFilter", + "description": [], + "signature": [ + "QueryDslQueryContainer", + " | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.IndexPatternsFetcher.getFieldsForWildcard.$1.fields", + "type": "Array", + "tags": [], + "label": "fields", + "description": [], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + } + ] } ], - "returnComment": [ - "DataViewSpec" - ] + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.get", + "id": "def-server.IndexPatternsFetcher.validatePatternListActive", "type": "Function", - "tags": [], - "label": "get", - "description": [ - "\nGet an index pattern by id, cache optimized." 
+ "tags": [ + "return" ], - "signature": [ - "(id: string, displayErrors?: boolean, refreshFields?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">" + "label": "validatePatternListActive", + "description": [ + "\n Returns an index pattern list of only those index pattern strings in the given list that return indices\n" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "signature": [ + "(patternList: string[]) => Promise" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.get.$1", - "type": "string", - "tags": [], - "label": "id", - "description": [], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.get.$2", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.get.$3", - "type": "boolean", + "id": "def-server.IndexPatternsFetcher.validatePatternListActive.$1", + "type": "Array", "tags": [], - "label": "refreshFields", + "label": "patternList", "description": [ - "- If set true, will fetch fields from the index pattern" + "string[]" ], "signature": [ - "boolean" + "string[]" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false, "isRequired": true } ], "returnComment": [] - }, + } + ], + "initialIsOpen": false + } + ], + "functions": [ + { + "parentPluginId": "data", + "id": "def-server.getCapabilitiesForRollupIndices", + "type": "Function", + "tags": [], + "label": "getCapabilitiesForRollupIndices", + "description": [ + "\nGet rollup job capabilities" + ], + "signature": [ + "(indices: ", + "RollupGetRollupIndexCapsResponse", + ") => ", + { + "pluginId": "dataViews", + "scope": "server", + "docId": "kibDataViewsPluginApi", + "section": "def-server.RollupIndexCapability", + "text": "RollupIndexCapability" + } + ], + "path": "src/plugins/data_views/server/fetcher/lib/map_capabilities.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.create", - "type": "Function", + "id": "def-server.getCapabilitiesForRollupIndices.$1", + "type": "Object", "tags": [], - "label": "create", + "label": "indices", "description": [ - "\nCreate data view instance." 
+ "rollup job index capabilites" ], "signature": [ - "(spec: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - }, - ", skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">" + "RollupGetRollupIndexCapsResponse" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/fetcher/lib/map_capabilities.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.create.$1", - "type": "Object", - "tags": [], - "label": "spec", - "description": [ - "data view spec" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.create.$2", - "type": "boolean", - "tags": [], - "label": "skipFetchFields", - "description": [ - "if true, will not fetch fields" - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.create.$3", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.getEsQueryConfig", + "type": "Function", + "tags": [], + "label": "getEsQueryConfig", + "description": [], + "signature": [ + "(config: KibanaConfig) => ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.EsQueryConfig", + "text": "EsQueryConfig" + } + ], + "path": "src/plugins/data/common/es_query/get_es_query_config.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.getEsQueryConfig.$1", + "type": "Object", + "tags": [], + "label": "config", + "description": [], + "signature": [ + "KibanaConfig" ], - "returnComment": [ - "DataView" - ] + "path": "src/plugins/data/common/es_query/get_es_query_config.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.getRequestAbortedSignal", + "type": "Function", + "tags": [], + "label": "getRequestAbortedSignal", + "description": [ + "\nA simple utility function that returns an `AbortSignal` corresponding to an `AbortController`\nwhich aborts when the given request is aborted." 
+ ], + "signature": [ + "(aborted$: ", + "Observable", + ") => AbortSignal" + ], + "path": "src/plugins/data/server/lib/get_request_aborted_signal.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.getRequestAbortedSignal.$1", + "type": "Object", + "tags": [], + "label": "aborted$", + "description": [ + "The observable of abort events (usually `request.events.aborted$`)" + ], + "signature": [ + "Observable", + "" + ], + "path": "src/plugins/data/server/lib/get_request_aborted_signal.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.getTime", + "type": "Function", + "tags": [], + "label": "getTime", + "description": [], + "signature": [ + "(indexPattern: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | undefined, timeRange: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.TimeRange", + "text": "TimeRange" + }, + ", options: { forceNow?: Date | undefined; fieldName?: string | undefined; } | undefined) => ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.RangeFilter", + "text": "RangeFilter" }, + " | ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.ScriptedRangeFilter", + "text": "ScriptedRangeFilter" + }, + " | ", + "MatchAllRangeFilter", + " | undefined" + ], + "path": "src/plugins/data/common/query/timefilter/get_time.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.createAndSave", - "type": "Function", + "id": "def-server.getTime.$1", + "type": "Object", 
"tags": [], - "label": "createAndSave", - "description": [ - "\nCreate a new data view and save it right away." - ], + "label": "indexPattern", + "description": [], "signature": [ - "(spec: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - }, - ", override?: boolean, skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", 
@@ -26565,364 +17962,1431 @@ "section": "def-common.DataView", "text": "DataView" }, - ">" + " | undefined" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data/common/query/timefilter/get_time.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.createAndSave.$1", - "type": "Object", - "tags": [], - "label": "spec", - "description": [ - "data view spec" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" - } - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.createAndSave.$2", - "type": "boolean", - "tags": [], - "label": "override", - "description": [ - "Overwrite if existing index pattern exists." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.createAndSave.$3", - "type": "boolean", - "tags": [], - "label": "skipFetchFields", - "description": [ - "Whether to skip field refresh step." - ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.createAndSave.$4", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] + "isRequired": false }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.createSavedObject", - "type": "Function", + "id": "def-server.getTime.$2", + "type": "Object", "tags": [], - "label": "createSavedObject", - "description": [ - "\nSave a new data view." - ], + "label": "timeRange", + "description": [], "signature": [ - "(dataView: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ", override?: boolean, displayErrors?: boolean) => Promise<", - { - "pluginId": "dataViews", + "pluginId": "@kbn/es-query", "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">" + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.TimeRange", + "text": "TimeRange" + } ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data/common/query/timefilter/get_time.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-server.getTime.$3", + "type": "Object", + "tags": [], + "label": "options", + "description": [], + "path": "src/plugins/data/common/query/timefilter/get_time.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.createSavedObject.$1", + "id": "def-server.getTime.$3.forceNow", "type": "Object", "tags": [], - "label": "dataView", - "description": [ - "data view instance" - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - } - ], - "path": 
"src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.createSavedObject.$2", - "type": "boolean", - "tags": [], - "label": "override", - "description": [ - "Overwrite if existing index pattern exists" - ], + "label": "forceNow", + "description": [], "signature": [ - "boolean" + "Date | undefined" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data/common/query/timefilter/get_time.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.createSavedObject.$3", - "type": "boolean", + "id": "def-server.getTime.$3.fieldName", + "type": "string", "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." - ], + "label": "fieldName", + "description": [], "signature": [ - "boolean" + "string | undefined" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data/common/query/timefilter/get_time.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false } + ] + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.parseInterval", + "type": "Function", + "tags": [], + "label": "parseInterval", + "description": [], + "signature": [ + "(interval: string) => moment.Duration | null" + ], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.parseInterval.$1", + "type": "string", + "tags": [], + "label": "interval", + "description": [], + "signature": [ + "string" ], - "returnComment": [] - }, + "path": 
"src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + } + ], + "interfaces": [ + { + "parentPluginId": "data", + "id": "def-server.DataViewsServerPluginStart", + "type": "Interface", + "tags": [], + "label": "DataViewsServerPluginStart", + "description": [ + "\nDataViews server plugin start api" + ], + "path": "src/plugins/data_views/server/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.updateSavedObject", + "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory", "type": "Function", "tags": [], - "label": "updateSavedObject", + "label": "dataViewsServiceFactory", "description": [ - "\nSave existing data view. Will attempt to merge differences if there are conflicts." + "\nReturns a DataViews service instance" ], "signature": [ - "(indexPattern: ", + "(savedObjectsClient: ", { - "pluginId": "dataViews", + "pluginId": "@kbn/core-saved-objects-api-server", "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "docId": "kibKbnCoreSavedObjectsApiServerPluginApi", + "section": "def-common.SavedObjectsClientContract", + "text": "SavedObjectsClientContract" }, - ", saveAttempts?: number, ignoreErrors?: boolean, displayErrors?: boolean) => Promise | undefined, byPassCapabilities?: boolean | undefined) => Promise<", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "section": "def-common.DataViewsService", + "text": "DataViewsService" }, ">" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/types.ts", "deprecated": false, "trackAdoption": false, + "returnComment": [], "children": [ { "parentPluginId": 
"data", - "id": "def-common.DataViewsService.updateSavedObject.$1", + "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$1", "type": "Object", "tags": [], - "label": "indexPattern", + "label": "savedObjectsClient", "description": [], "signature": [ { - "pluginId": "dataViews", + "pluginId": "@kbn/core-saved-objects-api-server", "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "docId": "kibKbnCoreSavedObjectsApiServerPluginApi", + "section": "def-common.SavedObjectsClientContract", + "text": "SavedObjectsClientContract" } ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.updateSavedObject.$2", - "type": "number", + "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$2", + "type": "Object", "tags": [], - "label": "saveAttempts", + "label": "elasticsearchClient", "description": [], "signature": [ - "number" + "{ name: string | symbol; get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + 
"DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", + "default", + "; search: { >(this: That, params?: ", + "SearchRequest", + " | ", + "SearchRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "SearchResponse", + ">; >(this: That, params?: ", + "SearchRequest", + " | ", + "SearchRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "SearchResponse", + ", unknown>>; >(this: That, params?: ", + "SearchRequest", + " | ", + "SearchRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "SearchResponse", + ">; }; create: { (this: That, params: ", + "CreateRequest", + " | ", + "CreateRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "CreateRequest", + " | ", + "CreateRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "CreateRequest", + " | ", + "CreateRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; monitoring: ", + "default", + "; security: ", + "default", + "; index: { (this: That, params: ", + "IndexRequest", + " | ", + "IndexRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "IndexRequest", + " | ", + "IndexRequest", + ", options?: ", + 
"TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "IndexRequest", + " | ", + "IndexRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; update: { (this: That, params: ", + "UpdateRequest", + " | ", + "UpdateRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "UpdateResponse", + ">; (this: That, params: ", + "UpdateRequest", + " | ", + "UpdateRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "UpdateResponse", + ", unknown>>; (this: That, params: ", + "UpdateRequest", + " | ", + "UpdateRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "UpdateResponse", + ">; }; asyncSearch: ", + "default", + "; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + "default", + "; helpers: ", + "default", + "; child: (opts: ", + "ClientOptions", + ") => ", + "default", + "; autoscaling: ", + "default", + "; bulk: { (this: 
That, params: ", + "BulkRequest", + " | ", + "BulkRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "BulkResponse", + ">; (this: That, params: ", + "BulkRequest", + " | ", + "BulkRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "BulkResponse", + ", unknown>>; (this: That, params: ", + "BulkRequest", + " | ", + "BulkRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "BulkResponse", + ">; }; cat: ", + "default", + "; ccr: ", + "default", + "; clearScroll: { (this: That, params?: ", + "ClearScrollRequest", + " | ", + "ClearScrollRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "ClearScrollResponse", + ">; (this: That, params?: ", + "ClearScrollRequest", + " | ", + "ClearScrollRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "ClearScrollResponse", + ", unknown>>; (this: That, params?: ", + "ClearScrollRequest", + " | ", + "ClearScrollRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "ClearScrollResponse", + ">; }; closePointInTime: { (this: That, params: ", + "ClosePointInTimeRequest", + " | ", + "ClosePointInTimeRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "ClosePointInTimeResponse", + ">; (this: That, params: ", + "ClosePointInTimeRequest", + " | ", + "ClosePointInTimeRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "ClosePointInTimeResponse", + ", unknown>>; (this: That, params: ", + "ClosePointInTimeRequest", + " | ", + "ClosePointInTimeRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "ClosePointInTimeResponse", + ">; }; count: { (this: That, 
params?: ", + "CountRequest", + " | ", + "CountRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "CountResponse", + ">; (this: That, params?: ", + "CountRequest", + " | ", + "CountRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "CountResponse", + ", unknown>>; (this: That, params?: ", + "CountRequest", + " | ", + "CountRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "CountResponse", + ">; }; danglingIndices: ", + "default", + "; deleteByQuery: { (this: That, params: ", + "DeleteByQueryRequest", + " | ", + "DeleteByQueryRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "DeleteByQueryResponse", + ">; (this: That, params: ", + "DeleteByQueryRequest", + " | ", + "DeleteByQueryRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "DeleteByQueryResponse", + ", unknown>>; (this: That, params: ", + "DeleteByQueryRequest", + " | ", + "DeleteByQueryRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "DeleteByQueryResponse", + ">; }; deleteByQueryRethrottle: { (this: That, params: ", + "DeleteByQueryRethrottleRequest", + " | ", + "DeleteByQueryRethrottleRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "TasksTaskListResponseBase", + ">; (this: That, params: ", + "DeleteByQueryRethrottleRequest", + " | ", + "DeleteByQueryRethrottleRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "TasksTaskListResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteByQueryRethrottleRequest", + " | ", + "DeleteByQueryRethrottleRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + 
"TasksTaskListResponseBase", + ">; }; deleteScript: { (this: That, params: ", + "DeleteScriptRequest", + " | ", + "DeleteScriptRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "AcknowledgedResponseBase", + ">; (this: That, params: ", + "DeleteScriptRequest", + " | ", + "DeleteScriptRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "AcknowledgedResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteScriptRequest", + " | ", + "DeleteScriptRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "AcknowledgedResponseBase", + ">; }; enrich: ", + "default", + "; exists: { (this: That, params: ", + "ExistsRequest", + " | ", + "ExistsRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise; (this: That, params: ", + "ExistsRequest", + " | ", + "ExistsRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + ">; (this: That, params: ", + "ExistsRequest", + " | ", + "ExistsRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise; }; existsSource: { (this: That, params: ", + "ExistsSourceRequest", + " | ", + "ExistsSourceRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise; (this: That, params: ", + "ExistsSourceRequest", + " | ", + "ExistsSourceRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + ">; (this: That, params: ", + "ExistsSourceRequest", + " | ", + "ExistsSourceRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise; }; explain: { (this: That, params: ", + "ExplainRequest", + " | ", + "ExplainRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "ExplainResponse", + ">; (this: That, params: ", + 
"ExplainRequest", + " | ", + "ExplainRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "ExplainResponse", + ", unknown>>; (this: That, params: ", + "ExplainRequest", + " | ", + "ExplainRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "ExplainResponse", + ">; }; features: ", + "default", + "; fieldCaps: { (this: That, params: ", + "FieldCapsRequest", + " | ", + "FieldCapsRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "FieldCapsResponse", + ">; (this: That, params: ", + "FieldCapsRequest", + " | ", + "FieldCapsRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "FieldCapsResponse", + ", unknown>>; (this: That, params: ", + "FieldCapsRequest", + " | ", + "FieldCapsRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "FieldCapsResponse", + ">; }; fleet: ", + "default", + "; getScript: { (this: That, params: ", + "GetScriptRequest", + " | ", + "GetScriptRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetScriptResponse", + ">; (this: That, params: ", + "GetScriptRequest", + " | ", + "GetScriptRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetScriptResponse", + ", unknown>>; (this: That, params: ", + "GetScriptRequest", + " | ", + "GetScriptRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetScriptResponse", + ">; }; getScriptContext: { (this: That, params?: ", + "GetScriptContextRequest", + " | ", + "GetScriptContextRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetScriptContextResponse", + ">; (this: That, params?: ", + "GetScriptContextRequest", + " | ", + 
"GetScriptContextRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetScriptContextResponse", + ", unknown>>; (this: That, params?: ", + "GetScriptContextRequest", + " | ", + "GetScriptContextRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetScriptContextResponse", + ">; }; getScriptLanguages: { (this: That, params?: ", + "GetScriptLanguagesRequest", + " | ", + "GetScriptLanguagesRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetScriptLanguagesResponse", + ">; (this: That, params?: ", + "GetScriptLanguagesRequest", + " | ", + "GetScriptLanguagesRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetScriptLanguagesResponse", + ", unknown>>; (this: That, params?: ", + "GetScriptLanguagesRequest", + " | ", + "GetScriptLanguagesRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetScriptLanguagesResponse", + ">; }; getSource: { (this: That, params: ", + "GetSourceRequest", + " | ", + "GetSourceRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise; (this: That, params: ", + "GetSourceRequest", + " | ", + "GetSourceRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + ">; (this: That, params: ", + "GetSourceRequest", + " | ", + "GetSourceRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise; }; graph: ", + "default", + "; ilm: ", + "default", + "; indices: ", + "default", + "; info: { (this: That, params?: ", + "InfoRequest", + " | ", + "InfoRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "InfoResponse", + ">; (this: That, params?: ", + 
"InfoRequest", + " | ", + "InfoRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "InfoResponse", + ", unknown>>; (this: That, params?: ", + "InfoRequest", + " | ", + "InfoRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "InfoResponse", + ">; }; ingest: ", + "default", + "; knnSearch: { (this: That, params: ", + "KnnSearchRequest", + " | ", + "KnnSearchRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "KnnSearchResponse", + ">; (this: That, params: ", + "KnnSearchRequest", + " | ", + "KnnSearchRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "KnnSearchResponse", + ", unknown>>; (this: That, params: ", + "KnnSearchRequest", + " | ", + "KnnSearchRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "KnnSearchResponse", + ">; }; license: ", + "default", + "; logstash: ", + "default", + "; mget: { (this: That, params?: ", + "MgetRequest", + " | ", + "MgetRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "MgetResponse", + ">; (this: That, params?: ", + "MgetRequest", + " | ", + "MgetRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "MgetResponse", + ", unknown>>; (this: That, params?: ", + "MgetRequest", + " | ", + "MgetRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "MgetResponse", + ">; }; migration: ", + "default", + "; ml: ", + "default", + "; msearch: { >(this: That, params: ", + "MsearchRequest", + " | ", + "MsearchRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "MsearchResponse", + ">; >(this: That, params: ", + "MsearchRequest", 
+ " | ", + "MsearchRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "MsearchResponse", + ", unknown>>; >(this: That, params: ", + "MsearchRequest", + " | ", + "MsearchRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "MsearchResponse", + ">; }; msearchTemplate: { >(this: That, params: ", + "MsearchTemplateRequest", + " | ", + "MsearchTemplateRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "MsearchTemplateResponse", + ">; >(this: That, params: ", + "MsearchTemplateRequest", + " | ", + "MsearchTemplateRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "MsearchTemplateResponse", + ", unknown>>; >(this: That, params: ", + "MsearchTemplateRequest", + " | ", + "MsearchTemplateRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "MsearchTemplateResponse", + ">; }; mtermvectors: { (this: That, params?: ", + "MtermvectorsRequest", + " | ", + "MtermvectorsRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "MtermvectorsResponse", + ">; (this: That, params?: ", + "MtermvectorsRequest", + " | ", + "MtermvectorsRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "MtermvectorsResponse", + ", unknown>>; (this: That, params?: ", + "MtermvectorsRequest", + " | ", + "MtermvectorsRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "MtermvectorsResponse", + ">; }; nodes: ", + "default", + "; openPointInTime: { (this: That, params: ", + "OpenPointInTimeRequest", + " | ", + "OpenPointInTimeRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "OpenPointInTimeResponse", + ">; (this: That, 
params: ", + "OpenPointInTimeRequest", + " | ", + "OpenPointInTimeRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "OpenPointInTimeResponse", + ", unknown>>; (this: That, params: ", + "OpenPointInTimeRequest", + " | ", + "OpenPointInTimeRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "OpenPointInTimeResponse", + ">; }; ping: { (this: That, params?: ", + "PingRequest", + " | ", + "PingRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise; (this: That, params?: ", + "PingRequest", + " | ", + "PingRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + ">; (this: That, params?: ", + "PingRequest", + " | ", + "PingRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise; }; putScript: { (this: That, params: ", + "PutScriptRequest", + " | ", + "PutScriptRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "AcknowledgedResponseBase", + ">; (this: That, params: ", + "PutScriptRequest", + " | ", + "PutScriptRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "AcknowledgedResponseBase", + ", unknown>>; (this: That, params: ", + "PutScriptRequest", + " | ", + "PutScriptRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "AcknowledgedResponseBase", + ">; }; rankEval: { (this: That, params: ", + "RankEvalRequest", + " | ", + "RankEvalRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "RankEvalResponse", + ">; (this: That, params: ", + "RankEvalRequest", + " | ", + "RankEvalRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + 
"RankEvalResponse", + ", unknown>>; (this: That, params: ", + "RankEvalRequest", + " | ", + "RankEvalRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "RankEvalResponse", + ">; }; reindex: { (this: That, params: ", + "ReindexRequest", + " | ", + "ReindexRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "ReindexResponse", + ">; (this: That, params: ", + "ReindexRequest", + " | ", + "ReindexRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "ReindexResponse", + ", unknown>>; (this: That, params: ", + "ReindexRequest", + " | ", + "ReindexRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "ReindexResponse", + ">; }; reindexRethrottle: { (this: That, params: ", + "ReindexRethrottleRequest", + " | ", + "ReindexRethrottleRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "ReindexRethrottleResponse", + ">; (this: That, params: ", + "ReindexRethrottleRequest", + " | ", + "ReindexRethrottleRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "ReindexRethrottleResponse", + ", unknown>>; (this: That, params: ", + "ReindexRethrottleRequest", + " | ", + "ReindexRethrottleRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "ReindexRethrottleResponse", + ">; }; renderSearchTemplate: { (this: That, params?: ", + "RenderSearchTemplateRequest", + " | ", + "RenderSearchTemplateRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "RenderSearchTemplateResponse", + ">; (this: That, params?: ", + "RenderSearchTemplateRequest", + " | ", + "RenderSearchTemplateRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + 
"<", + "RenderSearchTemplateResponse", + ", unknown>>; (this: That, params?: ", + "RenderSearchTemplateRequest", + " | ", + "RenderSearchTemplateRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "RenderSearchTemplateResponse", + ">; }; rollup: ", + "default", + "; scriptsPainlessExecute: { (this: That, params?: ", + "ScriptsPainlessExecuteRequest", + " | ", + "ScriptsPainlessExecuteRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "ScriptsPainlessExecuteResponse", + ">; (this: That, params?: ", + "ScriptsPainlessExecuteRequest", + " | ", + "ScriptsPainlessExecuteRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "ScriptsPainlessExecuteResponse", + ", unknown>>; (this: That, params?: ", + "ScriptsPainlessExecuteRequest", + " | ", + "ScriptsPainlessExecuteRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "ScriptsPainlessExecuteResponse", + ">; }; scroll: { >(this: That, params: ", + "ScrollRequest", + " | ", + "ScrollRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "ScrollResponse", + ">; >(this: That, params: ", + "ScrollRequest", + " | ", + "ScrollRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "ScrollResponse", + ", unknown>>; >(this: That, params: ", + "ScrollRequest", + " | ", + "ScrollRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "ScrollResponse", + ">; }; searchMvt: { (this: That, params: ", + "SearchMvtRequest", + " | ", + "SearchMvtRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise; (this: That, params: ", + "SearchMvtRequest", + " | ", + "SearchMvtRequest", + ", options?: ", + 
"TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + ">; (this: That, params: ", + "SearchMvtRequest", + " | ", + "SearchMvtRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise; }; searchShards: { (this: That, params?: ", + "SearchShardsRequest", + " | ", + "SearchShardsRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "SearchShardsResponse", + ">; (this: That, params?: ", + "SearchShardsRequest", + " | ", + "SearchShardsRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "SearchShardsResponse", + ", unknown>>; (this: That, params?: ", + "SearchShardsRequest", + " | ", + "SearchShardsRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "SearchShardsResponse", + ">; }; searchTemplate: { (this: That, params?: ", + "SearchTemplateRequest", + " | ", + "SearchTemplateRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "SearchTemplateResponse", + ">; (this: That, params?: ", + "SearchTemplateRequest", + " | ", + "SearchTemplateRequest", + " | undefined, options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "SearchTemplateResponse", + ", unknown>>; (this: That, params?: ", + "SearchTemplateRequest", + " | ", + "SearchTemplateRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "SearchTemplateResponse", + ">; }; searchableSnapshots: ", + "default", + "; shutdown: ", + "default", + "; slm: ", + "default", + "; snapshot: ", + "default", + "; sql: ", + "default", + "; ssl: ", + "default", + "; tasks: ", + "default", + "; termsEnum: { (this: That, params: ", + "TermsEnumRequest", + " | ", + "TermsEnumRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", 
+ " | undefined): Promise<", + "TermsEnumResponse", + ">; (this: That, params: ", + "TermsEnumRequest", + " | ", + "TermsEnumRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "TermsEnumResponse", + ", unknown>>; (this: That, params: ", + "TermsEnumRequest", + " | ", + "TermsEnumRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "TermsEnumResponse", + ">; }; termvectors: { (this: That, params: ", + "TermvectorsRequest", + " | ", + "TermvectorsRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "TermvectorsResponse", + ">; (this: That, params: ", + "TermvectorsRequest", + " | ", + "TermvectorsRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "TermvectorsResponse", + ", unknown>>; (this: That, params: ", + "TermvectorsRequest", + " | ", + "TermvectorsRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "TermvectorsResponse", + ">; }; textStructure: ", + "default", + "; transform: ", + "default", + "; updateByQuery: { (this: That, params: ", + "UpdateByQueryRequest", + " | ", + "UpdateByQueryRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "UpdateByQueryResponse", + ">; (this: That, params: ", + "UpdateByQueryRequest", + " | ", + "UpdateByQueryRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "UpdateByQueryResponse", + ", unknown>>; (this: That, params: ", + "UpdateByQueryRequest", + " | ", + "UpdateByQueryRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "UpdateByQueryResponse", + ">; }; updateByQueryRethrottle: { (this: That, params: ", + "UpdateByQueryRethrottleRequest", + " | ", + "UpdateByQueryRethrottleRequest", + ", options?: ", + 
"TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "UpdateByQueryRethrottleResponse", + ">; (this: That, params: ", + "UpdateByQueryRethrottleRequest", + " | ", + "UpdateByQueryRethrottleRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "UpdateByQueryRethrottleResponse", + ", unknown>>; (this: That, params: ", + "UpdateByQueryRethrottleRequest", + " | ", + "UpdateByQueryRethrottleRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "UpdateByQueryRethrottleResponse", + ">; }; watcher: ", + "default", + "; xpack: ", + "default", + "; }" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataViewsService.updateSavedObject.$3", - "type": "boolean", + "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$3", + "type": "Object", "tags": [], - "label": "ignoreErrors", + "label": "request", "description": [], "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.updateSavedObject.$4", - "type": "boolean", - "tags": [], - "label": "displayErrors", - "description": [ - "- If set false, API consumer is responsible for displaying and handling errors." 
- ], - "signature": [ - "boolean" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.delete", - "type": "Function", - "tags": [], - "label": "delete", - "description": [ - "\nDeletes an index pattern from .kibana index." - ], - "signature": [ - "(indexPatternId: string) => Promise<{}>" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.delete.$1", - "type": "string", - "tags": [], - "label": "indexPatternId", - "description": [ - ": Id of kibana Index Pattern to delete" - ], - "signature": [ - "string" + { + "pluginId": "@kbn/core-http-server", + "scope": "common", + "docId": "kibKbnCoreHttpServerPluginApi", + "section": "def-common.KibanaRequest", + "text": "KibanaRequest" + }, + " | undefined" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsService.getDefaultDataView", - "type": "Function", - "tags": [], - "label": "getDefaultDataView", - "description": [ - "\nReturns the default data view as an object.\nIf no default is found, or it is missing\nanother data view is selected as default and returned.\nIf no possible data view found to become a default returns null.\n" - ], - "signature": [ - "(refreshFields?: boolean | undefined) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "trackAdoption": false }, - " | null>" - ], - "path": 
"src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewsService.getDefaultDataView.$1", + "id": "def-server.DataViewsServerPluginStart.dataViewsServiceFactory.$4", "type": "CompoundType", "tags": [], - "label": "refreshFields", - "description": [ - "- if true, will refresh the fields of the default data view" - ], + "label": "byPassCapabilities", + "description": [], "signature": [ "boolean | undefined" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/server/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": false + "trackAdoption": false } - ], - "returnComment": [ - "default data view" ] } ], 
@@ -26930,474 +19394,614 @@ }, { "parentPluginId": "data", - "id": "def-common.DuplicateDataViewError", - "type": "Class", + "id": "def-server.FieldDescriptor", + "type": "Interface", "tags": [], - "label": "DuplicateDataViewError", - "description": [ - "\nError thrown when attempting to create duplicate index pattern based on title." - ], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DuplicateDataViewError", - "text": "DuplicateDataViewError" - }, - " extends Error" - ], - "path": "src/plugins/data_views/common/errors/duplicate_index_pattern.ts", + "label": "FieldDescriptor", + "description": [], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DuplicateDataViewError.Unnamed", - "type": "Function", + "id": "def-server.FieldDescriptor.aggregatable", + "type": "boolean", "tags": [], - "label": "Constructor", - "description": [ - "\nconstructor" - ], - "signature": [ - "any" - ], - "path": "src/plugins/data_views/common/errors/duplicate_index_pattern.ts", + "label": "aggregatable", + "description": [], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DuplicateDataViewError.Unnamed.$1", - "type": "string", - "tags": [], - "label": "message", - "description": [ - "- Error message" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/errors/duplicate_index_pattern.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.KbnFieldType", - "type": "Class", - "tags": [], - "label": "KbnFieldType", - "description": [], - "path": 
"packages/kbn-field-types/src/kbn_field_type.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.FieldDescriptor.name", + "type": "string", + "tags": [], + "label": "name", + "description": [], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.FieldDescriptor.readFromDocValues", + "type": "boolean", + "tags": [], + "label": "readFromDocValues", + "description": [], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.FieldDescriptor.searchable", + "type": "boolean", + "tags": [], + "label": "searchable", + "description": [], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.FieldDescriptor.type", + "type": "string", + "tags": [], + "label": "type", + "description": [], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "data", - "id": "def-common.KbnFieldType.name", - "type": "string", + "id": "def-server.FieldDescriptor.esTypes", + "type": "Array", "tags": [], - "label": "name", + "label": "esTypes", "description": [], - "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "signature": [ + "string[]" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.KbnFieldType.sortable", - "type": "boolean", + "id": "def-server.FieldDescriptor.subType", + "type": "Object", "tags": [], - "label": "sortable", + "label": "subType", "description": [], - "path": 
"packages/kbn-field-types/src/kbn_field_type.ts", + "signature": [ + "FieldSubType | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.KbnFieldType.filterable", - "type": "boolean", + "id": "def-server.FieldDescriptor.metadata_field", + "type": "CompoundType", "tags": [], - "label": "filterable", + "label": "metadata_field", "description": [], - "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.KbnFieldType.esTypes", - "type": "Object", + "id": "def-server.FieldDescriptor.fixedInterval", + "type": "Array", "tags": [], - "label": "esTypes", + "label": "fixedInterval", "description": [], "signature": [ - "readonly ", - { - "pluginId": "@kbn/field-types", - "scope": "common", - "docId": "kibKbnFieldTypesPluginApi", - "section": "def-common.ES_FIELD_TYPES", - "text": "ES_FIELD_TYPES" - }, - "[]" + "string[] | undefined" ], - "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.KbnFieldType.Unnamed", - "type": "Function", + "id": "def-server.FieldDescriptor.timeZone", + "type": "Array", "tags": [], - "label": "Constructor", + "label": "timeZone", "description": [], "signature": [ - "any" + "string[] | undefined" ], - "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.KbnFieldType.Unnamed.$1", - "type": "Object", - "tags": [], - "label": 
"options", - "description": [], - "signature": [ - "Partial<", - { - "pluginId": "@kbn/field-types", - "scope": "common", - "docId": "kibKbnFieldTypesPluginApi", - "section": "def-common.KbnFieldTypeOptions", - "text": "KbnFieldTypeOptions" - }, - ">" - ], - "path": "packages/kbn-field-types/src/kbn_field_type.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.FieldDescriptor.timeSeriesMetric", + "type": "CompoundType", + "tags": [], + "label": "timeSeriesMetric", + "description": [], + "signature": [ + "\"gauge\" | \"histogram\" | \"summary\" | \"counter\" | undefined" ], - "returnComment": [] + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.FieldDescriptor.timeSeriesDimension", + "type": "CompoundType", + "tags": [], + "label": "timeSeriesDimension", + "description": [], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts", + "deprecated": false, + "trackAdoption": false } ], "initialIsOpen": false - } - ], - "functions": [ + }, { "parentPluginId": "data", - "id": "def-common.cellHasFormulas", - "type": "Function", + "id": "def-server.IEsSearchRequest", + "type": "Interface", "tags": [], - "label": "cellHasFormulas", + "label": "IEsSearchRequest", "description": [], "signature": [ - "(val: string) => boolean" + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IEsSearchRequest", + "text": "IEsSearchRequest" + }, + " extends ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IKibanaSearchRequest", + "text": "IKibanaSearchRequest" + }, + "<", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": 
"def-common.ISearchRequestParams", + "text": "ISearchRequestParams" + }, + ">" ], - "path": "src/plugins/data/common/exports/formula_checks.ts", + "path": "src/plugins/data/common/search/strategies/es_search/types.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.cellHasFormulas.$1", + "id": "def-server.IEsSearchRequest.indexType", "type": "string", "tags": [], - "label": "val", + "label": "indexType", "description": [], "signature": [ - "string" + "string | undefined" ], - "path": "src/plugins/data/common/exports/formula_checks.ts", + "path": "src/plugins/data/common/search/strategies/es_search/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false } ], - "returnComment": [], "initialIsOpen": false }, { "parentPluginId": "data", - "id": "def-common.createEscapeValue", - "type": "Function", + "id": "def-server.ISearchOptions", + "type": "Interface", "tags": [], - "label": "createEscapeValue", - "description": [ - "\nCreate a function that will escape CSV values like \"=\", \"@\" and \"+\" with a\n\"'\". This will also place CSV values in \"\" if contain non-alphanumeric chars.\n\nFor example:\n\nGiven: =1+1\nReturns: \"'=1+1\"\n\nSee OWASP: https://www.owasp.org/index.php/CSV_Injection." - ], - "signature": [ - "(quoteValues: boolean, escapeFormulas: boolean) => (val: RawValue) => string" - ], - "path": "src/plugins/data/common/exports/escape_value.ts", + "label": "ISearchOptions", + "description": [], + "path": "src/plugins/data/common/search/types.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.createEscapeValue.$1", - "type": "boolean", + "id": "def-server.ISearchOptions.abortSignal", + "type": "Object", "tags": [], - "label": "quoteValues", - "description": [], + "label": "abortSignal", + "description": [ + "\nAn `AbortSignal` that allows the caller of `search` to abort a search request." 
+ ], + "signature": [ + "AbortSignal | undefined" + ], + "path": "src/plugins/data/common/search/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.ISearchOptions.strategy", + "type": "string", + "tags": [], + "label": "strategy", + "description": [ + "\nUse this option to force using a specific server side search strategy. Leave empty to use the default strategy." + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data/common/search/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.ISearchOptions.legacyHitsTotal", + "type": "CompoundType", + "tags": [], + "label": "legacyHitsTotal", + "description": [ + "\nRequest the legacy format for the total number of hits. If sending `rest_total_hits_as_int` to\nsomething other than `true`, this should be set to `false`." + ], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data/common/search/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.ISearchOptions.sessionId", + "type": "string", + "tags": [], + "label": "sessionId", + "description": [ + "\nA session ID, grouping multiple search requests into a single session." + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data/common/search/types.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.ISearchOptions.isStored", + "type": "CompoundType", + "tags": [], + "label": "isStored", + "description": [ + "\nWhether the session is already saved (i.e. 
sent to background)" + ], "signature": [ - "boolean" + "boolean | undefined" ], - "path": "src/plugins/data/common/exports/escape_value.ts", + "path": "src/plugins/data/common/search/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.createEscapeValue.$2", - "type": "boolean", + "id": "def-server.ISearchOptions.isSearchStored", + "type": "CompoundType", "tags": [], - "label": "escapeFormulas", - "description": [], + "label": "isSearchStored", + "description": [ + "\nWhether the search was successfully polled after session was saved. Search was added to a session saved object and keepAlive extended." + ], "signature": [ - "boolean" + "boolean | undefined" ], - "path": "src/plugins/data/common/exports/escape_value.ts", + "path": "src/plugins/data/common/search/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.datatableToCSV", - "type": "Function", - "tags": [], - "label": "datatableToCSV", - "description": [], - "signature": [ - "({ columns, rows }: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" + "trackAdoption": false }, - ", { csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }: CSVOptions) => string" - ], - "path": "src/plugins/data/common/exports/export_csv.tsx", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.datatableToCSV.$1", - "type": "Object", + "id": "def-server.ISearchOptions.isRestore", + "type": "CompoundType", "tags": [], - "label": "{ columns, rows }", - "description": [], + "label": "isRestore", + "description": [ + "\nWhether the session is restored (i.e. 
search requests should re-use the stored search IDs,\nrather than starting from scratch)" + ], "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.Datatable", - "text": "Datatable" - } + "boolean | undefined" ], - "path": "src/plugins/data/common/exports/export_csv.tsx", + "path": "src/plugins/data/common/search/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.datatableToCSV.$2", + "id": "def-server.ISearchOptions.executionContext", "type": "Object", "tags": [], - "label": "{ csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }", - "description": [], + "label": "executionContext", + "description": [ + "\nRepresents a meta-information about a Kibana entity intitating a saerch request." + ], "signature": [ - "CSVOptions" + { + "pluginId": "@kbn/core-execution-context-common", + "scope": "common", + "docId": "kibKbnCoreExecutionContextCommonPluginApi", + "section": "def-common.KibanaExecutionContext", + "text": "KibanaExecutionContext" + }, + " | undefined" ], - "path": "src/plugins/data/common/exports/export_csv.tsx", + "path": "src/plugins/data/common/search/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.fieldList", - "type": "Function", - "tags": [], - "label": "fieldList", - "description": [], - "signature": [ - "(specs?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" + "trackAdoption": false }, - "[], shortDotsEnable?: boolean) => ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.IIndexPatternFieldList", - "text": "IIndexPatternFieldList" - } - ], - 
"path": "src/plugins/data_views/common/fields/field_list.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.fieldList.$1", - "type": "Array", + "id": "def-server.ISearchOptions.indexPattern", + "type": "Object", "tags": [], - "label": "specs", - "description": [], + "label": "indexPattern", + "description": [ + "\nIndex pattern reference is used for better error messages" + ], "signature": [ { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" + "section": "def-common.DataView", + "text": "DataView" }, - "[]" + " | undefined" ], - "path": "src/plugins/data_views/common/fields/field_list.ts", + "path": "src/plugins/data/common/search/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.fieldList.$2", - "type": "boolean", + "id": "def-server.ISearchOptions.transport", + "type": "Object", "tags": [], - "label": "shortDotsEnable", - "description": [], + "label": "transport", + "description": [ + "\nTransportRequestOptions, other than `signal`, to pass through to the ES client.\nTo pass an abort signal, use {@link ISearchOptions.abortSignal}" + ], "signature": [ - "boolean" + "Omit<", + "TransportRequestOptions", + ", \"signal\"> | undefined" ], - "path": "src/plugins/data_views/common/fields/field_list.ts", + "path": "src/plugins/data/common/search/types.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false } ], - "returnComment": [], + "initialIsOpen": false + } + ], + "enums": [ + { + "parentPluginId": "data", + "id": "def-server.ES_FIELD_TYPES", + "type": "Enum", + "tags": [], + "label": "ES_FIELD_TYPES", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false, "initialIsOpen": false }, { "parentPluginId": 
"data", - "id": "def-common.getEsQueryConfig", - "type": "Function", + "id": "def-server.KBN_FIELD_TYPES", + "type": "Enum", "tags": [], - "label": "getEsQueryConfig", + "label": "KBN_FIELD_TYPES", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.METRIC_TYPES", + "type": "Enum", + "tags": [], + "label": "METRIC_TYPES", + "description": [], + "path": "src/plugins/data/common/search/aggs/metrics/metric_agg_types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + } + ], + "misc": [ + { + "parentPluginId": "data", + "id": "def-server.DEFAULT_QUERY_LANGUAGE", + "type": "string", + "tags": [], + "label": "DEFAULT_QUERY_LANGUAGE", + "description": [], + "signature": [ + "\"kuery\"" + ], + "path": "src/plugins/data/common/constants.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.ES_SEARCH_STRATEGY", + "type": "string", + "tags": [], + "label": "ES_SEARCH_STRATEGY", + "description": [], + "signature": [ + "\"es\"" + ], + "path": "src/plugins/data/common/search/strategies/es_search/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-server.IEsSearchResponse", + "type": "Type", + "tags": [], + "label": "IEsSearchResponse", "description": [], "signature": [ - "(config: KibanaConfig) => ", { - "pluginId": "@kbn/es-query", + "pluginId": "data", "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.EsQueryConfig", - "text": "EsQueryConfig" - } + "docId": "kibDataSearchPluginApi", + "section": "def-common.IKibanaSearchResponse", + "text": "IKibanaSearchResponse" + }, + "<", + "SearchResponse", + ">>" ], - "path": "src/plugins/data/common/es_query/get_es_query_config.ts", + "path": 
"src/plugins/data/common/search/strategies/es_search/types.ts", "deprecated": false, "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.getEsQueryConfig.$1", - "type": "Object", - "tags": [], - "label": "config", - "description": [], - "signature": [ - "KibanaConfig" - ], - "path": "src/plugins/data/common/es_query/get_es_query_config.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], "initialIsOpen": false }, { "parentPluginId": "data", - "id": "def-common.getFieldSubtypeMulti", - "type": "Function", + "id": "def-server.ParsedInterval", + "type": "Type", "tags": [], - "label": "getFieldSubtypeMulti", + "label": "ParsedInterval", "description": [], "signature": [ - "(field: HasSubtype) => ", + "{ value: number; unit: ", { - "pluginId": "@kbn/es-query", + "pluginId": "@kbn/datemath", "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubTypeMulti", - "text": "IFieldSubTypeMulti" + "docId": "kibKbnDatemathPluginApi", + "section": "def-common.Unit", + "text": "Unit" }, - " | undefined" + "; type: \"fixed\" | \"calendar\"; }" ], - "path": "src/plugins/data_views/common/fields/utils.ts", + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_es_interval.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + } + ], + "objects": [ + { + "parentPluginId": "data", + "id": "def-server.exporters", + "type": "Object", + "tags": [], + "label": "exporters", + "description": [], + "path": "src/plugins/data/server/index.ts", "deprecated": false, "trackAdoption": false, - "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-common.getFieldSubtypeMulti.$1", - "type": "Object", + "id": "def-server.exporters.datatableToCSV", + "type": "Function", "tags": [], - "label": "field", + "label": "datatableToCSV", "description": [], "signature": [ - "{ subType?: ", + "({ columns, rows }: ", 
{ - "pluginId": "@kbn/es-query", + "pluginId": "expressions", "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" }, - " | undefined; }" + ", { csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }: CSVOptions) => string" ], - "path": "src/plugins/data_views/common/fields/utils.ts", + "path": "src/plugins/data/server/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-server.exporters.datatableToCSV.$1", + "type": "Object", + "tags": [], + "label": "__0", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + } + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.exporters.datatableToCSV.$2", + "type": "Object", + "tags": [], + "label": "__1", + "description": [], + "signature": [ + "CSVOptions" + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false + } + ] + }, + { + "parentPluginId": "data", + "id": "def-server.exporters.CSV_MIME_TYPE", + "type": "string", + "tags": [], + "label": "CSV_MIME_TYPE", + "description": [], + "path": "src/plugins/data/server/index.ts", "deprecated": false, "trackAdoption": false } 
@@ -27406,242 +20010,564 @@ }, { "parentPluginId": "data", - "id": "def-common.getFieldSubtypeNested", - "type": "Function", + "id": "def-server.search", + "type": "Object", "tags": [], - "label": "getFieldSubtypeNested", + "label": "search", "description": [], - "signature": [ - "(field: HasSubtype) => ", - { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubTypeNested", - "text": "IFieldSubTypeNested" - }, - " | undefined" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", + "path": "src/plugins/data/server/index.ts", "deprecated": false, "trackAdoption": false, - "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-common.getFieldSubtypeNested.$1", + "id": "def-server.search.aggs", "type": "Object", "tags": [], - "label": "field", + "label": "aggs", "description": [], - "signature": [ - "{ subType?: ", + "path": "src/plugins/data/server/index.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" + "parentPluginId": "data", + "id": "def-server.search.aggs.CidrMask", + "type": "Object", + "tags": [], + "label": "CidrMask", + "description": [], + "signature": [ + "typeof ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.CidrMask", + "text": "CidrMask" + } + ], + "path": "src/plugins/data/server/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.search.aggs.dateHistogramInterval", + "type": "Function", + "tags": [], + "label": "dateHistogramInterval", + "description": [], + "signature": [ + "(interval: string, shouldForceFixed?: boolean | undefined) => Interval" + ], + "path": "src/plugins/data/server/index.ts", + "deprecated": false, + "trackAdoption": false, + 
"returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-server.search.aggs.dateHistogramInterval.$1", + "type": "string", + "tags": [], + "label": "interval", + "description": [], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.search.aggs.dateHistogramInterval.$2", + "type": "CompoundType", + "tags": [], + "label": "shouldForceFixed", + "description": [], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/date_histogram_interval.ts", + "deprecated": false, + "trackAdoption": false + } + ] + }, + { + "parentPluginId": "data", + "id": "def-server.search.aggs.IpAddress", + "type": "Object", + "tags": [], + "label": "IpAddress", + "description": [], + "signature": [ + "typeof ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IpAddress", + "text": "IpAddress" + } + ], + "path": "src/plugins/data/server/index.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.search.aggs.parseInterval", + "type": "Function", + "tags": [], + "label": "parseInterval", + "description": [], + "signature": [ + "(interval: string) => moment.Duration | null" + ], + "path": "src/plugins/data/server/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-server.search.aggs.parseInterval.$1", + "type": "string", + "tags": [], + "label": "interval", + "description": [], + "path": "src/plugins/data/common/search/aggs/utils/date_interval_utils/parse_interval.ts", + "deprecated": false, + "trackAdoption": false + } + ] }, - " | undefined; }" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": 
false + { + "parentPluginId": "data", + "id": "def-server.search.aggs.calcAutoIntervalLessThan", + "type": "Function", + "tags": [], + "label": "calcAutoIntervalLessThan", + "description": [], + "signature": [ + "(maxBucketCount: number, duration: number) => moment.Duration" + ], + "path": "src/plugins/data/server/index.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "data", + "id": "def-server.search.aggs.calcAutoIntervalLessThan.$1", + "type": "number", + "tags": [], + "label": "maxBucketCount", + "description": [], + "path": "src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.search.aggs.calcAutoIntervalLessThan.$2", + "type": "number", + "tags": [], + "label": "duration", + "description": [], + "path": "src/plugins/data/common/search/aggs/buckets/lib/time_buckets/calc_auto_interval.ts", + "deprecated": false, + "trackAdoption": false + } + ] + } + ] } ], "initialIsOpen": false }, { "parentPluginId": "data", - "id": "def-common.getIndexPatternLoadMeta", - "type": "Function", + "id": "def-server.UI_SETTINGS", + "type": "Object", "tags": [], - "label": "getIndexPatternLoadMeta", + "label": "UI_SETTINGS", "description": [], "signature": [ - "() => Omit<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.IndexPatternLoadExpressionFunctionDefinition", - "text": "IndexPatternLoadExpressionFunctionDefinition" - }, - ", \"fn\">" + "{ readonly META_FIELDS: \"metaFields\"; readonly DOC_HIGHLIGHT: \"doc_table:highlight\"; readonly QUERY_STRING_OPTIONS: \"query:queryString:options\"; readonly QUERY_ALLOW_LEADING_WILDCARDS: \"query:allowLeadingWildcards\"; readonly SEARCH_QUERY_LANGUAGE: \"search:queryLanguage\"; readonly SORT_OPTIONS: \"sort:options\"; readonly COURIER_IGNORE_FILTER_IF_FIELD_NOT_IN_INDEX: 
\"courier:ignoreFilterIfFieldNotInIndex\"; readonly COURIER_SET_REQUEST_PREFERENCE: \"courier:setRequestPreference\"; readonly COURIER_CUSTOM_REQUEST_PREFERENCE: \"courier:customRequestPreference\"; readonly COURIER_MAX_CONCURRENT_SHARD_REQUESTS: \"courier:maxConcurrentShardRequests\"; readonly SEARCH_INCLUDE_FROZEN: \"search:includeFrozen\"; readonly SEARCH_TIMEOUT: \"search:timeout\"; readonly HISTOGRAM_BAR_TARGET: \"histogram:barTarget\"; readonly HISTOGRAM_MAX_BARS: \"histogram:maxBars\"; readonly HISTORY_LIMIT: \"history:limit\"; readonly TIMEPICKER_REFRESH_INTERVAL_DEFAULTS: \"timepicker:refreshIntervalDefaults\"; readonly TIMEPICKER_QUICK_RANGES: \"timepicker:quickRanges\"; readonly TIMEPICKER_TIME_DEFAULTS: \"timepicker:timeDefaults\"; readonly FILTERS_PINNED_BY_DEFAULT: \"filters:pinnedByDefault\"; readonly FILTERS_EDITOR_SUGGEST_VALUES: \"filterEditor:suggestValues\"; readonly AUTOCOMPLETE_USE_TIMERANGE: \"autocomplete:useTimeRange\"; readonly AUTOCOMPLETE_VALUE_SUGGESTION_METHOD: \"autocomplete:valueSuggestionMethod\"; readonly DATE_FORMAT: \"dateFormat\"; readonly DATEFORMAT_TZ: \"dateFormat:tz\"; }" ], - "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", + "path": "src/plugins/data/common/constants.ts", "deprecated": false, "trackAdoption": false, - "children": [], - "returnComment": [], "initialIsOpen": false - }, + } + ], + "setup": { + "parentPluginId": "data", + "id": "def-server.DataPluginSetup", + "type": "Interface", + "tags": [], + "label": "DataPluginSetup", + "description": [], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataPluginSetup.search", + "type": "Object", + "tags": [], + "label": "search", + "description": [], + "signature": [ + "ISearchSetup" + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": 
"def-server.DataPluginSetup.query", + "type": "Object", + "tags": [], + "label": "query", + "description": [], + "signature": [ + "QuerySetup" + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataPluginSetup.fieldFormats", + "type": "Object", + "tags": [ + "deprecated" + ], + "label": "fieldFormats", + "description": [], + "signature": [ + { + "pluginId": "fieldFormats", + "scope": "server", + "docId": "kibFieldFormatsPluginApi", + "section": "def-server.FieldFormatsSetup", + "text": "FieldFormatsSetup" + } + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": true, + "trackAdoption": false, + "references": [] + } + ], + "lifecycle": "setup", + "initialIsOpen": true + }, + "start": { + "parentPluginId": "data", + "id": "def-server.DataPluginStart", + "type": "Interface", + "tags": [], + "label": "DataPluginStart", + "description": [], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-server.DataPluginStart.search", + "type": "Object", + "tags": [], + "label": "search", + "description": [], + "signature": [ + "ISearchStart", + "<", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IEsSearchRequest", + "text": "IEsSearchRequest" + }, + ", ", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.IEsSearchResponse", + "text": "IEsSearchResponse" + }, + ">" + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataPluginStart.fieldFormats", + "type": "Object", + "tags": [ + "deprecated" + ], + "label": "fieldFormats", + "description": [], + "signature": [ + { + "pluginId": "fieldFormats", + "scope": "server", + "docId": 
"kibFieldFormatsPluginApi", + "section": "def-server.FieldFormatsStart", + "text": "FieldFormatsStart" + } + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": true, + "trackAdoption": false, + "references": [] + }, + { + "parentPluginId": "data", + "id": "def-server.DataPluginStart.indexPatterns", + "type": "Object", + "tags": [], + "label": "indexPatterns", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "server", + "docId": "kibDataViewsPluginApi", + "section": "def-server.DataViewsServerPluginStart", + "text": "DataViewsServerPluginStart" + } + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "data", + "id": "def-server.DataPluginStart.datatableUtilities", + "type": "Object", + "tags": [], + "label": "datatableUtilities", + "description": [ + "\nDatatable type utility functions." + ], + "signature": [ + "DatatableUtilitiesService" + ], + "path": "src/plugins/data/server/plugin.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "lifecycle": "start", + "initialIsOpen": true + } + }, + "common": { + "classes": [ { "parentPluginId": "data", - "id": "def-common.isFilterable", - "type": "Function", + "id": "def-common.DatatableUtilitiesService", + "type": "Class", "tags": [], - "label": "isFilterable", + "label": "DatatableUtilitiesService", "description": [], - "signature": [ - "(field: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - }, - ") => boolean" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.isFilterable.$1", - "type": "Object", + "id": "def-common.DatatableUtilitiesService.Unnamed", + "type": "Function", 
"tags": [], - "label": "field", + "label": "Constructor", "description": [], "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewField", - "text": "DataViewField" - } + "any" ], - "path": "src/plugins/data_views/common/fields/utils.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.isMultiField", - "type": "Function", - "tags": [], - "label": "isMultiField", - "description": [], - "signature": [ - "(field: HasSubtype) => boolean" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.Unnamed.$1", + "type": "Object", + "tags": [], + "label": "aggs", + "description": [], + "signature": [ + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggsCommonStart", + "text": "AggsCommonStart" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.Unnamed.$2", + "type": "Object", + "tags": [], + "label": "dataViews", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewsContract", + "text": "DataViewsContract" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": 
"def-common.DatatableUtilitiesService.Unnamed.$3", + "type": "Object", + "tags": [], + "label": "fieldFormats", + "description": [], + "signature": [ + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormatsStartCommon", + "text": "FieldFormatsStartCommon" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + }, { "parentPluginId": "data", - "id": "def-common.isMultiField.$1", - "type": "Object", + "id": "def-common.DatatableUtilitiesService.clearField", + "type": "Function", "tags": [], - "label": "field", + "label": "clearField", "description": [], "signature": [ - "{ subType?: ", + "(column: ", { - "pluginId": "@kbn/es-query", + "pluginId": "expressions", "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" }, - " | undefined; }" + ") => void" ], - "path": "src/plugins/data_views/common/fields/utils.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.isNestedField", - "type": "Function", - "tags": [], - "label": "isNestedField", - "description": [], - "signature": [ - "(field: HasSubtype) => boolean" - ], - "path": "src/plugins/data_views/common/fields/utils.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.clearField.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": 
"expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + }, { "parentPluginId": "data", - "id": "def-common.isNestedField.$1", - "type": "Object", + "id": "def-common.DatatableUtilitiesService.clearFieldFormat", + "type": "Function", "tags": [], - "label": "field", + "label": "clearFieldFormat", "description": [], "signature": [ - "{ subType?: ", + "(column: ", { - "pluginId": "@kbn/es-query", + "pluginId": "expressions", "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.IFieldSubType", - "text": "IFieldSubType" + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" }, - " | undefined; }" + ") => void" ], - "path": "src/plugins/data_views/common/fields/utils.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.tableHasFormulas", - "type": "Function", - "tags": [], - "label": "tableHasFormulas", - "description": [], - "signature": [ - "(columns: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableColumn", - "text": "DatatableColumn" - }, - "[], rows: ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableRow", - "text": "DatatableRow" + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.clearFieldFormat.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + 
"pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - "[]) => boolean" - ], - "path": "src/plugins/data/common/exports/formula_checks.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { "parentPluginId": "data", - "id": "def-common.tableHasFormulas.$1", - "type": "Array", + "id": "def-common.DatatableUtilitiesService.getAggConfig", + "type": "Function", "tags": [], - "label": "columns", + "label": "getAggConfig", "description": [], "signature": [ + "(column: ", { "pluginId": "expressions", "scope": "common", 
@@ -27649,618 +20575,1444 @@ "section": "def-common.DatatableColumn", "text": "DatatableColumn" }, - "[]" + ") => Promise<", + { + "pluginId": "data", + "scope": "common", + "docId": "kibDataSearchPluginApi", + "section": "def-common.AggConfig", + "text": "AggConfig" + }, + " | undefined>" ], - "path": "src/plugins/data/common/exports/formula_checks.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getAggConfig.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.tableHasFormulas.$2", - "type": "Array", + "id": "def-common.DatatableUtilitiesService.getDateHistogramMeta", + "type": "Function", "tags": [], - "label": "rows", - "description": [], + "label": "getDateHistogramMeta", + "description": [ + "\nHelper function returning the used interval, used time zone and applied time filters for data table column created by the date_histogramm agg type.\n\"auto\" will get expanded to the actually used interval.\nIf the column is not a column created by a date_histogram aggregation of the esaggs data source,\nthis function will return undefined." 
+ ], "signature": [ + "(column: ", { "pluginId": "expressions", "scope": "common", "docId": "kibExpressionsPluginApi", - "section": "def-common.DatatableRow", - "text": "DatatableRow" + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" }, - "[]" + ", defaults?: Partial<{ timeZone: string; }>) => DateHistogramMeta | undefined" ], - "path": "src/plugins/data/common/exports/formula_checks.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - } - ], - "interfaces": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewAttributes", - "type": "Interface", - "tags": [], - "label": "DataViewAttributes", - "description": [ - "\nInterface for the data view saved object" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewAttributes.fields", - "type": "string", - "tags": [], - "label": "fields", - "description": [ - "\nFields as a serialized array of field specs" + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getDateHistogramMeta.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getDateHistogramMeta.$2", + "type": "Object", + "tags": [], + "label": "defaults", + "description": [], + "signature": [ + "Partial<{ timeZone: string; }>" + ], + "path": 
"src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.title", - "type": "string", + "id": "def-common.DatatableUtilitiesService.getDataView", + "type": "Function", "tags": [], - "label": "title", - "description": [ - "\nData view title" + "label": "getDataView", + "description": [], + "signature": [ + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ") => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | undefined>" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getDataView.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.type", - "type": "string", + "id": "def-common.DatatableUtilitiesService.getField", + "type": "Function", "tags": [], - "label": "type", - "description": [ - "\nData view type, default 
or rollup" - ], + "label": "getField", + "description": [], "signature": [ - "string | undefined" + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ") => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + " | undefined>" + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getField.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.typeMeta", - "type": "string", + "id": "def-common.DatatableUtilitiesService.getFieldFormat", + "type": "Function", "tags": [], - "label": "typeMeta", - "description": [ - "\nType metadata information, serialized. Only used by rollup data views." 
- ], + "label": "getFieldFormat", + "description": [], "signature": [ - "string | undefined" + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ") => ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormat", + "text": "FieldFormat" + }, + " | undefined" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getFieldFormat.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.timeFieldName", - "type": "string", + "id": "def-common.DatatableUtilitiesService.getInterval", + "type": "Function", "tags": [], - "label": "timeFieldName", - "description": [ - "\nTime field name" - ], + "label": "getInterval", + "description": [], "signature": [ - "string | undefined" + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ") => string | undefined" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - 
"trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getInterval.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.sourceFilters", - "type": "string", + "id": "def-common.DatatableUtilitiesService.getNumberHistogramInterval", + "type": "Function", "tags": [], - "label": "sourceFilters", + "label": "getNumberHistogramInterval", "description": [ - "\nSerialized array of filters. Used by discover to hide fields." + "\nHelper function returning the used interval for data table column created by the histogramm agg type.\n\"auto\" will get expanded to the actually used interval.\nIf the column is not a column created by a histogram aggregation of the esaggs data source,\nthis function will return undefined." 
], "signature": [ - "string | undefined" + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ") => number | undefined" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getNumberHistogramInterval.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.fieldFormatMap", - "type": "string", + "id": "def-common.DatatableUtilitiesService.getTotalCount", + "type": "Function", "tags": [], - "label": "fieldFormatMap", - "description": [ - "\nSerialized map of field formats by field name" - ], + "label": "getTotalCount", + "description": [], "signature": [ - "string | undefined" + "(table: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + }, + ") => number | undefined" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.getTotalCount.$1", + "type": "Object", + "tags": 
[], + "label": "table", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.fieldAttrs", - "type": "string", + "id": "def-common.DatatableUtilitiesService.hasPrecisionError", + "type": "Function", "tags": [], - "label": "fieldAttrs", - "description": [ - "\nSerialized map of field attributes, currently field count and name" - ], + "label": "hasPrecisionError", + "description": [], "signature": [ - "string | undefined" + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ") => ", + { + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.Serializable", + "text": "Serializable" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.hasPrecisionError.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false + 
"returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.runtimeFieldMap", - "type": "string", + "id": "def-common.DatatableUtilitiesService.isFilterable", + "type": "Function", "tags": [], - "label": "runtimeFieldMap", - "description": [ - "\nSerialized map of runtime field definitions, by field name" - ], + "label": "isFilterable", + "description": [], "signature": [ - "string | undefined" + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ") => boolean" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewAttributes.allowNoIndex", - "type": "CompoundType", - "tags": [], - "label": "allowNoIndex", - "description": [ - "\nPrevents errors when index pattern exists before indices" - ], - "signature": [ - "boolean | undefined" + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.isFilterable.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.DataViewAttributes.name", - "type": "string", + "id": "def-common.DatatableUtilitiesService.setFieldFormat", + "type": "Function", "tags": [], - "label": 
"name", - "description": [ - "\nName of the data view. Human readable name used to differentiate data view." - ], + "label": "setFieldFormat", + "description": [], "signature": [ - "string | undefined" + "(column: ", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + ", fieldFormat: ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormat", + "text": "FieldFormat" + }, + ") => void" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.setFieldFormat.$1", + "type": "Object", + "tags": [], + "label": "column", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DatatableUtilitiesService.setFieldFormat.$2", + "type": "Object", + "tags": [], + "label": "fieldFormat", + "description": [], + "signature": [ + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormat", + "text": "FieldFormat" + } + ], + "path": "src/plugins/data/common/datatable_utilities/datatable_utilities_service.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] } ], "initialIsOpen": false }, { "parentPluginId": "data", - "id": "def-common.DataViewListItem", - "type": 
"Interface", + "id": "def-common.DataView", + "type": "Class", "tags": [], - "label": "DataViewListItem", + "label": "DataView", "description": [ - "\nResult from data view search - summary data." + "\nData view class. Central kibana abstraction around multiple indices." ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " implements ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.DataViewBase", + "text": "DataViewBase" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false, "children": [ { "parentPluginId": "data", - "id": "def-common.DataViewListItem.id", + "id": "def-common.DataView.id", "type": "string", "tags": [], "label": "id", "description": [ - "\nSaved object id (or generated id if in-memory only)" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewListItem.namespaces", - "type": "Array", - "tags": [], - "label": "namespaces", - "description": [ - "\nNamespace ids" + "\nSaved object id" ], "signature": [ - "string[] | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewListItem.title", - "type": "string", - "tags": [], - "label": "title", - "description": [ - "\nData view title" + "string | undefined" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.DataViewListItem.type", + 
"id": "def-common.DataView.title", "type": "string", - "tags": [], - "label": "type", - "description": [ - "\nData view type" - ], - "signature": [ - "string | undefined" + "tags": [ + "deprecated" ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewListItem.typeMeta", - "type": "Object", - "tags": [], - "label": "typeMeta", + "label": "title", "description": [ - "\nData view type meta" + "\nTitle of data view" ], - "signature": [ + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/es_query/types.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/source/index.tsx" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/source/index.tsx" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_from_timeline.tsx" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/utils.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts" + }, + { + "plugin": "timelines", + "path": "x-pack/plugins/timelines/public/mock/index_pattern.ts" + }, + { + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/public/common/mock/index_pattern.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "lists", + "path": "x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts" + }, + { + "plugin": "threatIntelligence", + "path": "x-pack/plugins/threat_intelligence/public/common/mocks/mock_security_context.tsx" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/components/flyout_components/alerts_actions/utils.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/es_query/build_es_query.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/es_query/from_combined_filter.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/es_query/from_filters.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/es_query/from_filters.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/es_query/from_kuery.test.ts" + }, + { + "plugin": 
"@kbn/es-query", + "path": "packages/kbn-es-query/src/es_query/from_nested_filter.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/build_filters/build_filter.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/build_filters/exists_filter.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/build_filters/get_filter_field.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/build_filters/phrase_filter.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/build_filters/phrase_filter.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/build_filters/phrases_filter.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/helpers/compare_filters.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/helpers/compare_filters.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/filters/helpers/compare_filters.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/ast/ast.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/and.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/exists.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/is.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/nested.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/not.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/or.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/range.test.ts" + }, 
+ { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/node_types/function.test.ts" + }, + { + "plugin": "@kbn/es-query", + "path": "packages/kbn-es-query/src/kuery/functions/utils/get_full_field_name_node.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "unifiedSearch", + "path": "src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.ts" + }, + { + "plugin": "unifiedSearch", + "path": "src/plugins/unified_search/public/query_string_input/fetch_index_patterns.ts" + }, + { + "plugin": "unifiedSearch", + "path": "src/plugins/unified_search/public/dataview_picker/change_dataview.tsx" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/server/rest_api_routes/update_data_view.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/server/rest_api_routes/update_data_view.ts" + }, + { + "plugin": "triggersActionsUi", + "path": "x-pack/plugins/triggers_actions_ui/public/common/lib/data_apis.ts" + }, + { + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/public/management_section/objects_table/components/flyout.tsx" + }, + { + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/public/management_section/objects_table/components/flyout.tsx" + }, + { + "plugin": "controls", + "path": "src/plugins/controls/public/services/options_list/options_list_service.ts" + }, + { + "plugin": "controls", + "path": "src/plugins/controls/public/services/options_list/options_list_service.ts" + }, + { + "plugin": "unifiedFieldList", + "path": 
"src/plugins/unified_field_list/public/services/field_stats/load_field_stats.ts" + }, + { + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/common/utils/field_existing_utils.ts" + }, + { + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/common/utils/field_existing_utils.ts" + }, + { + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/common/utils/field_existing_utils.ts" + }, + { + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/public/hooks/use_existing_fields.ts" + }, + { + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/public/hooks/use_existing_fields.ts" + }, + { + "plugin": "lens", + "path": "x-pack/plugins/lens/public/data_views_service/loader.ts" + }, + { + "plugin": "lens", + "path": "x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx" + }, + { + "plugin": "aiops", + "path": "x-pack/plugins/aiops/public/components/log_categorization/log_categorization_page.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/server/models/data_frame_analytics/index_patterns.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/server/models/job_service/new_job_caps/rollup.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/server/lib/alerts/alerting_service.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/server/models/data_recognizer/data_recognizer.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/common/log_views/resolved_log_view.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/server/lib/get_fields.ts" + }, + { + "plugin": "apm", + "path": "x-pack/plugins/apm/server/routes/data_view/create_static_data_view.ts" + }, + { + 
"plugin": "observability", + "path": "x-pack/plugins/observability/public/utils/observability_data_views/observability_data_views.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_definition_field.tsx" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/filter_value_btn.tsx" + }, + { + "plugin": "dataVisualizer", + "path": "x-pack/plugins/data_visualizer/public/application/index_data_visualizer/hooks/use_data_visualizer_grid_data.ts" + }, + { + "plugin": "dataVisualizer", + "path": "x-pack/plugins/data_visualizer/public/application/index_data_visualizer/components/index_data_visualizer_view/index_data_visualizer_view.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_details.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/datavisualizer/index_based/data_loader/data_loader.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/hooks/use_index_data.ts" + }, + { + "plugin": "ml", + "path": 
"x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/components/configuration_step/configuration_step_form.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_creation/page.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/action_clone/clone_action_name.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/common/job_creator/job_creator.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/common/results_loader/categorization_examples_loader.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/index_or_search/preconfigured_job_redirect.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/job_type/page.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/job_type/page.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/job_type/page.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/components/pick_fields_step/components/bucket_span_estimator/estimate_bucket_span.ts" + }, + { + "plugin": "ml", + "path": 
"x-pack/plugins/ml/public/application/jobs/new_job/pages/components/datafeed_step/components/data_view/change_data_view.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/jobs/new_job/pages/new_job/wizard_steps.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/outlier_exploration/use_outlier_data.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/exploration_results_table/use_exploration_results.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/source_selection/source_selection.tsx" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/embeddables/anomaly_charts/anomaly_charts_embeddable.tsx" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/pages/logs/settings/validation_errors.ts" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx" + }, + { + "plugin": "fleet", + "path": "x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/query_bar.tsx" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" + }, + { + "plugin": 
"canvas", + "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.component.tsx" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.tsx" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/es_data_view_select/es_data_view_select.tsx" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/services/kibana/data_views.ts" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/services/kibana/data_views.ts" + }, + { + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/datasource/datasource_component.js" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/state_management/datasource.sagas.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/state_management/persistence.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/state_management/persistence.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/sourcerer/create_sourcerer_data_view.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/sourcerer/create_sourcerer_data_view.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts" + }, + { + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx" + }, + { + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/index.tsx" + }, + { + "plugin": "timelines", + "path": "x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts" + }, { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.TypeMeta", - "text": "TypeMeta" + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/boundary_index_expression.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/expressions/entity_index_expression.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/geo_containment/query_builder/index.tsx" + }, + { + "plugin": "stackAlerts", + "path": "x-pack/plugins/stack_alerts/public/rule_types/components/data_view_select_popover.tsx" + }, + { + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx" + }, + { + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx" + }, + { + "plugin": "transform", + "path": 
"x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/components/filter_term_form.tsx" + }, + { + "plugin": "transform", + "path": "x-pack/plugins/transform/public/app/hooks/use_search_items/common.ts" + }, + { + "plugin": "transform", + "path": "x-pack/plugins/transform/public/app/services/es_index_service.ts" + }, + { + "plugin": "transform", + "path": "x-pack/plugins/transform/server/routes/api/transforms.ts" + }, + { + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/public/application/components/es_deprecation_logs/fix_deprecation_logs/external_links.tsx" + }, + { + "plugin": "ux", + "path": "x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/use_data_view.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" }, - " | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewListItem.name", - "type": "string", - "tags": [], - "label": "name", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions", - "type": "Interface", - "tags": [], - "label": "GetFieldsOptions", - "description": [], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.pattern", - "type": "string", - "tags": [], - "label": "pattern", - "description": [], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.type", - "type": 
"string", - "tags": [], - "label": "type", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.lookBack", - "type": "CompoundType", - "tags": [], - "label": "lookBack", - "description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.metaFields", - "type": "Array", - "tags": [], - "label": "metaFields", - "description": [], - "signature": [ - "string[] | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.rollupIndex", - "type": "string", - "tags": [], - "label": "rollupIndex", - "description": [], - "signature": [ - "string | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.allowNoIndex", - "type": "CompoundType", - "tags": [], - "label": "allowNoIndex", - "description": [], - "signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.indexFilter", - "type": "Object", - "tags": [], - "label": "indexFilter", - "description": [], - "signature": [ - "QueryDslQueryContainer", - " | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.includeUnmapped", - "type": "CompoundType", - "tags": [], - "label": "includeUnmapped", - "description": [], - 
"signature": [ - "boolean | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetFieldsOptions.fields", - "type": "Array", - "tags": [], - "label": "fields", - "description": [], - "signature": [ - "string[] | undefined" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.IDataViewsApiClient", - "type": "Interface", - "tags": [], - "label": "IDataViewsApiClient", - "description": [], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.IDataViewsApiClient.getFieldsForWildcard", - "type": "Function", - "tags": [], - "label": "getFieldsForWildcard", - "description": [], - "signature": [ - "(options: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" + "plugin": "infra", + "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" }, - ") => Promise<", - "FieldsForWildcardResponse", - ">" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ { - "parentPluginId": "data", - "id": "def-common.IDataViewsApiClient.getFieldsForWildcard.$1", - "type": "Object", - "tags": [], - "label": "options", - "description": [], - "signature": [ - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" - } - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true + "plugin": "infra", + "path": 
"x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts" + }, + { + "plugin": "maps", + "path": "x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts" + }, + { + "plugin": "ml", + "path": "x-pack/plugins/ml/public/application/services/new_job_capabilities/remove_nested_field_children.test.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_kpi.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/test_formula_metric_attribute.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/mobile_test_attribute.ts" + }, + { + "plugin": "observability", + "path": "x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_cwv.ts" + }, + { + "plugin": "transform", + "path": "x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts" + }, + 
{ + "plugin": "controls", + "path": "src/plugins/controls/public/services/data_views/data_views.story.ts" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/field_editor/components/scripting_help/test_script.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/field_editor/field_editor.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/create_edit_field/create_edit_field.tsx" + }, + { + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/control/list_control_factory.ts" + }, + { + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/control/range_control_factory.ts" + }, + { + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" + }, + { + "plugin": "unifiedFieldList", + "path": "src/plugins/unified_field_list/server/routes/field_stats.ts" + }, + { + "plugin": "visDefaultEditor", + "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" + }, + { + "plugin": "visDefaultEditor", + "path": "src/plugins/vis_default_editor/public/components/controls/field.tsx" + }, + { + "plugin": "visDefaultEditor", + "path": "src/plugins/vis_default_editor/public/components/agg_select.tsx" + }, + { + "plugin": "inputControlVis", + "path": "src/plugins/input_control_vis/public/test_utils/get_index_pattern_mock.ts" + }, + { + "plugin": "presentationUtil", + "path": "src/plugins/presentation_util/public/services/data_views/data_views.story.ts" + }, + { + "plugin": "visTypeTimelion", + "path": 
"src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" + }, + { + "plugin": "visTypeTimelion", + "path": "src/plugins/vis_types/timelion/public/helpers/arg_value_suggestions.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/common/index_patterns_utils.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.ts" + }, + { + "plugin": "visTypeVega", + "path": "src/plugins/vis_types/vega/public/data_model/search_api.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_datatable.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/convert_to_lens/lib/datasource/datasource_info.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/lib/cached_index_pattern_fetcher.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" + }, + { + "plugin": "discover", + "path": "src/plugins/discover/public/application/main/hooks/use_text_based_query_language.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/pages/metrics/hosts/hooks/use_data_view.test.ts" } - ], - "returnComment": [] - 
}, - { - "parentPluginId": "data", - "id": "def-common.IDataViewsApiClient.hasUserDataView", - "type": "Function", - "tags": [], - "label": "hasUserDataView", - "description": [], - "signature": [ - "() => Promise" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.IndexPatternExpressionType", - "type": "Interface", - "tags": [], - "label": "IndexPatternExpressionType", - "description": [ - "\nIndex pattern expression interface" - ], - "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.IndexPatternExpressionType.type", - "type": "string", - "tags": [], - "label": "type", - "description": [ - "\nExpression type" - ], - "signature": [ - "\"index_pattern\"" - ], - "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", - "deprecated": false, - "trackAdoption": false + ] }, { "parentPluginId": "data", - "id": "def-common.IndexPatternExpressionType.value", + "id": "def-common.DataView.fieldFormatMap", "type": "Object", "tags": [], - "label": "value", + "label": "fieldFormatMap", "description": [ - "\nValue - DataViewSpec" + "\nMap of field formats by field name" ], "signature": [ - "{ id?: string | undefined; version?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; sourceFilters?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.SourceFilter", - "text": "SourceFilter" - }, - "[] | undefined; fields?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewFieldMap", - "text": "DataViewFieldMap" - }, - " | undefined; typeMeta?: ", - { - "pluginId": "dataViews", - 
"scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.TypeMeta", - "text": "TypeMeta" - }, - " | undefined; type?: string | undefined; fieldFormats?: Record> | undefined; runtimeFieldMap?: Record | undefined; fieldAttrs?: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrs", - "text": "FieldAttrs" - }, - " | undefined; allowNoIndex?: boolean | undefined; namespaces?: string[] | undefined; name?: string | undefined; }" + ">; }" ], - "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", - "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.KbnFieldTypeOptions", - "type": "Interface", - "tags": [], - "label": "KbnFieldTypeOptions", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.KbnFieldTypeOptions.sortable", - "type": "boolean", - "tags": [], - "label": "sortable", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", - "deprecated": false, - "trackAdoption": false - }, - { - "parentPluginId": "data", - "id": "def-common.KbnFieldTypeOptions.filterable", - "type": "boolean", - "tags": [], - "label": "filterable", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.KbnFieldTypeOptions.name", - "type": "string", + "id": "def-common.DataView.typeMeta", + "type": "Object", "tags": [], - "label": "name", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", + "label": "typeMeta", + "description": [ + "\nOnly used by rollup indices, used by rollup specific endpoint to load field list." 
+ ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TypeMeta", + "text": "TypeMeta" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.KbnFieldTypeOptions.esTypes", - "type": "Array", + "id": "def-common.DataView.fields", + "type": "CompoundType", "tags": [], - "label": "esTypes", - "description": [], + "label": "fields", + "description": [ + "\nField list, in extended array format" + ], "signature": [ { - "pluginId": "@kbn/field-types", + "pluginId": "dataViews", "scope": "common", - "docId": "kibKbnFieldTypesPluginApi", - "section": "def-common.ES_FIELD_TYPES", - "text": "ES_FIELD_TYPES" + "docId": "kibDataViewsPluginApi", + "section": "def-common.IIndexPatternFieldList", + "text": "IIndexPatternFieldList" }, - "[]" + " & { toSpec: () => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewFieldMap", + "text": "DataViewFieldMap" + }, + "; }" ], - "path": "packages/kbn-field-types/src/types.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.UiSettingsCommon", - "type": "Interface", - "tags": [], - "label": "UiSettingsCommon", - "description": [ - "\nInterface for UiSettings common interface {@link UiSettingsClient}" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "children": [ + }, { "parentPluginId": "data", - "id": "def-common.UiSettingsCommon.get", - "type": "Function", + "id": "def-common.DataView.timeFieldName", + "type": "string", "tags": [], - "label": "get", + "label": "timeFieldName", "description": [ - "\nGet a setting value" + "\nTimestamp field name" ], 
"signature": [ - "(key: string) => Promise" + "string | undefined" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": "def-common.UiSettingsCommon.get.$1", - "type": "string", - "tags": [], - "label": "key", - "description": [ - "name of value" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.UiSettingsCommon.getAll", - "type": "Function", + "id": "def-common.DataView.type", + "type": "string", "tags": [], - "label": "getAll", + "label": "type", "description": [ - "\nGet all settings values" + "\nType is used to identify rollup index patterns." ], "signature": [ - "() => Promise>" + "string | undefined" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [] + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.UiSettingsCommon.set", + "id": "def-common.DataView.flattenHit", "type": "Function", - "tags": [], - "label": "set", - "description": [ - "\nSet a setting value" + "tags": [ + "deprecated" ], + "label": "flattenHit", + "description": [], "signature": [ - "(key: string, value: T) => Promise" + "(hit: Record, deep?: boolean | undefined) => Record" ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": true, "trackAdoption": false, + "references": [ + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "maps", + "path": 
"x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" + }, + { + "plugin": "maps", + "path": "x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx" + } + ], + "returnComment": [], "children": [ { "parentPluginId": "data", - "id": "def-common.UiSettingsCommon.set.$1", - "type": "string", + "id": "def-common.DataView.flattenHit.$1", + "type": "Object", "tags": [], - "label": "key", - "description": [ - "name of value" - ], + "label": "hit", + "description": [], "signature": [ - "string" + "{ [x: string]: unknown[]; }" ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false }, { "parentPluginId": "data", - "id": "def-common.UiSettingsCommon.set.$2", - "type": "Uncategorized", + "id": "def-common.DataView.flattenHit.$2", + "type": "CompoundType", "tags": [], - "label": "value", - "description": [ - "value to set" - ], + "label": "deep", + "description": [], "signature": [ - "T" + "boolean | undefined" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "isRequired": true + "trackAdoption": false } - ], - "returnComment": [] + ] }, { "parentPluginId": "data", - "id": "def-common.UiSettingsCommon.remove", - "type": "Function", + "id": "def-common.DataView.metaFields", + "type": "Array", "tags": [], - "label": "remove", + "label": "metaFields", "description": [ - "\nRemove a setting value" + "\nList of meta fields by name" ], "signature": [ - "(key: string) => Promise" + "string[]" ], - "path": "src/plugins/data_views/common/types.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false, - "children": [ - { - "parentPluginId": "data", - "id": 
"def-common.UiSettingsCommon.remove.$1", - "type": "string", - "tags": [], - "label": "key", - "description": [ - "name of value" - ], - "signature": [ - "string" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "isRequired": true - } - ], - "returnComment": [] - } - ], - "initialIsOpen": false - } - ], - "enums": [ - { - "parentPluginId": "data", - "id": "def-common.DataViewType", - "type": "Enum", - "tags": [], - "label": "DataViewType", - "description": [ - "\nData View type. Default or rollup" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.ES_FIELD_TYPES", - "type": "Enum", - "tags": [], - "label": "ES_FIELD_TYPES", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.KBN_FIELD_TYPES", - "type": "Enum", - "tags": [], - "label": "KBN_FIELD_TYPES", - "description": [], - "path": "packages/kbn-field-types/src/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - } - ], - "misc": [ - { - "parentPluginId": "data", - "id": "def-common.AggregationRestrictions", - "type": "Type", - "tags": [], - "label": "AggregationRestrictions", - "description": [], - "signature": [ - "{ [x: string]: { agg?: string | undefined; interval?: number | undefined; fixed_interval?: string | undefined; calendar_interval?: string | undefined; delay?: string | undefined; time_zone?: string | undefined; }; }" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.CSV_FORMULA_CHARS", - "type": "Array", - "tags": [], - "label": "CSV_FORMULA_CHARS", - "description": [], - "signature": [ - 
"string[]" - ], - "path": "src/plugins/data/common/exports/constants.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.CSV_MIME_TYPE", - "type": "string", - "tags": [], - "label": "CSV_MIME_TYPE", - "description": [], - "signature": [ - "\"text/plain;charset=utf-8\"" - ], - "path": "src/plugins/data/common/exports/export_csv.tsx", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DATA_VIEW_SAVED_OBJECT_TYPE", - "type": "string", - "tags": [], - "label": "DATA_VIEW_SAVED_OBJECT_TYPE", - "description": [ - "\nData view saved object type." - ], - "signature": [ - "\"index-pattern\"" - ], - "path": "src/plugins/data_views/common/constants.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewFieldMap", - "type": "Type", - "tags": [], - "label": "DataViewFieldMap", - "description": [], - "signature": [ - "{ [x: string]: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" - }, - "; }" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewsContract", - "type": "Type", - "tags": [], - "label": "DataViewsContract", - "description": [ - "\nData views service interface" - ], - "signature": [ - "{ get: (id: string, displayErrors?: boolean, refreshFields?: boolean) => Promise<", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" - }, - ">; delete: (indexPatternId: string) => Promise<{}>; create: (spec: ", - { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - 
"section": "def-common.DataViewSpec", - "text": "DataViewSpec" + "trackAdoption": false }, - ", skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.version", + "type": "string", + "tags": [], + "label": "version", + "description": [ + "\nSavedObject version" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false }, - ">; find: (search: string, size?: number) => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.sourceFilters", + "type": "Array", + "tags": [], + "label": "sourceFilters", + "description": [ + "\nArray of filters - hides fields in discover" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.SourceFilter", + "text": "SourceFilter" + }, + "[] | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false }, - "[]>; getCanSave: () => Promise; getIds: (refresh?: boolean) => Promise; getTitles: (refresh?: boolean) => Promise; getIdsWithTitle: (refresh?: boolean) => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewListItem", - "text": "DataViewListItem" + "parentPluginId": "data", + "id": "def-common.DataView.namespaces", + "type": "Array", + "tags": [], + "label": "namespaces", + "description": [ + "\nArray of namespace ids" + ], + "signature": [ + "string[]" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": 
false, + "trackAdoption": false }, - "[]>; clearCache: () => void; clearInstanceCache: (id?: string | undefined) => void; getCache: () => Promise<", { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" + "parentPluginId": "data", + "id": "def-common.DataView.allowNoIndex", + "type": "boolean", + "tags": [], + "label": "allowNoIndex", + "description": [ + "\nPrevents errors when index pattern exists before indices" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false }, - "<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSavedObjectAttrs", - "text": "DataViewSavedObjectAttrs" + "parentPluginId": "data", + "id": "def-common.DataView.name", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "\nName of the data view. Human readable name used to differentiate data view." 
+ ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false }, - ">[] | null | undefined>; getDefault: (displayErrors?: boolean) => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.matchedIndices", + "type": "Array", + "tags": [], + "label": "matchedIndices", + "description": [], + "signature": [ + "string[]" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false }, - " | null>; getDefaultId: () => Promise; setDefault: (id: string | null, force?: boolean) => Promise; hasUserDataView: () => Promise; getFieldsForWildcard: (options: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" + "parentPluginId": "data", + "id": "def-common.DataView.Unnamed", + "type": "Function", + "tags": [], + "label": "Constructor", + "description": [ + "\nconstructor" + ], + "signature": [ + "any" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.Unnamed.$1", + "type": "Object", + "tags": [], + "label": "config", + "description": [ + "- config data and dependencies" + ], + "signature": [ + "DataViewDeps" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - ") => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" + "parentPluginId": "data", + "id": "def-common.DataView.getName", + "type": "Function", + "tags": [], + "label": 
"getName", + "description": [ + "\nGet name of Data View" + ], + "signature": [ + "() => string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - "[]>; getFieldsForIndexPattern: (indexPattern: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.getIndexPattern", + "type": "Function", + "tags": [], + "label": "getIndexPattern", + "description": [ + "\nGet index pattern" + ], + "signature": [ + "() => string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [ + "index pattern string" + ] }, - " | ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" + "parentPluginId": "data", + "id": "def-common.DataView.setIndexPattern", + "type": "Function", + "tags": [], + "label": "setIndexPattern", + "description": [ + "\nSet index pattern" + ], + "signature": [ + "(indexPattern: string) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.setIndexPattern.$1", + "type": "string", + "tags": [], + "label": "indexPattern", + "description": [], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - ", options?: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.GetFieldsOptions", - "text": "GetFieldsOptions" + "parentPluginId": "data", + "id": 
"def-common.DataView.getOriginalSavedObjectBody", + "type": "Function", + "tags": [], + "label": "getOriginalSavedObjectBody", + "description": [ + "\nGet last saved saved object fields" + ], + "signature": [ + "() => { fieldAttrs?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; fields?: string | undefined; sourceFilters?: string | undefined; fieldFormatMap?: string | undefined; typeMeta?: string | undefined; type?: string | undefined; }" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - " | undefined) => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" + "parentPluginId": "data", + "id": "def-common.DataView.resetOriginalSavedObjectBody", + "type": "Function", + "tags": [], + "label": "resetOriginalSavedObjectBody", + "description": [ + "\nReset last saved saved object fields. Used after saving." 
+ ], + "signature": [ + "() => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - "[]>; refreshFields: (dataView: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.getFieldAttrs", + "type": "Function", + "tags": [], + "label": "getFieldAttrs", + "description": [ + "\nReturns field attributes map" + ], + "signature": [ + "() => { [x: string]: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrSet", + "text": "FieldAttrSet" + }, + "; }" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - ", displayErrors?: boolean) => Promise; fieldArrayToMap: (fields: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldSpec", - "text": "FieldSpec" + "parentPluginId": "data", + "id": "def-common.DataView.getComputedFields", + "type": "Function", + "tags": [], + "label": "getComputedFields", + "description": [ + "\nReturns scripted fields" + ], + "signature": [ + "() => { storedFields: string[]; scriptFields: Record; docvalueFields: { field: string; format: string; }[]; runtimeFields: ", + "MappingRuntimeFields", + "; }" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - "[], fieldAttrs?: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrs", - "text": "FieldAttrs" + "parentPluginId": "data", + "id": "def-common.DataView.isPersisted", + "type": "Function", + "tags": [], + "label": 
"isPersisted", + "description": [], + "signature": [ + "() => boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - " | undefined) => ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewFieldMap", - "text": "DataViewFieldMap" + "parentPluginId": "data", + "id": "def-common.DataView.toSpec", + "type": "Function", + "tags": [], + "label": "toSpec", + "description": [ + "\nCreates static representation of the data view." + ], + "signature": [ + "(includeFields?: boolean) => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.toSpec.$1", + "type": "boolean", + "tags": [], + "label": "includeFields", + "description": [ + "Whether or not to include the `fields` list as part of this spec. If not included, the list\nwill be fetched from Elasticsearch when instantiating a new Data View with this spec." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - "; savedObjectToSpec: (savedObject: ", { - "pluginId": "@kbn/core-saved-objects-common", - "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" + "parentPluginId": "data", + "id": "def-common.DataView.getSourceFiltering", + "type": "Function", + "tags": [], + "label": "getSourceFiltering", + "description": [ + "\nGet the source filtering configuration for that index." 
+ ], + "signature": [ + "() => { excludes: string[]; }" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - "<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewAttributes", - "text": "DataViewAttributes" + "parentPluginId": "data", + "id": "def-common.DataView.removeScriptedField", + "type": "Function", + "tags": [ + "deprecated" + ], + "label": "removeScriptedField", + "description": [ + "\nRemoves scripted field from field list." + ], + "signature": [ + "(fieldName: string) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/field_editor/field_editor.tsx" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + } + ], + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.removeScriptedField.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of scripted field to remove" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - ">) => ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" + "parentPluginId": "data", + "id": "def-common.DataView.getNonScriptedFields", + "type": "Function", + "tags": [ + "deprecated" + ], + "label": "getNonScriptedFields", + 
"description": [ + "\n" + ], + "signature": [ + "() => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + "[]" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/server/lib/search_strategies/strategies/abstract_search_strategy.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/services/persistence/deserialize.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/state_management/datasource.test.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" + }, + { + "plugin": "graph", + "path": "x-pack/plugins/graph/public/services/persistence/deserialize.test.ts" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/source_filters_table/components/table/table.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/edit_index_pattern.tsx" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "visTypeTimeseries", + "path": "src/plugins/vis_types/timeseries/public/application/lib/fetch_fields.ts" + } + ], + "children": [], + "returnComment": [] }, - "; createAndSave: (spec: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": 
"def-common.DataViewSpec", - "text": "DataViewSpec" + "parentPluginId": "data", + "id": "def-common.DataView.getScriptedFields", + "type": "Function", + "tags": [ + "deprecated" + ], + "label": "getScriptedFields", + "description": [ + "\n" + ], + "signature": [ + "() => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + "[]" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/server/register_index_pattern_usage_collection.ts" + }, + { + "plugin": "dataViewManagement", + "path": "src/plugins/data_view_management/public/components/edit_index_pattern/scripted_fields_table/scripted_fields_table.tsx" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + }, + { + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_view.test.ts" + } + ], + "children": [], + "returnComment": [] }, - ", override?: boolean, skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": 
"data", + "id": "def-common.DataView.isTSDBMode", + "type": "Function", + "tags": [], + "label": "isTSDBMode", + "description": [ + "\nreturns true if dataview contains TSDB fields" + ], + "signature": [ + "() => boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - ">; createSavedObject: (dataView: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.isTimeBased", + "type": "Function", + "tags": [], + "label": "isTimeBased", + "description": [ + "\nDoes the data view have a timestamp field?" + ], + "signature": [ + "() => this is ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TimeBasedDataView", + "text": "TimeBasedDataView" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - ", override?: boolean, displayErrors?: boolean) => Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.isTimeNanosBased", + "type": "Function", + "tags": [], + "label": "isTimeNanosBased", + "description": [ + "\nDoes the data view have a timestamp field and is it a date nanos field?" 
+ ], + "signature": [ + "() => this is ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TimeBasedDataView", + "text": "TimeBasedDataView" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - ">; updateSavedObject: (indexPattern: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.getTimeField", + "type": "Function", + "tags": [], + "label": "getTimeField", + "description": [ + "\nGet timestamp field as DataViewField or return undefined" + ], + "signature": [ + "() => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - ", saveAttempts?: number, ignoreErrors?: boolean, displayErrors?: boolean) => Promise ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.getFieldByName.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - ">; getDefaultDataView: (refreshFields?: boolean | undefined) => 
Promise<", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "parentPluginId": "data", + "id": "def-common.DataView.getAggregationRestrictions", + "type": "Function", + "tags": [], + "label": "getAggregationRestrictions", + "description": [ + "\nGet aggregation restrictions. Rollup fields can only perform a subset of aggregations." + ], + "signature": [ + "() => Record | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - " | null>; }" - ], - "path": "src/plugins/data_views/common/data_views/data_views.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DataViewSpec", - "type": "Type", - "tags": [], - "label": "DataViewSpec", - "description": [ - "\nStatic data view format\nSerialized data object, representing data view attributes and state" - ], - "signature": [ - "{ id?: string | undefined; version?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; sourceFilters?: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.SourceFilter", - "text": "SourceFilter" + "parentPluginId": "data", + "id": "def-common.DataView.getAsSavedObjectBody", + "type": "Function", + "tags": [], + "label": "getAsSavedObjectBody", + "description": [ + "\nReturns index pattern as saved object body for saving" + ], + "signature": [ + "() => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewAttributes", + "text": "DataViewAttributes" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - "[] | undefined; fields?: ", 
{ - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewFieldMap", - "text": "DataViewFieldMap" + "parentPluginId": "data", + "id": "def-common.DataView.getFormatterForField", + "type": "Function", + "tags": [], + "label": "getFormatterForField", + "description": [ + "\nProvide a field, get its formatter" + ], + "signature": [ + "(field: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + ") => ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormat", + "text": "FieldFormat" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.getFormatterForField.$1", + "type": "CompoundType", + "tags": [], + "label": "field", + "description": [ + "field to get formatter for" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - " | undefined; typeMeta?: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.TypeMeta", - "text": "TypeMeta" + "parentPluginId": "data", + "id": "def-common.DataView.addRuntimeField", 
+ "type": "Function", + "tags": [], + "label": "addRuntimeField", + "description": [ + "\nAdd a runtime field - Appended to existing mapped field or a new field is\ncreated as appropriate." + ], + "signature": [ + "(name: string, runtimeField: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeField", + "text": "RuntimeField" + }, + ") => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + }, + "[]" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.addRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "Field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataView.addRuntimeField.$2", + "type": "Object", + "tags": [], + "label": "runtimeField", + "description": [ + "Runtime field definition" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeField", + "text": "RuntimeField" + } + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - " | undefined; type?: string | undefined; fieldFormats?: Record boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.hasRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "field name" + 
], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - "<{}, ", { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" + "parentPluginId": "data", + "id": "def-common.DataView.getRuntimeField", + "type": "Function", + "tags": [], + "label": "getRuntimeField", + "description": [ + "\nReturns runtime field if exists" + ], + "signature": [ + "(name: string) => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeField", + "text": "RuntimeField" + }, + " | null" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.getRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "Runtime field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - ">> | undefined; runtimeFieldMap?: Record Record" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [ + "map of runtime field definitions by field name" + ] }, - "> | undefined; fieldAttrs?: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrs", - "text": "FieldAttrs" + "parentPluginId": "data", + "id": "def-common.DataView.getFieldsByRuntimeFieldName", + "type": "Function", + "tags": [], + "label": "getFieldsByRuntimeFieldName", + "description": [ + "\nReturns data view fields 
backed by runtime fields." + ], + "signature": [ + "(name: string) => Record | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.getFieldsByRuntimeFieldName.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "runtime field name" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [ + "map of DataViewFields (that are runtime fields) by field name" + ] }, - " | undefined; allowNoIndex?: boolean | undefined; namespaces?: string[] | undefined; name?: string | undefined; }" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.DEFAULT_QUERY_LANGUAGE", - "type": "string", - "tags": [], - "label": "DEFAULT_QUERY_LANGUAGE", - "description": [], - "signature": [ - "\"kuery\"" - ], - "path": "src/plugins/data/common/constants.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.FieldAttrs", - "type": "Type", - "tags": [], - "label": "FieldAttrs", - "description": [ - "\nSet of field attributes" - ], - "signature": [ - "{ [key: string]: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.FieldAttrSet", - "text": "FieldAttrSet" + "parentPluginId": "data", + "id": "def-common.DataView.replaceAllRuntimeFields", + "type": "Function", + "tags": [], + "label": "replaceAllRuntimeFields", + "description": [ + "\nReplaces all existing runtime fields with new fields." 
+ ], + "signature": [ + "(newFields: Record) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.replaceAllRuntimeFields.$1", + "type": "Object", + "tags": [], + "label": "newFields", + "description": [ + "Map of runtime field definitions by field name" + ], + "signature": [ + "Record" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + }, + { + "parentPluginId": "data", + "id": "def-common.DataView.removeRuntimeField", + "type": "Function", + "tags": [], + "label": "removeRuntimeField", + "description": [ + "\nRemove a runtime field - removed from mapped field or removed unmapped\nfield as appropriate. Doesn't clear associated field attributes." + ], + "signature": [ + "(name: string) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.removeRuntimeField.$1", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "- Field name to remove" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - "; }" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.FieldAttrSet", - "type": "Type", - "tags": [], - "label": "FieldAttrSet", - "description": [ - "\nField attributes that are stored on the data view" - ], - "signature": [ - "{ customLabel?: string | undefined; count?: number | undefined; }" - ], - "path": 
"src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.FieldSpec", - "type": "Type", - "tags": [], - "label": "FieldSpec", - "description": [ - "\nSerialized version of DataViewField" - ], - "signature": [ { - "pluginId": "@kbn/es-query", - "scope": "common", - "docId": "kibKbnEsQueryPluginApi", - "section": "def-common.DataViewFieldBase", - "text": "DataViewFieldBase" + "parentPluginId": "data", + "id": "def-common.DataView.getRuntimeMappings", + "type": "Function", + "tags": [], + "label": "getRuntimeMappings", + "description": [ + "\nReturn the \"runtime_mappings\" section of the ES search query." + ], + "signature": [ + "() => ", + "MappingRuntimeFields" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, - " & { count?: number | undefined; conflictDescriptions?: Record | undefined; format?: ", { - "pluginId": "fieldFormats", - "scope": "common", - "docId": "kibFieldFormatsPluginApi", - "section": "def-common.SerializedFieldFormat", - "text": "SerializedFieldFormat" + "parentPluginId": "data", + "id": "def-common.DataView.getFormatterForFieldNoDefault", + "type": "Function", + "tags": [], + "label": "getFormatterForFieldNoDefault", + "description": [ + "\nGet formatter for a given field name. Return undefined if none exists." 
+ ], + "signature": [ + "(fieldname: string) => ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.FieldFormat", + "text": "FieldFormat" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.getFormatterForFieldNoDefault.$1", + "type": "string", + "tags": [], + "label": "fieldname", + "description": [ + "name of field to get formatter for" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - "<{}, ", { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" + "parentPluginId": "data", + "id": "def-common.DataView.setFieldAttrs", + "type": "Function", + "tags": [], + "label": "setFieldAttrs", + "description": [ + "\nSet field attribute" + ], + "signature": [ + "(fieldName: string, attrName: K, value: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrSet", + "text": "FieldAttrSet" + }, + "[K]) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldAttrs.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set attribute on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldAttrs.$2", + 
"type": "Uncategorized", + "tags": [], + "label": "attrName", + "description": [ + "name of attribute to set" + ], + "signature": [ + "K" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldAttrs.$3", + "type": "Uncategorized", + "tags": [], + "label": "value", + "description": [ + "value of attribute" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrSet", + "text": "FieldAttrSet" + }, + "[K]" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - "> | undefined; esTypes?: string[] | undefined; searchable: boolean; aggregatable: boolean; readFromDocValues?: boolean | undefined; indexed?: boolean | undefined; customLabel?: string | undefined; runtimeField?: ", { - "pluginId": "dataViews", - "scope": "common", - "docId": "kibDataViewsPluginApi", - "section": "def-common.RuntimeFieldSpec", - "text": "RuntimeFieldSpec" + "parentPluginId": "data", + "id": "def-common.DataView.setFieldCustomLabel", + "type": "Function", + "tags": [], + "label": "setFieldCustomLabel", + "description": [ + "\nSet field custom label" + ], + "signature": [ + "(fieldName: string, customLabel: string | null | undefined) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldCustomLabel.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set custom label on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + 
"isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldCustomLabel.$2", + "type": "CompoundType", + "tags": [], + "label": "customLabel", + "description": [ + "custom label value. If undefined, custom label is removed" + ], + "signature": [ + "string | null | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], + "returnComment": [] }, - " | undefined; fixedInterval?: string[] | undefined; timeZone?: string[] | undefined; timeSeriesDimension?: boolean | undefined; timeSeriesMetric?: \"gauge\" | \"histogram\" | \"summary\" | \"counter\" | undefined; shortDotsEnable?: boolean | undefined; isMapped?: boolean | undefined; parentName?: string | undefined; }" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.FieldSpecConflictDescriptions", - "type": "Type", - "tags": [], - "label": "FieldSpecConflictDescriptions", - "description": [], - "signature": [ - "{ [x: string]: string[]; }" - ], - "path": "src/plugins/data_views/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.GetConfigFn", - "type": "Type", - "tags": [], - "label": "GetConfigFn", - "description": [ - "\nIf a service is being shared on both the client and the server, and\nthe client code requires synchronous access to uiSettings, both client\nand server should wrap the core uiSettings services in a function\nmatching this signature.\n\nThis matches the signature of the public `core.uiSettings.get`, and\nshould only be used in scenarios where async access to uiSettings is\nnot possible." 
- ], - "signature": [ - "(key: string, defaultOverride?: T | undefined) => T" - ], - "path": "src/plugins/data/common/types.ts", - "deprecated": false, - "trackAdoption": false, - "returnComment": [], - "children": [ { "parentPluginId": "data", - "id": "def-common.GetConfigFn.$1", - "type": "string", + "id": "def-common.DataView.setFieldCount", + "type": "Function", "tags": [], - "label": "key", - "description": [], - "path": "src/plugins/data/common/types.ts", + "label": "setFieldCount", + "description": [ + "\nSet field count" + ], + "signature": [ + "(fieldName: string, count: number | null | undefined) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldCount.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set count on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldCount.$2", + "type": "CompoundType", + "tags": [], + "label": "count", + "description": [ + "count value. 
If undefined, count is removed" + ], + "signature": [ + "number | null | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], + "returnComment": [] }, { "parentPluginId": "data", - "id": "def-common.GetConfigFn.$2", - "type": "Uncategorized", + "id": "def-common.DataView.setFieldFormat", + "type": "Function", "tags": [], - "label": "defaultOverride", - "description": [], + "label": "setFieldFormat", + "description": [ + "\nSet field formatter" + ], "signature": [ - "T | undefined" + "(fieldName: string, format: ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.SerializedFieldFormat", + "text": "SerializedFieldFormat" + }, + "<{}, ", + { + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" + }, + ">) => void" ], - "path": "src/plugins/data/common/types.ts", + "path": "src/plugins/data_views/common/data_views/data_view.ts", "deprecated": false, - "trackAdoption": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.IndexPatternLoadExpressionFunctionDefinition", - "type": "Type", - "tags": [], - "label": "IndexPatternLoadExpressionFunctionDefinition", - "description": [], - "signature": [ - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.ExpressionFunctionDefinition", - "text": "ExpressionFunctionDefinition" - }, - "<\"indexPatternLoad\", null, Arguments, Output, ", - { - "pluginId": "expressions", - "scope": "common", - "docId": "kibExpressionsPluginApi", - "section": "def-common.ExecutionContext", - "text": "ExecutionContext" - }, - "<", - { - "pluginId": "inspector", - "scope": "common", - "docId": "kibInspectorPluginApi", - "section": 
"def-common.Adapters", - "text": "Adapters" + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldFormat.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "name of field to set format on" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataView.setFieldFormat.$2", + "type": "Object", + "tags": [], + "label": "format", + "description": [ + "field format in serialized form" + ], + "signature": [ + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.SerializedFieldFormat", + "text": "SerializedFieldFormat" + }, + "<{}, ", + { + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" + }, + ">" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, - ", ", { - "pluginId": "@kbn/utility-types", - "scope": "common", - "docId": "kibKbnUtilityTypesPluginApi", - "section": "def-common.SerializableRecord", - "text": "SerializableRecord" - }, - ">>" - ], - "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.KIBANA_USER_QUERY_LANGUAGE_KEY", - "type": "string", - "tags": [], - "label": "KIBANA_USER_QUERY_LANGUAGE_KEY", - "description": [], - "signature": [ - "\"kibana.userQueryLanguage\"" + "parentPluginId": "data", + "id": "def-common.DataView.deleteFieldFormat", + "type": "Function", + "tags": [], + "label": "deleteFieldFormat", + "description": [ + 
"\nRemove field format from the field format map." + ], + "signature": [ + "(fieldName: string) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataView.deleteFieldFormat.$1", + "type": "string", + "tags": [], + "label": "fieldName", + "description": [ + "field name associated with the format for removal" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_view.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + } ], - "path": "src/plugins/data/common/constants.ts", - "deprecated": false, - "trackAdoption": false, "initialIsOpen": false }, { "parentPluginId": "data", - "id": "def-common.META_FIELDS", - "type": "string", + "id": "def-common.DataViewField", + "type": "Class", "tags": [], - "label": "META_FIELDS", + "label": "DataViewField", "description": [ - "\nUiSettings key for metaFields list." 
- ], - "signature": [ - "\"metaFields\"" - ], - "path": "src/plugins/data_views/common/constants.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.Query", - "type": "Type", - "tags": [], - "label": "Query", - "description": [], - "signature": [ - "{ query: string | { [key: string]: any; }; language: string; }" - ], - "path": "packages/kbn-es-query/src/filters/build_filters/types.ts", - "deprecated": false, - "trackAdoption": false, - "initialIsOpen": false - }, - { - "parentPluginId": "data", - "id": "def-common.SavedObject", - "type": "Type", - "tags": [ - "deprecated" + "\nData view field class" ], - "label": "SavedObject", - "description": [], "signature": [ { - "pluginId": "@kbn/core-saved-objects-common", + "pluginId": "dataViews", "scope": "common", - "docId": "kibKbnCoreSavedObjectsCommonPluginApi", - "section": "def-common.SavedObject", - "text": "SavedObject" + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" }, - "" + " implements ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.DataViewFieldBase", + "text": "DataViewFieldBase" + } ], - "path": "packages/core/saved-objects/core-saved-objects-common/src/saved_objects.ts", - "deprecated": true, + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, "trackAdoption": false, - "references": [ - { - "plugin": "@kbn/core-saved-objects-common", - "path": "packages/core/saved-objects/core-saved-objects-common/index.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-browser", - "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/base.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server/src/apis/base.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/resolve.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/resolve.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/update.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/update.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/find.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/find.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" - }, + "children": [ { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.spec", + "type": "CompoundType", + "tags": [], + "label": "spec", + "description": [], + "signature": [ + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.DataViewFieldBase", + "text": "DataViewFieldBase" + }, + " & { count?: number | undefined; conflictDescriptions?: Record | undefined; format?: ", + { + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.SerializedFieldFormat", + "text": "SerializedFieldFormat" + }, + "<{}, ", + { + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" + }, + "> | undefined; esTypes?: string[] | undefined; searchable: boolean; aggregatable: boolean; readFromDocValues?: boolean | undefined; indexed?: boolean | undefined; customLabel?: string | undefined; runtimeField?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeFieldSpec", + 
"text": "RuntimeFieldSpec" + }, + " | undefined; fixedInterval?: string[] | undefined; timeZone?: string[] | undefined; timeSeriesDimension?: boolean | undefined; timeSeriesMetric?: \"gauge\" | \"histogram\" | \"summary\" | \"counter\" | undefined; shortDotsEnable?: boolean | undefined; isMapped?: boolean | undefined; parentName?: string | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.Unnamed", + "type": "Function", + "tags": [ + "constructor" + ], + "label": "Constructor", + "description": [ + "\nDataView constructor" + ], + "signature": [ + "any" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewField.Unnamed.$1", + "type": "CompoundType", + "tags": [], + "label": "spec", + "description": [ + "Configuration for the field" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + } + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.count", + "type": "number", + "tags": [], + "label": "count", + "description": [ + "\nCount is used for field popularity in discover." 
+ ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.count", + "type": "number", + "tags": [], + "label": "count", + "description": [ + "\nSet count, which is used for field popularity in discover." + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "core", - "path": "src/core/public/index.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.runtimeField", + "type": "CompoundType", + "tags": [], + "label": "runtimeField", + "description": [ + "\nReturns runtime field definition or undefined if field is not runtime field." + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeFieldSpec", + "text": "RuntimeFieldSpec" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "home", - "path": "src/plugins/home/server/services/sample_data/sample_data_registry.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.runtimeField", + "type": "CompoundType", + "tags": [], + "label": "runtimeField", + "description": [ + "\nSets runtime field definition or unsets if undefined is provided." 
+ ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.RuntimeFieldSpec", + "text": "RuntimeFieldSpec" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "home", - "path": "src/plugins/home/server/services/sample_data/sample_data_registry.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.script", + "type": "string", + "tags": [], + "label": "script", + "description": [ + "\nScript field code" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "home", - "path": "src/plugins/home/server/services/sample_data/sample_data_registry.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.script", + "type": "string", + "tags": [], + "label": "script", + "description": [ + "\nSets scripted field painless code" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.lang", + "type": "string", + "tags": [], + "label": "lang", + "description": [ + "\nScript field language" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.lang", + "type": "string", + "tags": [], + "label": "lang", + "description": [ + "\nSets scripted field langauge." 
+ ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.customLabel", + "type": "string", + "tags": [], + "label": "customLabel", + "description": [ + "\nReturns custom label if set, otherwise undefined." + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.customLabel", + "type": "string", + "tags": [], + "label": "customLabel", + "description": [ + "\nSets custom label for field, or unsets if passed undefined." + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.conflictDescriptions", + "type": "Object", + "tags": [], + "label": "conflictDescriptions", + "description": [ + "\nDescription of field type conflicts across different indices in the same index pattern." + ], + "signature": [ + "Record | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.conflictDescriptions", + "type": "Object", + "tags": [], + "label": "conflictDescriptions", + "description": [ + "\nSets conflict descriptions for field." 
+ ], + "signature": [ + "Record | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/index.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.name", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "\nGet field name" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.displayName", + "type": "string", + "tags": [], + "label": "displayName", + "description": [ + "\nGets display name, calcualted based on name, custom label and shortDotsEnable." + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.type", + "type": "string", + "tags": [], + "label": "type", + "description": [ + "\nGets field type" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.esTypes", + "type": "Array", + "tags": [], + "label": "esTypes", + "description": [ + "\nGets ES types as string array" + ], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.scripted", + 
"type": "boolean", + "tags": [], + "label": "scripted", + "description": [ + "\nReturns true if scripted field" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.searchable", + "type": "boolean", + "tags": [], + "label": "searchable", + "description": [ + "\nReturns true if field is searchable" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.aggregatable", + "type": "boolean", + "tags": [], + "label": "aggregatable", + "description": [ + "\nReturns true if field is aggregatable" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.timeSeriesDimension", + "type": "boolean", + "tags": [], + "label": "timeSeriesDimension", + "description": [ + "\nreturns true if field is a TSDB dimension field" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.timeSeriesMetric", + "type": "CompoundType", + "tags": [], + "label": "timeSeriesMetric", + "description": [ + "\nreturns type of TSDB metric or undefined" + ], + "signature": [ + "\"gauge\" | \"histogram\" | \"summary\" | \"counter\" | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + 
"deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.fixedInterval", + "type": "Array", + "tags": [], + "label": "fixedInterval", + "description": [ + "\nreturns list of alloeed fixed intervals" + ], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/server/utils.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.isRolledUpField", + "type": "CompoundType", + "tags": [], + "label": "isRolledUpField", + "description": [ + "\nreturns true if the field is of rolled up type" + ], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/server/utils.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.timeZone", + "type": "Array", + "tags": [], + "label": "timeZone", + "description": [ + "\nreturn list of allowed time zones" + ], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/server/utils.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.readFromDocValues", + "type": "boolean", + "tags": [], + "label": "readFromDocValues", + "description": [ + "\nReturns true if field is available via doc values" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "discover", - "path": "src/plugins/discover/public/application/main/components/layout/__stories__/get_layout_props.ts" + 
"parentPluginId": "data", + "id": "def-common.DataViewField.subType", + "type": "CompoundType", + "tags": [], + "label": "subType", + "description": [ + "\nReturns field subtype, multi, nested, or undefined if neither" + ], + "signature": [ + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "discover", - "path": "src/plugins/discover/public/application/main/components/layout/__stories__/get_layout_props.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.isMapped", + "type": "CompoundType", + "tags": [], + "label": "isMapped", + "description": [ + "\nIs the field part of the index mapping?" + ], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/public/saved_objects_client_wrapper.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.isRuntimeField", + "type": "boolean", + "tags": [], + "label": "isRuntimeField", + "description": [ + "\nReturns true if runtime field defined on data view" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/public/saved_objects_client_wrapper.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.sortable", + "type": "boolean", + "tags": [], + "label": "sortable", + "description": [ + "\nReturns true if field is sortable" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": 
"src/plugins/data_views/public/saved_objects_client_wrapper.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.filterable", + "type": "boolean", + "tags": [], + "label": "filterable", + "description": [ + "\nReturns true if field is filterable" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/public/saved_objects_client_wrapper.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.visualizable", + "type": "boolean", + "tags": [], + "label": "visualizable", + "description": [ + "\nReturns true if field is visualizable" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.test.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.isSubtypeNested", + "type": "Function", + "tags": [], + "label": "isSubtypeNested", + "description": [ + "\nReturns true if field is subtype nested" + ], + "signature": [ + "() => boolean" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_views/data_views.test.ts" + "parentPluginId": "data", + "id": "def-common.DataViewField.isSubtypeMulti", + "type": "Function", + "tags": [], + "label": "isSubtypeMulti", + "description": [ + "\nReturns true if field is subtype multi" + ], + "signature": [ + "() => boolean" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/ui_api/get_table_column_definition.tsx" + "parentPluginId": 
"data", + "id": "def-common.DataViewField.getSubtypeNested", + "type": "Function", + "tags": [], + "label": "getSubtypeNested", + "description": [ + "\nReturns subtype nested data if exists" + ], + "signature": [ + "() => ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubTypeNested", + "text": "IFieldSubTypeNested" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/ui_api/get_table_column_definition.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewField.getSubtypeMulti", + "type": "Function", + "tags": [], + "label": "getSubtypeMulti", + "description": [ + "\nReturns subtype multi data if exists" + ], + "signature": [ + "() => ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubTypeMulti", + "text": "IFieldSubTypeMulti" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/ui_api/get_table_column_definition.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewField.deleteCount", + "type": "Function", + "tags": [], + "label": "deleteCount", + "description": [ + "\nDeletes count value. 
Popularity as used by discover" + ], + "signature": [ + "() => void" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "savedObjectsFinder", - "path": "src/plugins/saved_objects_finder/public/finder/saved_object_finder.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewField.toJSON", + "type": "Function", + "tags": [], + "label": "toJSON", + "description": [ + "\nJSON version of field" + ], + "signature": [ + "() => { count: number; script: string | undefined; lang: string | undefined; conflictDescriptions: Record | undefined; name: string; type: string; esTypes: string[] | undefined; scripted: boolean; searchable: boolean; aggregatable: boolean; readFromDocValues: boolean; subType: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; customLabel: string | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "savedObjectsFinder", - "path": "src/plugins/saved_objects_finder/public/finder/saved_object_finder.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewField.toSpec", + "type": "Function", + "tags": [], + "label": "toSpec", + "description": [ + "\nGet field in serialized form - fieldspec." 
+ ], + "signature": [ + "(config?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.ToSpecConfig", + "text": "ToSpecConfig" + }, + ") => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + } + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewField.toSpec.$1", + "type": "Object", + "tags": [], + "label": "config", + "description": [ + "provide a method to get a field formatter" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.ToSpecConfig", + "text": "ToSpecConfig" + } + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [ + "field in serialized form - field spec" + ] }, { - "plugin": "savedObjectsFinder", - "path": "src/plugins/saved_objects_finder/public/finder/saved_object_finder.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewField.isRuntimeCompositeSubField", + "type": "Function", + "tags": [], + "label": "isRuntimeCompositeSubField", + "description": [ + "\nReturns true if composite runtime field" + ], + "signature": [ + "() => boolean" + ], + "path": "src/plugins/data_views/common/fields/data_view_field.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewSavedObjectConflictError", + "type": "Class", + "tags": [], + "label": "DataViewSavedObjectConflictError", + "description": [ + "\nError thrown when saved object has been changed when attempting to save." 
+ ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSavedObjectConflictError", + "text": "DataViewSavedObjectConflictError" }, + " extends Error" + ], + "path": "src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/common/types/models/epm.ts" - }, + "parentPluginId": "data", + "id": "def-common.DataViewSavedObjectConflictError.Unnamed", + "type": "Function", + "tags": [], + "label": "Constructor", + "description": [ + "\nconstructor" + ], + "signature": [ + "any" + ], + "path": "src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewSavedObjectConflictError.Unnamed.$1", + "type": "string", + "tags": [], + "label": "savedObjectId", + "description": [ + "saved object id with conflict" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService", + "type": "Class", + "tags": [], + "label": "DataViewsService", + "description": [ + "\nData views service, providing CRUD operations for data views." + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/common/types/models/epm.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getCanSave", + "type": "Function", + "tags": [], + "label": "getCanSave", + "description": [ + "\nCan the user save data views?" 
+ ], + "signature": [ + "() => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [] }, { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/common/types/models/epm.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.Unnamed", + "type": "Function", + "tags": [], + "label": "Constructor", + "description": [ + "\nDataViewsService constructor" + ], + "signature": [ + "any" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.Unnamed.$1", + "type": "Object", + "tags": [], + "label": "deps", + "description": [ + "Service dependencies" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewsServiceDeps", + "text": "DataViewsServiceDeps" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/shareable_runtime/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getIds", + "type": "Function", + "tags": [], + "label": "getIds", + "description": [ + "\nGets list of index pattern ids." 
+ ], + "signature": [ + "(refresh?: boolean) => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.getIds.$1", + "type": "boolean", + "tags": [], + "label": "refresh", + "description": [ + "Force refresh of index pattern list" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/shareable_runtime/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getTitles", + "type": "Function", + "tags": [], + "label": "getTitles", + "description": [ + "\nGets list of index pattern titles." + ], + "signature": [ + "(refresh?: boolean) => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.getTitles.$1", + "type": "boolean", + "tags": [], + "label": "refresh", + "description": [ + "Force refresh of index pattern list" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/services/kibana/workpad.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.find", + "type": "Function", + "tags": [], + "label": "find", + "description": [ + "\nFind and load index patterns by title." 
+ ], + "signature": [ + "(search: string, size?: number) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + "[]>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.find.$1", + "type": "string", + "tags": [], + "label": "search", + "description": [ + "Search string" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.find.$2", + "type": "number", + "tags": [], + "label": "size", + "description": [ + "Number of data views to return" + ], + "signature": [ + "number" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [ + "DataView[]" + ] }, { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/services/kibana/workpad.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getIdsWithTitle", + "type": "Function", + "tags": [], + "label": "getIdsWithTitle", + "description": [ + "\nGets list of index pattern ids with titles." 
+ ], + "signature": [ + "(refresh?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewListItem", + "text": "DataViewListItem" + }, + "[]>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.getIdsWithTitle.$1", + "type": "boolean", + "tags": [], + "label": "refresh", + "description": [ + "Force refresh of index pattern list" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/home/hooks/use_upload_workpad.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.clearCache", + "type": "Function", + "tags": [], + "label": "clearCache", + "description": [ + "\nClear index pattern saved objects cache." 
+ ], + "signature": [ + "() => void" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "canvas", - "path": "x-pack/plugins/canvas/public/components/home/hooks/use_upload_workpad.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.clearInstanceCache", + "type": "Function", + "tags": [], + "label": "clearInstanceCache", + "description": [ + "\nClear index pattern instance cache" + ], + "signature": [ + "(id?: string | undefined) => void" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.clearInstanceCache.$1", + "type": "string", + "tags": [], + "label": "id", + "description": [], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], + "returnComment": [] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/packs/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getCache", + "type": "Function", + "tags": [], + "label": "getCache", + "description": [ + "\nGet cache, contains data view saved objects." 
+ ], + "signature": [ + "() => Promise<", + { + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" + }, + "<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSavedObjectAttrs", + "text": "DataViewSavedObjectAttrs" + }, + ">[] | null | undefined>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/packs/types.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getDefault", + "type": "Function", + "tags": [], + "label": "getDefault", + "description": [ + "\nGet default index pattern" + ], + "signature": [ + "(displayErrors?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | null>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.getDefault.$1", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." 
+ ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getDefaultId", + "type": "Function", + "tags": [], + "label": "getDefaultId", + "description": [ + "\nGet default index pattern id" + ], + "signature": [ + "() => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewsService.setDefault", + "type": "Function", + "tags": [], + "label": "setDefault", + "description": [ + "\nOptionally set default index pattern, unless force = true" + ], + "signature": [ + "(id: string | null, force?: boolean) => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.setDefault.$1", + "type": "CompoundType", + "tags": [], + "label": "id", + "description": [ + "data view id" + ], + "signature": [ + "string | null" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.setDefault.$2", + "type": "boolean", + "tags": [], + "label": "force", + "description": [ + "set default data view even if there's an existing default" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + 
"isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.hasUserDataView", + "type": "Function", + "tags": [], + "label": "hasUserDataView", + "description": [ + "\nChecks if current user has a user created index pattern ignoring fleet's server default index patterns." + ], + "signature": [ + "() => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getFieldsForWildcard", + "type": "Function", + "tags": [], + "label": "getFieldsForWildcard", + "description": [ + "\nGet field list by providing { pattern }." + ], + "signature": [ + "(options: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + }, + ") => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[]>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.getFieldsForWildcard.$1", + "type": "Object", + "tags": [], + "label": "options", + "description": [ + "options for getting field list" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + 
"isRequired": true + } + ], + "returnComment": [ + "FieldSpec[]" + ] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.getFieldsForIndexPattern", + "type": "Function", + "tags": [], + "label": "getFieldsForIndexPattern", + "description": [ + "\nGet field list by providing an index patttern (or spec)." + ], + "signature": [ + "(indexPattern: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + }, + ", options?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + }, + " | undefined) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[]>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.getFieldsForIndexPattern.$1", + "type": "CompoundType", + "tags": [], + "label": "indexPattern", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": 
"def-common.DataViewsService.getFieldsForIndexPattern.$2", + "type": "Object", + "tags": [], + "label": "options", + "description": [ + "options for getting field list" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], + "returnComment": [ + "FieldSpec[]" + ] }, { - "plugin": "osquery", - "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.refreshFields", + "type": "Function", + "tags": [], + "label": "refreshFields", + "description": [ + "\nRefresh field list for a given index pattern." + ], + "signature": [ + "(dataView: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ", displayErrors?: boolean) => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.refreshFields.$1", + "type": "Object", + "tags": [], + "label": "dataView", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.refreshFields.$2", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." 
+ ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.fieldArrayToMap", + "type": "Function", + "tags": [], + "label": "fieldArrayToMap", + "description": [ + "\nConverts field array to map." + ], + "signature": [ + "(fields: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[], fieldAttrs?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrs", + "text": "FieldAttrs" + }, + " | undefined) => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewFieldMap", + "text": "DataViewFieldMap" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.fieldArrayToMap.$1", + "type": "Array", + "tags": [], + "label": "fields", + "description": [ + ": FieldSpec[]" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[]" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.fieldArrayToMap.$2", + "type": "Object", + "tags": [], + "label": "fieldAttrs", + "description": [ + ": FieldAttrs" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", 
+ "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrs", + "text": "FieldAttrs" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], + "returnComment": [ + "Record" + ] }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.savedObjectToSpec", + "type": "Function", + "tags": [], + "label": "savedObjectToSpec", + "description": [ + "\nConverts data view saved object to data view spec." + ], + "signature": [ + "(savedObject: ", + { + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" + }, + "<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewAttributes", + "text": "DataViewAttributes" + }, + ">) => ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.savedObjectToSpec.$1", + "type": "Object", + "tags": [], + "label": "savedObject", + "description": [], + "signature": [ + { + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" + }, + "<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewAttributes", + "text": "DataViewAttributes" + }, + ">" + ], + "path": 
"src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [ + "DataViewSpec" + ] }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/use_security_dashboards_table.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewsService.get", + "type": "Function", + "tags": [], + "label": "get", + "description": [ + "\nGet an index pattern by id, cache optimized." + ], + "signature": [ + "(id: string, displayErrors?: boolean, refreshFields?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ">" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.get.$1", + "type": "string", + "tags": [], + "label": "id", + "description": [], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.get.$2", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." 
+ ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.get.$3", + "type": "boolean", + "tags": [], + "label": "refreshFields", + "description": [ + "- If set true, will fetch fields from the index pattern" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/use_security_dashboards_table.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewsService.create", + "type": "Function", + "tags": [], + "label": "create", + "description": [ + "\nCreate data view instance." + ], + "signature": [ + "(spec: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + }, + ", skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ">" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.create.$1", + "type": "Object", + "tags": [], + "label": "spec", + "description": [ + "data view spec" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + 
}, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.create.$2", + "type": "boolean", + "tags": [], + "label": "skipFetchFields", + "description": [ + "if true, will not fetch fields" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.create.$3", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [ + "DataView" + ] }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewsService.createAndSave", + "type": "Function", + "tags": [], + "label": "createAndSave", + "description": [ + "\nCreate a new data view and save it right away." 
+ ], + "signature": [ + "(spec: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + }, + ", override?: boolean, skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ">" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.createAndSave.$1", + "type": "Object", + "tags": [], + "label": "spec", + "description": [ + "data view spec" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.createAndSave.$2", + "type": "boolean", + "tags": [], + "label": "override", + "description": [ + "Overwrite if existing index pattern exists." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.createAndSave.$3", + "type": "boolean", + "tags": [], + "label": "skipFetchFields", + "description": [ + "Whether to skip field refresh step." 
+ ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.createAndSave.$4", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx" + "parentPluginId": "data", + "id": "def-common.DataViewsService.createSavedObject", + "type": "Function", + "tags": [], + "label": "createSavedObject", + "description": [ + "\nSave a new data view." 
+ ], + "signature": [ + "(dataView: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ", override?: boolean, displayErrors?: boolean) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ">" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.createSavedObject.$1", + "type": "Object", + "tags": [], + "label": "dataView", + "description": [ + "data view instance" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.createSavedObject.$2", + "type": "boolean", + "tags": [], + "label": "override", + "description": [ + "Overwrite if existing index pattern exists" + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.createSavedObject.$3", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." 
+ ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "savedObjects", - "path": "src/plugins/saved_objects/public/saved_object/helpers/find_object_by_title.test.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.updateSavedObject", + "type": "Function", + "tags": [], + "label": "updateSavedObject", + "description": [ + "\nSave existing data view. Will attempt to merge differences if there are conflicts." + ], + "signature": [ + "(indexPattern: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + ", saveAttempts?: number, ignoreErrors?: boolean, displayErrors?: boolean) => Promise" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.updateSavedObject.$1", + "type": "Object", + "tags": [], + "label": "indexPattern", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + } + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.updateSavedObject.$2", + "type": "number", + "tags": [], + "label": "saveAttempts", + "description": [], + "signature": [ + "number" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.updateSavedObject.$3", + "type": "boolean", + "tags": [], + "label": 
"ignoreErrors", + "description": [], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.updateSavedObject.$4", + "type": "boolean", + "tags": [], + "label": "displayErrors", + "description": [ + "- If set false, API consumer is responsible for displaying and handling errors." + ], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "savedObjects", - "path": "src/plugins/saved_objects/public/saved_object/helpers/find_object_by_title.test.ts" + "parentPluginId": "data", + "id": "def-common.DataViewsService.delete", + "type": "Function", + "tags": [], + "label": "delete", + "description": [ + "\nDeletes an index pattern from .kibana index." 
+ ], + "signature": [ + "(indexPatternId: string) => Promise<{}>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.delete.$1", + "type": "string", + "tags": [], + "label": "indexPatternId", + "description": [ + ": Id of kibana Index Pattern to delete" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "@kbn/core-saved-objects-browser-mocks", - "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" - }, + "parentPluginId": "data", + "id": "def-common.DataViewsService.getDefaultDataView", + "type": "Function", + "tags": [], + "label": "getDefaultDataView", + "description": [ + "\nReturns the default data view as an object.\nIf no default is found, or it is missing\nanother data view is selected as default and returned.\nIf no possible data view found to become a default returns null.\n" + ], + "signature": [ + "(refreshFields?: boolean | undefined) => Promise<", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" + }, + " | null>" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewsService.getDefaultDataView.$1", + "type": "CompoundType", + "tags": [], + "label": "refreshFields", + "description": [ + "- if true, will refresh the fields of the default data view" + ], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": false + } + ], + 
"returnComment": [ + "default data view" + ] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DuplicateDataViewError", + "type": "Class", + "tags": [], + "label": "DuplicateDataViewError", + "description": [ + "\nError thrown when attempting to create duplicate index pattern based on title." + ], + "signature": [ { - "plugin": "@kbn/core-saved-objects-browser-mocks", - "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DuplicateDataViewError", + "text": "DuplicateDataViewError" }, + " extends Error" + ], + "path": "src/plugins/data_views/common/errors/duplicate_index_pattern.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-browser-mocks", - "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" - }, + "parentPluginId": "data", + "id": "def-common.DuplicateDataViewError.Unnamed", + "type": "Function", + "tags": [], + "label": "Constructor", + "description": [ + "\nconstructor" + ], + "signature": [ + "any" + ], + "path": "src/plugins/data_views/common/errors/duplicate_index_pattern.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.DuplicateDataViewError.Unnamed.$1", + "type": "string", + "tags": [], + "label": "message", + "description": [ + "- Error message" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/errors/duplicate_index_pattern.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.KbnFieldType", + "type": "Class", + "tags": [], + "label": "KbnFieldType", + "description": [], + "path": 
"packages/kbn-field-types/src/kbn_field_type.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" + "parentPluginId": "data", + "id": "def-common.KbnFieldType.name", + "type": "string", + "tags": [], + "label": "name", + "description": [], + "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" + "parentPluginId": "data", + "id": "def-common.KbnFieldType.sortable", + "type": "boolean", + "tags": [], + "label": "sortable", + "description": [], + "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" + "parentPluginId": "data", + "id": "def-common.KbnFieldType.filterable", + "type": "boolean", + "tags": [], + "label": "filterable", + "description": [], + "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" + "parentPluginId": "data", + "id": "def-common.KbnFieldType.esTypes", + "type": "Object", + "tags": [], + "label": "esTypes", + "description": [], + "signature": [ + "readonly ", + { + "pluginId": "@kbn/field-types", + "scope": "common", + "docId": "kibKbnFieldTypesPluginApi", + "section": "def-common.ES_FIELD_TYPES", + "text": "ES_FIELD_TYPES" + }, + "[]" + ], + "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-server", - "path": 
"packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, + "parentPluginId": "data", + "id": "def-common.KbnFieldType.Unnamed", + "type": "Function", + "tags": [], + "label": "Constructor", + "description": [], + "signature": [ + "any" + ], + "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.KbnFieldType.Unnamed.$1", + "type": "Object", + "tags": [], + "label": "options", + "description": [], + "signature": [ + "Partial<", + { + "pluginId": "@kbn/field-types", + "scope": "common", + "docId": "kibKbnFieldTypesPluginApi", + "section": "def-common.KbnFieldTypeOptions", + "text": "KbnFieldTypeOptions" + }, + ">" + ], + "path": "packages/kbn-field-types/src/kbn_field_type.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + } + ], + "initialIsOpen": false + } + ], + "functions": [ + { + "parentPluginId": "data", + "id": "def-common.cellHasFormulas", + "type": "Function", + "tags": [], + "label": "cellHasFormulas", + "description": [], + "signature": [ + "(val: string) => boolean" + ], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, + "parentPluginId": "data", + "id": "def-common.cellHasFormulas.$1", + "type": "string", + "tags": [], + "label": "val", + "description": [], + "signature": [ + "string" + ], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.createEscapeValue", + "type": "Function", + "tags": [], + "label": "createEscapeValue", + "description": [ + 
"\nCreate a function that will escape CSV values like \"=\", \"@\" and \"+\" with a\n\"'\". This will also place CSV values in \"\" if contain non-alphanumeric chars.\n\nFor example:\n\nGiven: =1+1\nReturns: \"'=1+1\"\n\nSee OWASP: https://www.owasp.org/index.php/CSV_Injection." + ], + "signature": [ + "(quoteValues: boolean, escapeFormulas: boolean) => (val: RawValue) => string" + ], + "path": "src/plugins/data/common/exports/escape_value.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "parentPluginId": "data", + "id": "def-common.createEscapeValue.$1", + "type": "boolean", + "tags": [], + "label": "quoteValues", + "description": [], + "signature": [ + "boolean" + ], + "path": "src/plugins/data/common/exports/escape_value.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, + "parentPluginId": "data", + "id": "def-common.createEscapeValue.$2", + "type": "boolean", + "tags": [], + "label": "escapeFormulas", + "description": [], + "signature": [ + "boolean" + ], + "path": "src/plugins/data/common/exports/escape_value.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.datatableToCSV", + "type": "Function", + "tags": [], + "label": "datatableToCSV", + "description": [], + "signature": [ + "({ columns, rows }: ", { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" }, + ", { csvSeparator, quoteValues, 
formatFactory, raw, escapeFormulaValues }: CSVOptions) => string" + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "parentPluginId": "data", + "id": "def-common.datatableToCSV.$1", + "type": "Object", + "tags": [], + "label": "{ columns, rows }", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + } + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false, + "isRequired": true }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" - }, + "parentPluginId": "data", + "id": "def-common.datatableToCSV.$2", + "type": "Object", + "tags": [], + "label": "{ csvSeparator, quoteValues, formatFactory, raw, escapeFormulaValues }", + "description": [], + "signature": [ + "CSVOptions" + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.fieldList", + "type": "Function", + "tags": [], + "label": "fieldList", + "description": [], + "signature": [ + "(specs?: ", { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" }, + "[], shortDotsEnable?: boolean) => ", { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - 
}, + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.IIndexPatternFieldList", + "text": "IIndexPatternFieldList" + } + ], + "path": "src/plugins/data_views/common/fields/field_list.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "parentPluginId": "data", + "id": "def-common.fieldList.$1", + "type": "Array", + "tags": [], + "label": "specs", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" + }, + "[]" + ], + "path": "src/plugins/data_views/common/fields/field_list.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, + "parentPluginId": "data", + "id": "def-common.fieldList.$2", + "type": "boolean", + "tags": [], + "label": "shortDotsEnable", + "description": [], + "signature": [ + "boolean" + ], + "path": "src/plugins/data_views/common/fields/field_list.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.getEsQueryConfig", + "type": "Function", + "tags": [], + "label": "getEsQueryConfig", + "description": [], + "signature": [ + "(config: KibanaConfig) => ", { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.EsQueryConfig", + "text": "EsQueryConfig" + } + ], + "path": 
"src/plugins/data/common/es_query/get_es_query_config.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, + "parentPluginId": "data", + "id": "def-common.getEsQueryConfig.$1", + "type": "Object", + "tags": [], + "label": "config", + "description": [], + "signature": [ + "KibanaConfig" + ], + "path": "src/plugins/data/common/es_query/get_es_query_config.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.getFieldSubtypeMulti", + "type": "Function", + "tags": [], + "label": "getFieldSubtypeMulti", + "description": [], + "signature": [ + "(field: HasSubtype) => ", { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubTypeMulti", + "text": "IFieldSubTypeMulti" }, + " | undefined" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" - }, + "parentPluginId": "data", + "id": "def-common.getFieldSubtypeMulti.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + 
"deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.getFieldSubtypeNested", + "type": "Function", + "tags": [], + "label": "getFieldSubtypeNested", + "description": [], + "signature": [ + "(field: HasSubtype) => ", { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubTypeNested", + "text": "IFieldSubTypeNested" }, + " | undefined" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" - }, + "parentPluginId": "data", + "id": "def-common.getFieldSubtypeNested.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.getIndexPatternLoadMeta", + "type": "Function", + "tags": [], + "label": "getIndexPatternLoadMeta", + "description": [], + "signature": [ + "() => Omit<", { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": 
"def-common.IndexPatternLoadExpressionFunctionDefinition", + "text": "IndexPatternLoadExpressionFunctionDefinition" }, + ", \"fn\">" + ], + "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.isFilterable", + "type": "Function", + "tags": [], + "label": "isFilterable", + "description": [], + "signature": [ + "(field: ", { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" }, + ") => boolean" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, + "parentPluginId": "data", + "id": "def-common.isFilterable.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewField", + "text": "DataViewField" + } + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.isMultiField", + "type": "Function", + "tags": [], + "label": "isMultiField", + "description": [], + "signature": [ + "(field: HasSubtype) => boolean" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + 
"trackAdoption": false, + "returnComment": [], + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, + "parentPluginId": "data", + "id": "def-common.isMultiField.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.isNestedField", + "type": "Function", + "tags": [], + "label": "isNestedField", + "description": [], + "signature": [ + "(field: HasSubtype) => boolean" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, + "parentPluginId": "data", + "id": "def-common.isNestedField.$1", + "type": "Object", + "tags": [], + "label": "field", + "description": [], + "signature": [ + "{ subType?: ", + { + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.IFieldSubType", + "text": "IFieldSubType" + }, + " | undefined; }" + ], + "path": "src/plugins/data_views/common/fields/utils.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.tableHasFormulas", + "type": "Function", + "tags": [], + "label": "tableHasFormulas", + "description": [], + 
"signature": [ + "(columns: ", { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" }, + "[], rows: ", { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableRow", + "text": "DatatableRow" }, + "[]) => boolean" + ], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.tableHasFormulas.$1", + "type": "Array", + "tags": [], + "label": "columns", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableColumn", + "text": "DatatableColumn" + }, + "[]" + ], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, + "parentPluginId": "data", + "id": "def-common.tableHasFormulas.$2", + "type": "Array", + "tags": [], + "label": "rows", + "description": [], + "signature": [ + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.DatatableRow", + "text": "DatatableRow" + }, + "[]" 
+ ], + "path": "src/plugins/data/common/exports/formula_checks.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + } + ], + "interfaces": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewAttributes", + "type": "Interface", + "tags": [], + "label": "DataViewAttributes", + "description": [ + "\nInterface for the data view saved object" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.fields", + "type": "string", + "tags": [], + "label": "fields", + "description": [ + "\nFields as a serialized array of field specs" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.title", + "type": "string", + "tags": [], + "label": "title", + "description": [ + "\nData view title" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.type", + "type": "string", + "tags": [], + "label": "type", + "description": [ + "\nData view type, default or rollup" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": 
"@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.typeMeta", + "type": "string", + "tags": [], + "label": "typeMeta", + "description": [ + "\nType metadata information, serialized. Only used by rollup data views." + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.timeFieldName", + "type": "string", + "tags": [], + "label": "timeFieldName", + "description": [ + "\nTime field name" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.sourceFilters", + "type": "string", + "tags": [], + "label": "sourceFilters", + "description": [ + "\nSerialized array of filters. Used by discover to hide fields." 
+ ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.fieldFormatMap", + "type": "string", + "tags": [], + "label": "fieldFormatMap", + "description": [ + "\nSerialized map of field formats by field name" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.fieldAttrs", + "type": "string", + "tags": [], + "label": "fieldAttrs", + "description": [ + "\nSerialized map of field attributes, currently field count and name" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.runtimeFieldMap", + "type": "string", + "tags": [], + "label": "runtimeFieldMap", + "description": [ + "\nSerialized map of runtime field definitions, by field name" + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": 
"def-common.DataViewAttributes.allowNoIndex", + "type": "CompoundType", + "tags": [], + "label": "allowNoIndex", + "description": [ + "\nPrevents errors when index pattern exists before indices" + ], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, + "parentPluginId": "data", + "id": "def-common.DataViewAttributes.name", + "type": "string", + "tags": [], + "label": "name", + "description": [ + "\nName of the data view. Human readable name used to differentiate data view." + ], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewListItem", + "type": "Interface", + "tags": [], + "label": "DataViewListItem", + "description": [ + "\nResult from data view search - summary data." 
+ ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewListItem.id", + "type": "string", + "tags": [], + "label": "id", + "description": [ + "\nSaved object id (or generated id if in-memory only)" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewListItem.namespaces", + "type": "Array", + "tags": [], + "label": "namespaces", + "description": [ + "\nNamespace ids" + ], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewListItem.title", + "type": "string", + "tags": [], + "label": "title", + "description": [ + "\nData view title" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "parentPluginId": "data", + "id": "def-common.DataViewListItem.type", + "type": "string", + "tags": [], + "label": "type", + "description": [ + "\nData view type" + ], + "signature": [ + "string | undefined" + ], + "path": 
"src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.DataViewListItem.typeMeta", + "type": "Object", + "tags": [], + "label": "typeMeta", + "description": [ + "\nData view type meta" + ], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TypeMeta", + "text": "TypeMeta" + }, + " | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" - }, + "parentPluginId": "data", + "id": "def-common.DataViewListItem.name", + "type": "string", + "tags": [], + "label": "name", + "description": [], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions", + "type": "Interface", + "tags": [], + "label": "GetFieldsOptions", + "description": [], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.pattern", + "type": "string", + "tags": [], + "label": "pattern", + "description": [], + "path": 
"src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.type", + "type": "string", + "tags": [], + "label": "type", + "description": [], + "signature": [ + "string | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.lookBack", + "type": "CompoundType", + "tags": [], + "label": "lookBack", + "description": [], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.metaFields", + "type": "Array", + "tags": [], + "label": "metaFields", + "description": [], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.rollupIndex", + "type": "string", + "tags": [], + "label": "rollupIndex", + "description": [], + "signature": [ + "string | 
undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.allowNoIndex", + "type": "CompoundType", + "tags": [], + "label": "allowNoIndex", + "description": [], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.indexFilter", + "type": "Object", + "tags": [], + "label": "indexFilter", + "description": [], + "signature": [ + "QueryDslQueryContainer", + " | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.includeUnmapped", + "type": "CompoundType", + "tags": [], + "label": "includeUnmapped", + "description": [], + "signature": [ + "boolean | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, + "parentPluginId": "data", + "id": "def-common.GetFieldsOptions.fields", + "type": "Array", + 
"tags": [], + "label": "fields", + "description": [], + "signature": [ + "string[] | undefined" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.IDataViewsApiClient", + "type": "Interface", + "tags": [], + "label": "IDataViewsApiClient", + "description": [], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" + "parentPluginId": "data", + "id": "def-common.IDataViewsApiClient.getFieldsForWildcard", + "type": "Function", + "tags": [], + "label": "getFieldsForWildcard", + "description": [], + "signature": [ + "(options: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + }, + ") => Promise<", + "FieldsForWildcardResponse", + ">" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.IDataViewsApiClient.getFieldsForWildcard.$1", + "type": "Object", + "tags": [], + "label": "options", + "description": [], + "signature": [ + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" + } + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" - }, + "parentPluginId": "data", + 
"id": "def-common.IDataViewsApiClient.hasUserDataView", + "type": "Function", + "tags": [], + "label": "hasUserDataView", + "description": [], + "signature": [ + "() => Promise" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.IndexPatternExpressionType", + "type": "Interface", + "tags": [], + "label": "IndexPatternExpressionType", + "description": [ + "\nIndex pattern expression interface" + ], + "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "parentPluginId": "data", + "id": "def-common.IndexPatternExpressionType.type", + "type": "string", + "tags": [], + "label": "type", + "description": [ + "\nExpression type" + ], + "signature": [ + "\"index_pattern\"" + ], + "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, + "parentPluginId": "data", + "id": "def-common.IndexPatternExpressionType.value", + "type": "Object", + "tags": [], + "label": "value", + "description": [ + "\nValue - DataViewSpec" + ], + "signature": [ + "{ id?: string | undefined; version?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; sourceFilters?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.SourceFilter", + "text": "SourceFilter" + }, + "[] 
| undefined; fields?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewFieldMap", + "text": "DataViewFieldMap" + }, + " | undefined; typeMeta?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TypeMeta", + "text": "TypeMeta" + }, + " | undefined; type?: string | undefined; fieldFormats?: Record> | undefined; runtimeFieldMap?: Record | undefined; fieldAttrs?: ", + { + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrs", + "text": "FieldAttrs" + }, + " | undefined; allowNoIndex?: boolean | undefined; namespaces?: string[] | undefined; name?: string | undefined; }" + ], + "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.KbnFieldTypeOptions", + "type": "Interface", + "tags": [], + "label": "KbnFieldTypeOptions", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "parentPluginId": "data", + "id": "def-common.KbnFieldTypeOptions.sortable", + "type": "boolean", + "tags": [], + "label": "sortable", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "parentPluginId": "data", + "id": "def-common.KbnFieldTypeOptions.filterable", + "type": "boolean", + 
"tags": [], + "label": "filterable", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "parentPluginId": "data", + "id": "def-common.KbnFieldTypeOptions.name", + "type": "string", + "tags": [], + "label": "name", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, + "parentPluginId": "data", + "id": "def-common.KbnFieldTypeOptions.esTypes", + "type": "Array", + "tags": [], + "label": "esTypes", + "description": [], + "signature": [ + { + "pluginId": "@kbn/field-types", + "scope": "common", + "docId": "kibKbnFieldTypesPluginApi", + "section": "def-common.ES_FIELD_TYPES", + "text": "ES_FIELD_TYPES" + }, + "[]" + ], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon", + "type": "Interface", + "tags": [], + "label": "UiSettingsCommon", + "description": [ + "\nInterface for UiSettings common interface {@link UiSettingsClient}" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.get", + "type": "Function", + "tags": [], + "label": "get", + 
"description": [ + "\nGet a setting value" + ], + "signature": [ + "(key: string) => Promise" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.get.$1", + "type": "string", + "tags": [], + "label": "key", + "description": [ + "name of value" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.getAll", + "type": "Function", + "tags": [], + "label": "getAll", + "description": [ + "\nGet all settings values" + ], + "signature": [ + "() => Promise>" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [], + "returnComment": [] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.set", + "type": "Function", + "tags": [], + "label": "set", + "description": [ + "\nSet a setting value" + ], + "signature": [ + "(key: string, value: T) => Promise" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.set.$1", + "type": "string", + "tags": [], + "label": "key", + "description": [ + "name of value" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, 
+ "isRequired": true + }, + { + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.set.$2", + "type": "Uncategorized", + "tags": [], + "label": "value", + "description": [ + "value to set" + ], + "signature": [ + "T" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" - }, + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.remove", + "type": "Function", + "tags": [], + "label": "remove", + "description": [ + "\nRemove a setting value" + ], + "signature": [ + "(key: string) => Promise" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "data", + "id": "def-common.UiSettingsCommon.remove.$1", + "type": "string", + "tags": [], + "label": "key", + "description": [ + "name of value" + ], + "signature": [ + "string" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [] + } + ], + "initialIsOpen": false + } + ], + "enums": [ + { + "parentPluginId": "data", + "id": "def-common.DataViewType", + "type": "Enum", + "tags": [], + "label": "DataViewType", + "description": [ + "\nData View type. 
Default or rollup" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.ES_FIELD_TYPES", + "type": "Enum", + "tags": [], + "label": "ES_FIELD_TYPES", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.KBN_FIELD_TYPES", + "type": "Enum", + "tags": [], + "label": "KBN_FIELD_TYPES", + "description": [], + "path": "packages/kbn-field-types/src/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + } + ], + "misc": [ + { + "parentPluginId": "data", + "id": "def-common.AggregationRestrictions", + "type": "Type", + "tags": [], + "label": "AggregationRestrictions", + "description": [], + "signature": [ + "{ [x: string]: { agg?: string | undefined; interval?: number | undefined; fixed_interval?: string | undefined; calendar_interval?: string | undefined; delay?: string | undefined; time_zone?: string | undefined; }; }" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.CSV_FORMULA_CHARS", + "type": "Array", + "tags": [], + "label": "CSV_FORMULA_CHARS", + "description": [], + "signature": [ + "string[]" + ], + "path": "src/plugins/data/common/exports/constants.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.CSV_MIME_TYPE", + "type": "string", + "tags": [], + "label": "CSV_MIME_TYPE", + "description": [], + "signature": [ + "\"text/plain;charset=utf-8\"" + ], + "path": "src/plugins/data/common/exports/export_csv.tsx", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": 
"def-common.DATA_VIEW_SAVED_OBJECT_TYPE", + "type": "string", + "tags": [], + "label": "DATA_VIEW_SAVED_OBJECT_TYPE", + "description": [ + "\nData view saved object type." + ], + "signature": [ + "\"index-pattern\"" + ], + "path": "src/plugins/data_views/common/constants.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewFieldMap", + "type": "Type", + "tags": [], + "label": "DataViewFieldMap", + "description": [], + "signature": [ + "{ [x: string]: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" }, + "; }" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewsContract", + "type": "Type", + "tags": [], + "label": "DataViewsContract", + "description": [ + "\nData views service interface" + ], + "signature": [ + "{ get: (id: string, displayErrors?: boolean, refreshFields?: boolean) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + ">; delete: (indexPatternId: string) => Promise<{}>; create: (spec: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "pluginId": "dataViews", + "scope": "common", + 
"docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, + ", skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + ">; find: (search: string, size?: number) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + "[]>; getCanSave: () => Promise; getIds: (refresh?: boolean) => Promise; getTitles: (refresh?: boolean) => Promise; getIdsWithTitle: (refresh?: boolean) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewListItem", + "text": "DataViewListItem" }, + "[]>; clearCache: () => void; clearInstanceCache: (id?: string | undefined) => void; getCache: () => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" }, + "<", { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSavedObjectAttrs", + "text": "DataViewSavedObjectAttrs" }, + ">[] | null | undefined>; getDefault: (displayErrors?: boolean) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + " | null>; getDefaultId: () => Promise; setDefault: (id: string | null, force?: boolean) => Promise; hasUserDataView: () => Promise; getFieldsForWildcard: (options: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" }, + ") => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" }, + "[]>; getFieldsForIndexPattern: (indexPattern: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + 
"section": "def-common.DataView", + "text": "DataView" }, + " | ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, + ", options?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.GetFieldsOptions", + "text": "GetFieldsOptions" }, + " | undefined) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" }, + "[]>; refreshFields: (dataView: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + ", displayErrors?: boolean) => Promise; fieldArrayToMap: (fields: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldSpec", + "text": "FieldSpec" }, + "[], fieldAttrs?: ", { - 
"plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrs", + "text": "FieldAttrs" }, + " | undefined) => ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewFieldMap", + "text": "DataViewFieldMap" }, + "; savedObjectToSpec: (savedObject: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" }, + "<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewAttributes", + "text": "DataViewAttributes" }, + ">) => ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, + "; createAndSave: (spec: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, + ", override?: boolean, skipFetchFields?: boolean, displayErrors?: boolean) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + ">; createSavedObject: (dataView: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + ", override?: boolean, displayErrors?: boolean) => Promise<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + ">; updateSavedObject: (indexPattern: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + ", saveAttempts?: number, ignoreErrors?: boolean, displayErrors?: boolean) => Promise; getDefaultDataView: (refreshFields?: boolean | undefined) => Promise<", { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataView", + "text": "DataView" }, + " | null>; }" + ], + "path": "src/plugins/data_views/common/data_views/data_views.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DataViewSpec", + "type": "Type", + "tags": [], + "label": "DataViewSpec", + "description": [ + "\nStatic data view format\nSerialized data object, representing data view attributes and state" + ], + "signature": [ + "{ id?: string | undefined; version?: string | undefined; title?: string | undefined; timeFieldName?: string | undefined; sourceFilters?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.SourceFilter", + "text": "SourceFilter" }, + "[] | undefined; fields?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.DataViewFieldMap", + "text": "DataViewFieldMap" }, + " | undefined; typeMeta?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.TypeMeta", + "text": "TypeMeta" }, + " | undefined; type?: string | undefined; 
fieldFormats?: Record> | undefined; runtimeFieldMap?: Record | undefined; fieldAttrs?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrs", + "text": "FieldAttrs" }, + " | undefined; allowNoIndex?: boolean | undefined; namespaces?: string[] | undefined; name?: string | undefined; }" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.DEFAULT_QUERY_LANGUAGE", + "type": "string", + "tags": [], + "label": "DEFAULT_QUERY_LANGUAGE", + "description": [], + "signature": [ + "\"kuery\"" + ], + "path": "src/plugins/data/common/constants.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.FieldAttrs", + "type": "Type", + "tags": [], + "label": "FieldAttrs", + "description": [ + "\nSet of field attributes" + ], + "signature": [ + "{ [key: string]: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": "def-common.FieldAttrSet", + "text": "FieldAttrSet" }, + "; }" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.FieldAttrSet", + "type": "Type", + "tags": [], + "label": "FieldAttrSet", + "description": [ + "\nField attributes that are stored on the data view" + ], + "signature": [ + "{ customLabel?: string | undefined; count?: number | undefined; }" + ], + 
"path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.FieldSpec", + "type": "Type", + "tags": [], + "label": "FieldSpec", + "description": [ + "\nSerialized version of DataViewField" + ], + "signature": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "@kbn/es-query", + "scope": "common", + "docId": "kibKbnEsQueryPluginApi", + "section": "def-common.DataViewFieldBase", + "text": "DataViewFieldBase" }, + " & { count?: number | undefined; conflictDescriptions?: Record | undefined; format?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "fieldFormats", + "scope": "common", + "docId": "kibFieldFormatsPluginApi", + "section": "def-common.SerializedFieldFormat", + "text": "SerializedFieldFormat" }, + "<{}, ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" }, + "> | undefined; esTypes?: string[] | undefined; searchable: boolean; aggregatable: boolean; readFromDocValues?: boolean | undefined; indexed?: boolean | undefined; customLabel?: string | undefined; runtimeField?: ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "pluginId": "dataViews", + "scope": "common", + "docId": "kibDataViewsPluginApi", + "section": 
"def-common.RuntimeFieldSpec", + "text": "RuntimeFieldSpec" }, + " | undefined; fixedInterval?: string[] | undefined; timeZone?: string[] | undefined; timeSeriesDimension?: boolean | undefined; timeSeriesMetric?: \"gauge\" | \"histogram\" | \"summary\" | \"counter\" | undefined; shortDotsEnable?: boolean | undefined; isMapped?: boolean | undefined; parentName?: string | undefined; }" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.FieldSpecConflictDescriptions", + "type": "Type", + "tags": [], + "label": "FieldSpecConflictDescriptions", + "description": [], + "signature": [ + "{ [x: string]: string[]; }" + ], + "path": "src/plugins/data_views/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.GetConfigFn", + "type": "Type", + "tags": [], + "label": "GetConfigFn", + "description": [ + "\nIf a service is being shared on both the client and the server, and\nthe client code requires synchronous access to uiSettings, both client\nand server should wrap the core uiSettings services in a function\nmatching this signature.\n\nThis matches the signature of the public `core.uiSettings.get`, and\nshould only be used in scenarios where async access to uiSettings is\nnot possible." 
+ ], + "signature": [ + "(key: string, defaultOverride?: T | undefined) => T" + ], + "path": "src/plugins/data/common/types.ts", + "deprecated": false, + "trackAdoption": false, + "returnComment": [], + "children": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "parentPluginId": "data", + "id": "def-common.GetConfigFn.$1", + "type": "string", + "tags": [], + "label": "key", + "description": [], + "path": "src/plugins/data/common/types.ts", + "deprecated": false, + "trackAdoption": false }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, + "parentPluginId": "data", + "id": "def-common.GetConfigFn.$2", + "type": "Uncategorized", + "tags": [], + "label": "defaultOverride", + "description": [], + "signature": [ + "T | undefined" + ], + "path": "src/plugins/data/common/types.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.IndexPatternLoadExpressionFunctionDefinition", + "type": "Type", + "tags": [], + "label": "IndexPatternLoadExpressionFunctionDefinition", + "description": [], + "signature": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.ExpressionFunctionDefinition", + "text": "ExpressionFunctionDefinition" }, + "<\"indexPatternLoad\", null, Arguments, Output, ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.ExecutionContext", + "text": "ExecutionContext" }, + "<", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "pluginId": "inspector", + "scope": "common", + "docId": "kibInspectorPluginApi", + "section": "def-common.Adapters", + "text": "Adapters" }, + ", ", { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "pluginId": "@kbn/utility-types", + "scope": "common", + "docId": "kibKbnUtilityTypesPluginApi", + "section": "def-common.SerializableRecord", + "text": "SerializableRecord" }, + ">>" + ], + "path": "src/plugins/data_views/common/expressions/load_index_pattern.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.KIBANA_USER_QUERY_LANGUAGE_KEY", + "type": "string", + "tags": [], + "label": "KIBANA_USER_QUERY_LANGUAGE_KEY", + "description": [], + "signature": [ + "\"kibana.userQueryLanguage\"" + ], + "path": "src/plugins/data/common/constants.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.META_FIELDS", + "type": "string", + "tags": [], + "label": "META_FIELDS", + "description": [ + "\nUiSettings key for metaFields list." 
+ ], + "signature": [ + "\"metaFields\"" + ], + "path": "src/plugins/data_views/common/constants.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.Query", + "type": "Type", + "tags": [], + "label": "Query", + "description": [], + "signature": [ + "{ query: string | { [key: string]: any; }; language: string; }" + ], + "path": "packages/kbn-es-query/src/filters/build_filters/types.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, + { + "parentPluginId": "data", + "id": "def-common.SavedObject", + "type": "Type", + "tags": [ + "deprecated" + ], + "label": "SavedObject", + "description": [], + "signature": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "pluginId": "@kbn/core-saved-objects-common", + "scope": "common", + "docId": "kibKbnCoreSavedObjectsCommonPluginApi", + "section": "def-common.SavedObject", + "text": "SavedObject" }, + "" + ], + "path": "packages/core/saved-objects/core-saved-objects-common/src/saved_objects.ts", + "deprecated": true, + "trackAdoption": false, + "references": [ { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "plugin": "@kbn/core-saved-objects-common", + "path": "packages/core/saved-objects/core-saved-objects-common/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", 
+ "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-browser", + "path": "packages/core/saved-objects/core-saved-objects-api-browser/src/simple_saved_object.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/base.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/base.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/resolve.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/resolve.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/update.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/update.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/find.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/apis/find.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - 
"path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_repository.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_client.ts" }, { - "plugin": "core", - "path": "src/core/types/index.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_client.ts" }, { - "plugin": "apm", - "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" + "plugin": "@kbn/core-saved-objects-api-server", + "path": "packages/core/saved-objects/core-saved-objects-api-server/src/saved_objects_client.ts" }, { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/common/types.ts" + "plugin": 
"@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/common/types.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" + }, + { + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" + "plugin": 
"@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts" }, { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" }, { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" }, { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" }, { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" }, { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": 
"packages/core/saved-objects/core-saved-objects-browser-internal/src/saved_objects_client.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" + "plugin": "core", + "path": "src/core/public/index.ts" }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + "plugin": "home", + "path": "src/plugins/home/server/services/sample_data/sample_data_registry.ts" }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" + "plugin": "home", + "path": "src/plugins/home/server/services/sample_data/sample_data_registry.ts" }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + "plugin": "home", + "path": "src/plugins/home/server/services/sample_data/sample_data_registry.ts" }, { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/types.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/types.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/types.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/types.ts" }, { - "plugin": "synthetics", - "path": 
"x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/types.ts" }, { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/types.ts" }, { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/index.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_view.stub.ts" + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_view.stub.ts" + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "savedObjectsManagement", - "path": 
"src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.ts" }, { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/server/utils.ts" }, { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/server/utils.ts" }, { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/server/utils.ts" }, { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" + "plugin": "discover", + "path": "src/plugins/discover/public/application/main/components/layout/__stories__/get_layout_props.ts" }, { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" + "plugin": "discover", + "path": "src/plugins/discover/public/application/main/components/layout/__stories__/get_layout_props.ts" }, { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/public/saved_objects_client_wrapper.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/public/saved_objects_client_wrapper.ts" }, { - "plugin": "cases", - "path": 
"x-pack/plugins/cases/server/authorization/utils.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/public/saved_objects_client_wrapper.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/public/saved_objects_client_wrapper.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.test.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_views/data_views.test.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/ui_api/get_table_column_definition.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/ui_api/get_table_column_definition.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/ui_api/get_table_column_definition.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" + "plugin": "savedObjectsFinder", + "path": "src/plugins/saved_objects_finder/public/finder/saved_object_finder.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" + "plugin": "savedObjectsFinder", + "path": "src/plugins/saved_objects_finder/public/finder/saved_object_finder.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" + "plugin": "savedObjectsFinder", + "path": 
"src/plugins/saved_objects_finder/public/finder/saved_object_finder.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" + "plugin": "fleet", + "path": "x-pack/plugins/fleet/common/types/models/epm.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" + "plugin": "fleet", + "path": "x-pack/plugins/fleet/common/types/models/epm.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" + "plugin": "fleet", + "path": "x-pack/plugins/fleet/common/types/models/epm.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" + "plugin": "canvas", + "path": "x-pack/plugins/canvas/shareable_runtime/types.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" + "plugin": "canvas", + "path": "x-pack/plugins/canvas/shareable_runtime/types.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/services/kibana/workpad.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/services/kibana/workpad.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/home/hooks/use_upload_workpad.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" + "plugin": "canvas", + "path": "x-pack/plugins/canvas/public/components/home/hooks/use_upload_workpad.ts" }, { - "plugin": "synthetics", - "path": 
"x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/packs/types.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/packs/types.ts" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx" }, { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx" }, { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" }, { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" }, { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" }, { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" + "plugin": "osquery", + "path": "x-pack/plugins/osquery/public/assets/use_assets_status.ts" }, { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts" }, { - "plugin": "alerting", - "path": 
"x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/utils.ts" }, { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/use_security_dashboards_table.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/public/common/containers/dashboards/use_security_dashboards_table.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "savedObjects", + "path": "src/plugins/saved_objects/public/saved_object/helpers/find_object_by_title.test.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "savedObjects", + "path": "src/plugins/saved_objects/public/saved_object/helpers/find_object_by_title.test.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "@kbn/core-saved-objects-browser-mocks", + "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" }, { - "plugin": "cases", - "path": 
"x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "@kbn/core-saved-objects-browser-mocks", + "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "@kbn/core-saved-objects-browser-mocks", + "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" }, { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" }, { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "fleet", - "path": 
"x-pack/plugins/fleet/server/services/agents/action.mock.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "core", + "path": "src/core/types/index.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "apm", + "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" }, { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" + "plugin": 
"savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" + "plugin": 
"savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": 
"lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" + "plugin": 
"upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_view.stub.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_view.stub.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + "plugin": "cases", + "path": 
"x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" + "plugin": "cases", + "path": 
"x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" + "plugin": 
"@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" } ], "initialIsOpen": false diff --git a/api_docs/data.mdx b/api_docs/data.mdx index a43a56d4e200e..659999cab2e6f 100644 --- a/api_docs/data.mdx +++ b/api_docs/data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data title: "data" image: https://source.unsplash.com/400x175/?github description: API docs for the data plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data'] --- import dataObj from './data.devdocs.json'; diff --git a/api_docs/data_query.mdx b/api_docs/data_query.mdx index 80957dc35eba3..ce765c4638bcf 100644 --- a/api_docs/data_query.mdx +++ b/api_docs/data_query.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data-query title: "data.query" image: https://source.unsplash.com/400x175/?github description: API docs for the data.query plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data.query'] --- import dataQueryObj from './data_query.devdocs.json'; diff --git a/api_docs/data_search.mdx b/api_docs/data_search.mdx index 160106ebd12b2..8a9e8aeaf97c2 100644 --- a/api_docs/data_search.mdx +++ b/api_docs/data_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data-search title: "data.search" image: https://source.unsplash.com/400x175/?github description: API docs for the data.search plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data.search'] --- import dataSearchObj from './data_search.devdocs.json'; 
diff --git a/api_docs/data_view_editor.mdx b/api_docs/data_view_editor.mdx index 0a1662e016651..296f7eec711c9 100644 --- a/api_docs/data_view_editor.mdx +++ b/api_docs/data_view_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewEditor title: "dataViewEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewEditor plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewEditor'] --- import dataViewEditorObj from './data_view_editor.devdocs.json'; diff --git a/api_docs/data_view_field_editor.mdx b/api_docs/data_view_field_editor.mdx index bb705e7ce002c..68c76dcbf5432 100644 --- a/api_docs/data_view_field_editor.mdx +++ b/api_docs/data_view_field_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewFieldEditor title: "dataViewFieldEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewFieldEditor plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewFieldEditor'] --- import dataViewFieldEditorObj from './data_view_field_editor.devdocs.json'; diff --git a/api_docs/data_view_management.mdx b/api_docs/data_view_management.mdx index 121b2e6cb87a5..f3e9481d405a1 100644 --- a/api_docs/data_view_management.mdx +++ b/api_docs/data_view_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewManagement title: "dataViewManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewManagement plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewManagement'] --- import dataViewManagementObj from './data_view_management.devdocs.json'; diff --git a/api_docs/data_views.devdocs.json b/api_docs/data_views.devdocs.json index eacda78b9debc..c90ac8ee9c636 100644 --- a/api_docs/data_views.devdocs.json +++ b/api_docs/data_views.devdocs.json 
@@ -26125,1296 +26125,384 @@ "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" + "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" 
+ "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" + "plugin": "@kbn/core-saved-objects-import-export-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" + "plugin": "core", + "path": "src/core/types/index.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" + "plugin": "apm", + "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": 
"x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - 
"plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + 
"plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "cases", + "path": 
"x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": 
"packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - 
{ - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, - { - "plugin": "core", - "path": "src/core/types/index.ts" - }, - { - "plugin": "apm", - "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/common/types.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": 
"src/plugins/saved_objects_management/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" - 
}, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "data", - "path": 
"src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": 
"x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" - }, - { - "plugin": "synthetics", - "path": 
"x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": 
"x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - 
"path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" - }, - { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" - }, - { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { "plugin": "@kbn/core-ui-settings-server-internal", "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" } ], "initialIsOpen": false diff --git a/api_docs/data_views.mdx b/api_docs/data_views.mdx index bd5619fd081db..c39ca202491c0 100644 --- a/api_docs/data_views.mdx +++ b/api_docs/data_views.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViews title: "dataViews" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViews plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViews'] --- import dataViewsObj from './data_views.devdocs.json'; diff --git a/api_docs/data_visualizer.mdx b/api_docs/data_visualizer.mdx index 8dec6a11d7920..021b887a6d3f4 100644 
--- a/api_docs/data_visualizer.mdx +++ b/api_docs/data_visualizer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataVisualizer title: "dataVisualizer" image: https://source.unsplash.com/400x175/?github description: API docs for the dataVisualizer plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataVisualizer'] --- import dataVisualizerObj from './data_visualizer.devdocs.json'; diff --git a/api_docs/deprecations_by_api.mdx b/api_docs/deprecations_by_api.mdx index a05179486e88c..4966bf966649c 100644 --- a/api_docs/deprecations_by_api.mdx +++ b/api_docs/deprecations_by_api.mdx @@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsByApi slug: /kibana-dev-docs/api-meta/deprecated-api-list-by-api title: Deprecated API usage by API description: A list of deprecated APIs, which plugins are still referencing them, and when they need to be removed by. -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- 
@@ -21,21 +21,16 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | visTypePie | - | | | alerting, discover, securitySolution | - | | | stackAlerts, alerting, securitySolution, inputControlVis | - | -| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-api-server, core, home, dataViews, discover, savedObjectsTagging, savedObjectsFinder, fleet, canvas, osquery, securitySolution, synthetics, savedObjects, @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-server, @kbn/core-saved-objects-api-server-internal, @kbn/core-saved-objects-import-export-server-internal, @kbn/core-saved-objects-server-internal, apm, savedObjectsTaggingOss, savedObjectsManagement, cases, lists, upgradeAssistant, security, encryptedSavedObjects, lens, alerting, observability, @kbn/core-ui-settings-server-internal, data, dashboard | - | -| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-api-server, core, home, dataViews, discover, savedObjectsTagging, savedObjectsFinder, fleet, canvas, osquery, securitySolution, synthetics, savedObjects, @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-server, @kbn/core-saved-objects-api-server-internal, @kbn/core-saved-objects-import-export-server-internal, @kbn/core-saved-objects-server-internal, apm, savedObjectsTaggingOss, savedObjectsManagement, cases, lists, upgradeAssistant, security, encryptedSavedObjects, lens, alerting, observability, @kbn/core-ui-settings-server-internal, data | - | | | alerting, discover, securitySolution | - | | | stackAlerts, alerting, securitySolution, inputControlVis | - | | | actions, alerting | - | -| | @kbn/core-saved-objects-common, advancedSettings, triggersActionsUi, visualizations, alerting | - | -| | @kbn/core-saved-objects-common, savedObjects, embeddable, visualizations, dashboard, fleet, infra, canvas, graph, ml, 
alerting, @kbn/core-saved-objects-server-internal | - | -| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-api-server, savedObjects, savedObjectsManagement, visualizations, savedObjectsTagging, lens, fleet, graph, dashboard, savedObjectsTaggingOss, @kbn/core-saved-objects-server, kibanaUtils, expressions, dataViews, data, embeddable, controls, uiActionsEnhanced, maps, canvas, cases, dashboardEnhanced, globalSearchProviders, alerting, @kbn/core-saved-objects-api-server-internal, @kbn/core-saved-objects-import-export-server-internal | - | -| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-server, actions, alerting, canvas, enterpriseSearch, securitySolution, taskManager, dashboard, savedSearch | - | +| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-server, actions, alerting, canvas, enterpriseSearch, securitySolution, taskManager, dashboard, savedSearch, @kbn/core-saved-objects-server-internal | - | | | @kbn/core-saved-objects-migration-server-internal, actions, dataViews, data, alerting, savedObjectsTagging, canvas, lens, cases, graph, lists, maps, securitySolution, dashboard, savedSearch, visualizations, @kbn/core-test-helpers-so-type-serializer | - | -| | core, advancedSettings, triggersActionsUi, visualizations, alerting | - | -| | core, savedObjects, embeddable, visualizations, dashboard, fleet, infra, canvas, graph, ml, alerting, @kbn/core-saved-objects-server-internal, @kbn/core-saved-objects-common, actions, enterpriseSearch, securitySolution, taskManager, savedSearch | - | -| | @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-api-server, core, savedObjects, savedObjectsManagement, visualizations, savedObjectsTagging, lens, fleet, graph, dashboard, savedObjectsTaggingOss, @kbn/core-saved-objects-server, kibanaUtils, expressions, dataViews, data, embeddable, controls, uiActionsEnhanced, maps, canvas, cases, dashboardEnhanced, globalSearchProviders, alerting, 
@kbn/core-saved-objects-api-server-internal, @kbn/core-saved-objects-import-export-server-internal | - | | | @kbn/core-saved-objects-migration-server-internal, actions, dataViews, data, alerting, savedObjectsTagging, canvas, lens, cases, graph, lists, maps, securitySolution, dashboard, savedSearch, visualizations, @kbn/core-test-helpers-so-type-serializer | - | +| | @kbn/core-saved-objects-common, core, actions, alerting, canvas, enterpriseSearch, securitySolution, taskManager, dashboard, savedSearch, @kbn/core-saved-objects-server-internal, savedObjects, embeddable, visualizations, fleet, infra, graph, ml | - | | | discover, monitoring | - | +| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-api-server, core, home, dataViews, discover, savedObjectsTagging, savedObjectsFinder, fleet, canvas, osquery, securitySolution, synthetics, savedObjects, @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-import-export-server-internal, apm, savedObjectsTaggingOss, savedObjectsManagement, cases, lists, upgradeAssistant, @kbn/core-ui-settings-server-internal, data, dashboard | - | +| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-api-server, core, home, dataViews, discover, savedObjectsTagging, savedObjectsFinder, fleet, canvas, osquery, securitySolution, synthetics, savedObjects, @kbn/core-saved-objects-browser-mocks, @kbn/core-saved-objects-import-export-server-internal, apm, savedObjectsTaggingOss, savedObjectsManagement, cases, lists, upgradeAssistant, @kbn/core-ui-settings-server-internal, data | - | | | @kbn/es-query, securitySolution, timelines, lists, threatIntelligence, dataViews, unifiedSearch, triggersActionsUi, savedObjectsManagement, controls, unifiedFieldList, lens, aiops, ml, infra, visTypeTimeseries, apm, observability, dataVisualizer, fleet, canvas, graph, stackAlerts, 
synthetics, transform, upgradeAssistant, ux, maps, dataViewManagement, inputControlVis, visDefaultEditor, presentationUtil, visTypeTimelion, visTypeVega, discover, data | - | | | discover | - | | | @kbn/es-query, securitySolution, timelines, lists, threatIntelligence, dataViews, unifiedSearch, triggersActionsUi, savedObjectsManagement, controls, unifiedFieldList, lens, aiops, ml, infra, visTypeTimeseries, apm, observability, dataVisualizer, fleet, canvas, graph, stackAlerts, synthetics, transform, upgradeAssistant, ux, maps, dataViewManagement, inputControlVis, visDefaultEditor, presentationUtil, visTypeTimelion, visTypeVega, discover, data | - | 
@@ -68,7 +63,10 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | @kbn/core-saved-objects-browser-mocks, dataViews, savedObjects, presentationUtil, savedSearch, visualizations, dashboard, lens, savedObjectsFinder, cases, maps, ml, infra, cloudSecurityPosture, dashboardEnhanced, graph, securitySolution, synthetics, @kbn/core-saved-objects-browser-internal | - | | | @kbn/core-saved-objects-browser-internal, core, dataViews, savedObjects, embeddable, presentationUtil, visualizations, dashboard, lens, savedObjectsFinder, aiops, ml, cases, maps, dataVisualizer, infra, fleet, cloudSecurityPosture, dashboardEnhanced, graph, synthetics, securitySolution, @kbn/core-saved-objects-browser-mocks | - | | | dashboard, dataVisualizer, stackAlerts, expressionPartitionVis | - | +| | @kbn/core-saved-objects-common, advancedSettings, triggersActionsUi, visualizations | - | +| | @kbn/core-saved-objects-common, savedObjects, embeddable, visualizations, dashboard, fleet, infra, canvas, graph, ml | - | | | @kbn/core-saved-objects-common | - | +| | @kbn/core-saved-objects-common, @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-api-server, savedObjects, savedObjectsManagement, visualizations, savedObjectsTagging, lens, fleet, graph, dashboard, savedObjectsTaggingOss, kibanaUtils, expressions, dataViews, data, embeddable, controls, uiActionsEnhanced, maps, canvas, cases, dashboardEnhanced, globalSearchProviders, infra | - | | | @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, dataViews, savedObjects, visualizations, infra | - | | | @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal | - | | | @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal, infra | - | 
@@ -81,6 +79,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | @kbn/core-saved-objects-api-browser | - | | | @kbn/core-saved-objects-api-browser | - | | | @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-browser-internal | - | +| | @kbn/core-saved-objects-api-browser, @kbn/core-saved-objects-api-server, core, savedObjects, savedObjectsManagement, visualizations, savedObjectsTagging, lens, fleet, graph, dashboard, savedObjectsTaggingOss, kibanaUtils, expressions, dataViews, data, embeddable, controls, uiActionsEnhanced, maps, canvas, cases, dashboardEnhanced, globalSearchProviders, infra | - | | | @kbn/core-saved-objects-browser, @kbn/core-lifecycle-browser, @kbn/core-saved-objects-browser-internal, savedObjects, savedSearch, visualizations, dashboard, lens, savedObjectsFinder, observability, canvas, transform, @kbn/core-saved-objects-browser-mocks | - | | | @kbn/core-saved-objects-browser-internal, @kbn/core-saved-objects-browser-mocks, dataViews, savedObjects, savedSearch, visualizations, dashboard, lens, maps, infra, graph, synthetics | - | | | @kbn/core-saved-objects-browser-mocks, home, @kbn/core-saved-objects-browser-internal | - | @@ -124,6 +123,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | @kbn/core-lifecycle-browser-mocks, core, ml, dashboard, dataViews, savedSearch, @kbn/core-plugins-browser-internal | - | | | core, lens, savedObjects, visualizations | - | | | core | - | +| | core, advancedSettings, triggersActionsUi, visualizations | - | | | home, canvas, osquery | - | | | home, data, esUiShared, spaces, savedObjectsManagement, fleet, observability, ml, apm, indexLifecycleManagement, synthetics, upgradeAssistant, ux, kibanaOverview | - | | | dataViews, maps | - | 
@@ -150,8 +150,6 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | spaces, savedObjectsManagement | - | | | spaces, savedObjectsManagement | - | | | spaces, savedObjectsManagement | - | -| | encryptedSavedObjects | - | -| | encryptedSavedObjects | - | | | visTypeTimeseries, graph, dataViewManagement | - | | | unifiedSearch | - | | | unifiedSearch | - | @@ -159,6 +157,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | dataViewManagement | - | | | dataViewManagement | - | | | enterpriseSearch | - | +| | encryptedSavedObjects | - | +| | encryptedSavedObjects | - | | | @kbn/core-elasticsearch-server-internal, @kbn/core-plugins-server-internal, console | - | | | @kbn/core-elasticsearch-server-internal, @kbn/core-plugins-server-internal, console | - | | | @kbn/core-plugins-server-internal | - | diff --git a/api_docs/deprecations_by_plugin.mdx b/api_docs/deprecations_by_plugin.mdx index 8d4fc0def4565..0141b4f5e9adf 100644 --- a/api_docs/deprecations_by_plugin.mdx +++ b/api_docs/deprecations_by_plugin.mdx @@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsByPlugin slug: /kibana-dev-docs/api-meta/deprecated-api-list-by-plugin title: Deprecated API usage by plugin description: A list of deprecated APIs, which plugins are still referencing them, and when they need to be removed by. -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- 
@@ -134,17 +134,6 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] -## @kbn/core-saved-objects-api-server-internal - -| Deprecated API | Reference location(s) | Remove By | -| ---------------|-----------|-----------| -| | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts#:~:text=SavedObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts#:~:text=SavedObject), [internal_utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts#:~:text=SavedObject), [internal_utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts#:~:text=SavedObject), [internal_bulk_resolve.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts#:~:text=SavedObject), [internal_bulk_resolve.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts#:~:text=SavedObject), [collect_multi_namespace_references.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts#:~:text=SavedObject), [collect_multi_namespace_references.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts#:~:text=SavedObject), 
[collect_multi_namespace_references.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts#:~:text=SavedObject), [update_objects_spaces.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts#:~:text=SavedObject)+ 80 more | - | -| | [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts#:~:text=SavedObject), [saved_objects_client.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts#:~:text=SavedObject), [internal_utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts#:~:text=SavedObject), [internal_utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts#:~:text=SavedObject), [internal_bulk_resolve.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts#:~:text=SavedObject), [internal_bulk_resolve.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts#:~:text=SavedObject), [collect_multi_namespace_references.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts#:~:text=SavedObject), [collect_multi_namespace_references.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts#:~:text=SavedObject), 
[collect_multi_namespace_references.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts#:~:text=SavedObject), [update_objects_spaces.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts#:~:text=SavedObject)+ 125 more | - | -| | [repository.test.common.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts#:~:text=SavedObjectReference), [repository.test.common.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference) | - | -| | 
[repository.test.common.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts#:~:text=SavedObjectReference), [repository.test.common.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference), [repository.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts#:~:text=SavedObjectReference) | - | - - - ## @kbn/core-saved-objects-browser | Deprecated API | Reference location(s) | Remove By | 
@@ -277,10 +266,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [check_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts#:~:text=SavedObject), [check_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts#:~:text=SavedObject), [check_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), 
[check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject)+ 262 more | - | -| | [check_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts#:~:text=SavedObject), [check_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts#:~:text=SavedObject), [check_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), 
[check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject), [check_origin_conflicts.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts#:~:text=SavedObject)+ 398 more | - | -| | [resolve_import_errors.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts#:~:text=SavedObjectReference), [resolve_import_errors.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts#:~:text=SavedObjectReference), [check_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts#:~:text=SavedObjectReference), [check_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts#:~:text=SavedObjectReference), [check_origin_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts#:~:text=SavedObjectReference), 
[check_origin_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts#:~:text=SavedObjectReference) | - | -| | [resolve_import_errors.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts#:~:text=SavedObjectReference), [resolve_import_errors.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts#:~:text=SavedObjectReference), [check_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts#:~:text=SavedObjectReference), [check_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts#:~:text=SavedObjectReference), [check_origin_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts#:~:text=SavedObjectReference), [check_origin_conflicts.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts#:~:text=SavedObjectReference) | - | +| | [errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), [errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), 
[regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject)+ 18 more | - | +| | [errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), 
[errors.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts#:~:text=SavedObject), [regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [regenerate_ids.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject), [apply_export_transforms.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts#:~:text=SavedObject)+ 32 more | - | 
@@ -297,11 +284,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [encryption.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts#:~:text=SavedObject), [encryption.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts#:~:text=SavedObject), [security.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts#:~:text=SavedObject), [security.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts#:~:text=SavedObject), [security.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [import.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/import.ts#:~:text=SavedObject)+ 24 more | - | -| | [encryption.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts#:~:text=SavedObject), 
[encryption.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts#:~:text=SavedObject), [security.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts#:~:text=SavedObject), [security.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts#:~:text=SavedObject), [security.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [export.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/export.ts#:~:text=SavedObject), [import.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/import.ts#:~:text=SavedObject)+ 41 more | - | -| | [serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference), [serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference), [serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference), 
[serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference) | - | | | [index.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/index.ts#:~:text=SavedObjectAttributes) | - | -| | [serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference), [serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference), [serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference), [serialization.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server/src/serialization.ts#:~:text=SavedObjectReference) | - | 
@@ -309,10 +292,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts#:~:text=SavedObject), [collect_references_deep.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts#:~:text=SavedObject), [collect_references_deep.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts#:~:text=SavedObject), [collect_references_deep.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts#:~:text=SavedObject), [import_dashboards.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts#:~:text=SavedObject), [import_dashboards.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts#:~:text=SavedObject), [import.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts#:~:text=SavedObject), [import.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts#:~:text=SavedObject), 
[collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObject)+ 16 more | - | -| | [utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts#:~:text=SavedObject), [collect_references_deep.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts#:~:text=SavedObject), [collect_references_deep.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts#:~:text=SavedObject), [collect_references_deep.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts#:~:text=SavedObject), [import_dashboards.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts#:~:text=SavedObject), [import_dashboards.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts#:~:text=SavedObject), [import.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts#:~:text=SavedObject), 
[import.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts#:~:text=SavedObject), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObject)+ 29 more | - | -| | [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes) | - | -| | [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes) | - | +| | [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes) | - | +| | 
[collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes), [collect_references_deep.test.ts](https://github.com/elastic/kibana/tree/main/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts#:~:text=SavedObjectAttributes) | - | 
@@ -423,22 +404,15 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | ---------------|-----------|-----------| | | [wrap_search_source_client.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.ts#:~:text=create) | - | | | [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch) | - | -| | [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), 
[bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), [bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), [bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), [bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject)+ 4 more | - | -| | [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), [bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), 
[bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), [bulk_disable.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject), [test_helpers.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts#:~:text=SavedObject)+ 11 more | - | | | [wrap_search_source_client.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.ts#:~:text=create) | - | | | [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), [wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch), 
[wrap_search_source_client.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/wrap_search_source_client.test.ts#:~:text=fetch) | - | | | [plugin.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/plugin.test.ts#:~:text=getKibanaFeatures) | 8.8.0 | | | [plugin.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/plugin.ts#:~:text=license%24), [license_state.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/license_state.test.ts#:~:text=license%24), [license_state.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/lib/license_state.test.ts#:~:text=license%24) | 8.8.0 | | | [task.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/usage/task.ts#:~:text=index) | - | -| | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectAttribute) | - | -| | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts#:~:text=SavedObjectAttributes), 
[index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts#:~:text=SavedObjectAttributes), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttributes), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttributes) | - | -| | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference) | - | -| | [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), 
[rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/geo_containment/migrations.ts#:~:text=SavedObjectAttributes), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/geo_containment/migrations.ts#:~:text=SavedObjectAttributes)+ 10 more | - | +| | [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), 
[rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/geo_containment/migrations.ts#:~:text=SavedObjectAttributes), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/geo_containment/migrations.ts#:~:text=SavedObjectAttributes)+ 14 more | - | | | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/index.ts#:~:text=convertToMultiNamespaceTypeVersion) | - | -| | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectAttribute), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectAttribute) | - | -| | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts#:~:text=SavedObjectAttributes), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts#:~:text=SavedObjectAttributes), 
[index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttributes), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes)+ 14 more | - | -| | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), 
[index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts#:~:text=SavedObjectReference) | - | | | [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/index.ts#:~:text=convertToMultiNamespaceTypeVersion) | - | +| | [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [rule.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/common/rule.ts#:~:text=SavedObjectAttributes), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/geo_containment/migrations.ts#:~:text=SavedObjectAttributes), [migrations.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/alerting/server/saved_objects/geo_containment/migrations.ts#:~:text=SavedObjectAttributes)+ 14 more | - | 
@@ -502,8 +476,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject)+ 42 more | - | -| | [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), 
[utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), [utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/utils.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject), [authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/authorization/authorization.ts#:~:text=SavedObject)+ 68 more | - | +| | [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/operations/find.ts#:~:text=SavedObject), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/operations/find.ts#:~:text=SavedObject), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/operations/find.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), 
[test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject)+ 22 more | - | +| | [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [so_references.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/so_references.ts#:~:text=SavedObject), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/operations/find.ts#:~:text=SavedObject), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/operations/find.ts#:~:text=SavedObject), [find.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/operations/find.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject), [test_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/server/services/user_actions/test_utils.ts#:~:text=SavedObject)+ 38 more | - | | | 
[saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=find) | - | | | [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), [saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject), 
[saved_objects_finder.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/public/components/markdown_editor/plugins/lens/saved_objects_finder.tsx#:~:text=SimpleSavedObject)+ 1 more | - | | | [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/common/ui/types.ts#:~:text=ResolvedSimpleSavedObject), [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/common/ui/types.ts#:~:text=ResolvedSimpleSavedObject), [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/common/ui/types.ts#:~:text=ResolvedSimpleSavedObject), [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/cases/common/ui/types.ts#:~:text=ResolvedSimpleSavedObject) | - | 
@@ -820,8 +794,6 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject) | - | -| | [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), 
[saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject), [saved_objects_encryption_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts#:~:text=SavedObject) | - | | | [encryption_key_rotation_service.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts#:~:text=authc), [index.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts#:~:text=authc) | - | | | [create_migration.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/create_migration.ts#:~:text=convertToMultiNamespaceTypeVersion), [create_migration.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/create_migration.ts#:~:text=convertToMultiNamespaceTypeVersion) | - | | | [create_migration.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/create_migration.ts#:~:text=convertToMultiNamespaceTypeVersion), [create_migration.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/encrypted_saved_objects/server/create_migration.ts#:~:text=convertToMultiNamespaceTypeVersion) | - | 
@@ -877,8 +849,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject)+ 4 more | - | -| | [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), 
[action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [action.mock.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/server/services/agents/action.mock.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject)+ 11 more | - | +| | [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject) | - | +| | [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), 
[epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject), [epm.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/common/types/models/epm.ts#:~:text=SavedObject) | - | | | [filter_dataset.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx#:~:text=title), [filter_log_level.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx#:~:text=title), [query_bar.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/query_bar.tsx#:~:text=title), [filter_dataset.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx#:~:text=title), [filter_log_level.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx#:~:text=title), 
[query_bar.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/query_bar.tsx#:~:text=title) | - | | | [filter_dataset.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx#:~:text=title), [filter_log_level.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx#:~:text=title), [query_bar.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/query_bar.tsx#:~:text=title), [filter_dataset.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx#:~:text=title), [filter_log_level.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx#:~:text=title), [query_bar.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/query_bar.tsx#:~:text=title) | - | | | [filter_dataset.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx#:~:text=title), [filter_log_level.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx#:~:text=title), 
[query_bar.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/query_bar.tsx#:~:text=title) | - | 
@@ -1002,6 +974,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectsCreateOptions), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectsCreateOptions), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectsCreateOptions), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectsCreateOptions) | - | | | [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectsBatchResponse), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectsBatchResponse) | - | | | [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectAttributes), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectAttributes), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectAttributes), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectAttributes), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectAttributes), 
[use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=SavedObjectAttributes), [use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=SavedObjectAttributes), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectAttributes), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectAttributes), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectAttributes)+ 2 more | - | +| | [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/types.ts#:~:text=SavedObjectReference), [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/types.ts#:~:text=SavedObjectReference), [cpu.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts#:~:text=SavedObjectReference), [cpu.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts#:~:text=SavedObjectReference), [load.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts#:~:text=SavedObjectReference), [load.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts#:~:text=SavedObjectReference), [memory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts#:~:text=SavedObjectReference), 
[memory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts#:~:text=SavedObjectReference), [rx.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts#:~:text=SavedObjectReference), [rx.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts#:~:text=SavedObjectReference)+ 6 more | - | | | [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=savedObjects), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=savedObjects), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=savedObjects), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=savedObjects), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=savedObjects), [use_delete_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_delete_saved_object.tsx#:~:text=savedObjects), [use_delete_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_delete_saved_object.tsx#:~:text=savedObjects), [use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=savedObjects), [use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=savedObjects), 
[use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=savedObjects)+ 1 more | - | | | [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=savedObjects), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=savedObjects), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=savedObjects), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=savedObjects), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=savedObjects), [use_delete_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_delete_saved_object.tsx#:~:text=savedObjects), [use_delete_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_delete_saved_object.tsx#:~:text=savedObjects), [use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=savedObjects), [use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=savedObjects), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=savedObjects)+ 1 more | - | | | [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=create) | - | 
@@ -1013,6 +986,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectsCreateOptions), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectsCreateOptions), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectsCreateOptions), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectsCreateOptions) | - | | | [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectsBatchResponse), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectsBatchResponse) | - | | | [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectAttributes), [use_find_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_find_saved_object.tsx#:~:text=SavedObjectAttributes), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectAttributes), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectAttributes), [use_create_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_create_saved_object.tsx#:~:text=SavedObjectAttributes), 
[use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=SavedObjectAttributes), [use_get_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_get_saved_object.tsx#:~:text=SavedObjectAttributes), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectAttributes), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectAttributes), [use_update_saved_object.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/hooks/use_update_saved_object.tsx#:~:text=SavedObjectAttributes)+ 2 more | - | +| | [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/types.ts#:~:text=SavedObjectReference), [types.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/types.ts#:~:text=SavedObjectReference), [cpu.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts#:~:text=SavedObjectReference), [cpu.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts#:~:text=SavedObjectReference), [load.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts#:~:text=SavedObjectReference), [load.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts#:~:text=SavedObjectReference), [memory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts#:~:text=SavedObjectReference), 
[memory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts#:~:text=SavedObjectReference), [rx.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts#:~:text=SavedObjectReference), [rx.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts#:~:text=SavedObjectReference)+ 6 more | - | 
@@ -1052,8 +1026,6 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject) | - | -| | [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject), [make_lens_embeddable_factory.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts#:~:text=SavedObject) | - | | | 
[loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/data_views_service/loader.ts#:~:text=title), [lens_top_nav.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx#:~:text=title), [loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/data_views_service/loader.ts#:~:text=title), [lens_top_nav.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx#:~:text=title) | - | | | [loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/data_views_service/loader.ts#:~:text=title), [lens_top_nav.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx#:~:text=title), [loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/data_views_service/loader.ts#:~:text=title), [lens_top_nav.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx#:~:text=title) | - | | | [loader.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/data_views_service/loader.ts#:~:text=title), [lens_top_nav.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx#:~:text=title) | - | 
@@ -1208,8 +1180,6 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject) | - | -| | [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject), [slo.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/server/services/slo/fixtures/slo.ts#:~:text=SavedObject) | - | | | [observability_data_views.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/utils/observability_data_views/observability_data_views.ts#:~:text=title), [report_definition_field.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_definition_field.tsx#:~:text=title), 
[use_filter_values.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts#:~:text=title), [filter_value_btn.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/filter_value_btn.tsx#:~:text=title), [sample_attribute.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts#:~:text=title), [sample_attribute_kpi.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_kpi.ts#:~:text=title), [sample_attribute_with_reference_lines.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts#:~:text=title), [test_formula_metric_attribute.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/test_formula_metric_attribute.ts#:~:text=title), [single_metric_attributes.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts#:~:text=title), [single_metric_attributes.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts#:~:text=title)+ 14 more | - | | | [observability_data_views.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/utils/observability_data_views/observability_data_views.ts#:~:text=title), 
[report_definition_field.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_definition_field.tsx#:~:text=title), [use_filter_values.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts#:~:text=title), [filter_value_btn.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/filter_value_btn.tsx#:~:text=title), [sample_attribute.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts#:~:text=title), [sample_attribute_kpi.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_kpi.ts#:~:text=title), [sample_attribute_with_reference_lines.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts#:~:text=title), [test_formula_metric_attribute.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/test_formula_metric_attribute.ts#:~:text=title), [single_metric_attributes.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts#:~:text=title), [single_metric_attributes.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts#:~:text=title)+ 14 more | - | | | 
[observability_data_views.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/utils/observability_data_views/observability_data_views.ts#:~:text=title), [report_definition_field.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/report_definition_field.tsx#:~:text=title), [use_filter_values.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts#:~:text=title), [filter_value_btn.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/columns/filter_value_btn.tsx#:~:text=title), [sample_attribute.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts#:~:text=title), [sample_attribute_kpi.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_kpi.ts#:~:text=title), [sample_attribute_with_reference_lines.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts#:~:text=title), [test_formula_metric_attribute.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/test_formula_metric_attribute.ts#:~:text=title), [single_metric_attributes.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts#:~:text=title), 
[single_metric_attributes.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts#:~:text=title)+ 2 more | - | 
@@ -1415,8 +1385,6 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject) | - | -| | [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), [saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject), 
[saved_objects_security_extension.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts#:~:text=SavedObject) | - | | | [elasticsearch_role.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/roles/elasticsearch_role.ts#:~:text=disabled), [role_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/lib/role_utils.ts#:~:text=disabled), [role_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/lib/role_utils.ts#:~:text=disabled), [primary_feature_privilege.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/public/management/roles/model/primary_feature_privilege.ts#:~:text=disabled), [elasticsearch_role.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/roles/elasticsearch_role.test.ts#:~:text=disabled), [kibana_features.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/public/management/roles/__fixtures__/kibana_features.ts#:~:text=disabled), [put.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts#:~:text=disabled), [put_payload.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts#:~:text=disabled), [put_payload.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts#:~:text=disabled) | 8.8.0 | | | [disable_ui_capabilities.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/disable_ui_capabilities.ts#:~:text=requiredRoles) | 8.8.0 
@@ -1526,8 +1494,8 @@ migrates to using the Kibana Privilege model: https://github.com/elastic/kibana/ | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), [monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject)+ 24 more | - | -| | 
[monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), [monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject)+ 41 more | - | +| | [monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), 
[monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject)+ 20 more | - | +| | [monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), [monitor_detail_flyout.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview/monitor_detail_flyout.tsx#:~:text=SavedObject), 
[api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [api.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject), [effects.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts#:~:text=SavedObject)+ 35 more | - | | | [filter_group.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx#:~:text=title), [filters_expression_select.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx#:~:text=title), [filter_group.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx#:~:text=title), 
[filters_expression_select.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx#:~:text=title) | - | | | [filter_group.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx#:~:text=title), [filters_expression_select.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx#:~:text=title), [filter_group.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx#:~:text=title), [filters_expression_select.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx#:~:text=title) | - | | | [filter_group.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/filter_group/filter_group.tsx#:~:text=title), [filters_expression_select.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_expressions/filters_expression_select.tsx#:~:text=title) | - | diff --git a/api_docs/deprecations_by_team.mdx b/api_docs/deprecations_by_team.mdx index 3f35753b21bd7..a5b74c7cf6535 100644 --- a/api_docs/deprecations_by_team.mdx +++ b/api_docs/deprecations_by_team.mdx @@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsDueByTeam slug: /kibana-dev-docs/api-meta/deprecations-due-by-team title: Deprecated APIs due to be removed, by team description: Lists the teams that are referencing deprecated APIs with a remove by date. -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- 
@@ -103,6 +103,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Plugin | Deprecated API | Reference location(s) | Remove By | | --------|-------|-----------|-----------| +| spaces | | [on_post_auth_interceptor.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.ts#:~:text=getKibanaFeatures), [spaces_usage_collector.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/usage_collection/spaces_usage_collector.ts#:~:text=getKibanaFeatures), [on_post_auth_interceptor.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.test.ts#:~:text=getKibanaFeatures), [app_authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/app_authorization.ts#:~:text=getKibanaFeatures), [privileges.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.ts#:~:text=getKibanaFeatures), [authorization_service.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/authorization_service.tsx#:~:text=getKibanaFeatures), [app_authorization.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/app_authorization.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures)+ 18 more | 8.8.0 | +| spaces | | 
[spaces_usage_collector.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/usage_collection/spaces_usage_collector.ts#:~:text=license%24), [plugin.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/plugin.ts#:~:text=license%24), [plugin.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/plugin.ts#:~:text=license%24), [spaces_usage_collector.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/usage_collection/spaces_usage_collector.test.ts#:~:text=license%24), [plugin.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/plugin.ts#:~:text=license%24) | 8.8.0 | | security | | [elasticsearch_role.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/roles/elasticsearch_role.ts#:~:text=disabled), [role_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/lib/role_utils.ts#:~:text=disabled), [role_utils.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/lib/role_utils.ts#:~:text=disabled), [primary_feature_privilege.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/public/management/roles/model/primary_feature_privilege.ts#:~:text=disabled), [elasticsearch_role.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/roles/elasticsearch_role.test.ts#:~:text=disabled), [kibana_features.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/public/management/roles/__fixtures__/kibana_features.ts#:~:text=disabled), [put.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts#:~:text=disabled), [put_payload.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts#:~:text=disabled), 
[put_payload.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts#:~:text=disabled) | 8.8.0 | | security | | [disable_ui_capabilities.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/disable_ui_capabilities.ts#:~:text=requiredRoles) | 8.8.0 
@@ -114,12 +116,10 @@ migrates to using the Kibana Privilege model: https://github.com/elastic/kibana/ This is relied on by the reporting feature, and should be removed once reporting migrates to using the Kibana Privilege model: https://github.com/elastic/kibana/issues/19914 | -| security | | [app_authorization.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/app_authorization.ts#:~:text=getKibanaFeatures), [privileges.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.ts#:~:text=getKibanaFeatures), [authorization_service.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/authorization_service.tsx#:~:text=getKibanaFeatures), [app_authorization.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/app_authorization.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures), [privileges.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/privileges/privileges.test.ts#:~:text=getKibanaFeatures)+ 18 more | 8.8.0 | | security | | 
[authorization_service.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/authorization/authorization_service.tsx#:~:text=getElasticsearchFeatures) | 8.8.0 | | security | | [license_service.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/common/licensing/license_service.test.ts#:~:text=mode), [license_service.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/common/licensing/license_service.test.ts#:~:text=mode), [license_service.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/common/licensing/license_service.test.ts#:~:text=mode) | 8.8.0 | | security | | [plugin.tsx](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/public/plugin.tsx#:~:text=license%24) | 8.8.0 | | security | | [license_service.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/common/licensing/license_service.test.ts#:~:text=mode), [license_service.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/common/licensing/license_service.test.ts#:~:text=mode), [license_service.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/common/licensing/license_service.test.ts#:~:text=mode) | 8.8.0 | -| security | | [plugin.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/server/plugin.ts#:~:text=license%24), [spaces_usage_collector.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/usage_collection/spaces_usage_collector.ts#:~:text=license%24), [plugin.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/plugin.ts#:~:text=license%24), [plugin.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/plugin.ts#:~:text=license%24), [spaces_usage_collector.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/spaces/server/usage_collection/spaces_usage_collector.test.ts#:~:text=license%24) | 8.8.0 | | 
security | | [logout_app.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/public/authentication/logout/logout_app.test.ts#:~:text=appBasePath) | 8.8.0 | | security | | [logout_app.test.ts](https://github.com/elastic/kibana/tree/main/x-pack/plugins/security/public/authentication/logout/logout_app.test.ts#:~:text=appBasePath) | 8.8.0 | diff --git a/api_docs/dev_tools.mdx b/api_docs/dev_tools.mdx index 1c6e416374c86..e49115de734f9 100644 --- a/api_docs/dev_tools.mdx +++ b/api_docs/dev_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/devTools title: "devTools" image: https://source.unsplash.com/400x175/?github description: API docs for the devTools plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'devTools'] --- import devToolsObj from './dev_tools.devdocs.json'; diff --git a/api_docs/discover.mdx b/api_docs/discover.mdx index a0ac52e82c99d..ea0173bf90606 100644 --- a/api_docs/discover.mdx +++ b/api_docs/discover.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/discover title: "discover" image: https://source.unsplash.com/400x175/?github description: API docs for the discover plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'discover'] --- import discoverObj from './discover.devdocs.json'; diff --git a/api_docs/discover_enhanced.mdx b/api_docs/discover_enhanced.mdx index bae3c41163636..4bad0bdf70bca 100644 --- a/api_docs/discover_enhanced.mdx +++ b/api_docs/discover_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/discoverEnhanced title: "discoverEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the discoverEnhanced plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'discoverEnhanced'] --- import discoverEnhancedObj from './discover_enhanced.devdocs.json'; 
diff --git a/api_docs/embeddable.devdocs.json b/api_docs/embeddable.devdocs.json index a9b6f4421c811..a01a2e94f470d 100644 --- a/api_docs/embeddable.devdocs.json +++ b/api_docs/embeddable.devdocs.json 
@@ -5117,6 +5117,134 @@ ], "initialIsOpen": false }, + { + "parentPluginId": "embeddable", + "id": "def-public.isMultiValueClickTriggerContext", + "type": "Function", + "tags": [], + "label": "isMultiValueClickTriggerContext", + "description": [], + "signature": [ + "(context: ", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.ChartActionContext", + "text": "ChartActionContext" + }, + "<", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.IEmbeddable", + "text": "IEmbeddable" + }, + "<", + { + "pluginId": "embeddable", + "scope": "common", + "docId": "kibEmbeddablePluginApi", + "section": "def-common.EmbeddableInput", + "text": "EmbeddableInput" + }, + ", ", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.EmbeddableOutput", + "text": "EmbeddableOutput" + }, + ", any>>) => context is ", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.MultiValueClickContext", + "text": "MultiValueClickContext" + }, + "<", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.IEmbeddable", + "text": "IEmbeddable" + }, + "<", + { + "pluginId": "embeddable", + "scope": "common", + "docId": "kibEmbeddablePluginApi", + "section": "def-common.EmbeddableInput", + "text": "EmbeddableInput" + }, + ", ", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.EmbeddableOutput", + "text": "EmbeddableOutput" + }, + ", any>>" + ], + "path": "src/plugins/embeddable/public/lib/triggers/triggers.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "embeddable", + "id": "def-public.isMultiValueClickTriggerContext.$1", + "type": "CompoundType", + "tags": [], + "label": "context", + 
"description": [], + "signature": [ + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.ChartActionContext", + "text": "ChartActionContext" + }, + "<", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.IEmbeddable", + "text": "IEmbeddable" + }, + "<", + { + "pluginId": "embeddable", + "scope": "common", + "docId": "kibEmbeddablePluginApi", + "section": "def-common.EmbeddableInput", + "text": "EmbeddableInput" + }, + ", ", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.EmbeddableOutput", + "text": "EmbeddableOutput" + }, + ", any>>" + ], + "path": "src/plugins/embeddable/public/lib/triggers/triggers.ts", + "deprecated": false, + "trackAdoption": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, { "parentPluginId": "embeddable", "id": "def-public.isRangeSelectTriggerContext", 
@@ -9406,6 +9534,66 @@ ], "initialIsOpen": false }, + { + "parentPluginId": "embeddable", + "id": "def-public.MultiValueClickContext", + "type": "Interface", + "tags": [], + "label": "MultiValueClickContext", + "description": [], + "signature": [ + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.MultiValueClickContext", + "text": "MultiValueClickContext" + }, + "" + ], + "path": "src/plugins/embeddable/public/lib/triggers/triggers.ts", + "deprecated": false, + "trackAdoption": false, + "children": [ + { + "parentPluginId": "embeddable", + "id": "def-public.MultiValueClickContext.embeddable", + "type": "Uncategorized", + "tags": [], + "label": "embeddable", + "description": [], + "signature": [ + "T | undefined" + ], + "path": "src/plugins/embeddable/public/lib/triggers/triggers.ts", + "deprecated": false, + "trackAdoption": false + }, + { + "parentPluginId": "embeddable", + "id": "def-public.MultiValueClickContext.data", + "type": "Object", + "tags": [], + "label": "data", + "description": [], + "signature": [ + "{ data: { table: Pick<", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + }, + ", \"rows\" | \"columns\">; column: number; value: any[]; }; timeFieldName?: string | undefined; negate?: boolean | undefined; }" + ], + "path": "src/plugins/embeddable/public/lib/triggers/triggers.ts", + "deprecated": false, + "trackAdoption": false + } + ], + "initialIsOpen": false + }, { "parentPluginId": "embeddable", "id": "def-public.OutputSpec", @@ -9949,6 +10137,14 @@ "text": "ValueClickContext" }, " | ", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.MultiValueClickContext", + "text": "MultiValueClickContext" + }, + " | ", { "pluginId": "embeddable", "scope": "public", 
@@ -10165,6 +10361,21 @@ "trackAdoption": false, "initialIsOpen": false }, + { + "parentPluginId": "embeddable", + "id": "def-public.MULTI_VALUE_CLICK_TRIGGER", + "type": "string", + "tags": [], + "label": "MULTI_VALUE_CLICK_TRIGGER", + "description": [], + "signature": [ + "\"MULTI_VALUE_CLICK_TRIGGER\"" + ], + "path": "src/plugins/embeddable/public/lib/triggers/triggers.ts", + "deprecated": false, + "trackAdoption": false, + "initialIsOpen": false + }, { "parentPluginId": "embeddable", "id": "def-public.PANEL_BADGE_TRIGGER", diff --git a/api_docs/embeddable.mdx b/api_docs/embeddable.mdx index f07dde4281915..21b082d057c2a 100644 --- a/api_docs/embeddable.mdx +++ b/api_docs/embeddable.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/embeddable title: "embeddable" image: https://source.unsplash.com/400x175/?github description: API docs for the embeddable plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'embeddable'] --- import embeddableObj from './embeddable.devdocs.json'; @@ -21,7 +21,7 @@ Contact [App Services](https://github.com/orgs/elastic/teams/kibana-app-services | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 522 | 8 | 421 | 4 | +| 528 | 8 | 427 | 4 | ## Client diff --git a/api_docs/embeddable_enhanced.mdx b/api_docs/embeddable_enhanced.mdx index 266aba87981f9..5baf12a1da7e2 100644 --- a/api_docs/embeddable_enhanced.mdx +++ b/api_docs/embeddable_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/embeddableEnhanced title: "embeddableEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the embeddableEnhanced plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'embeddableEnhanced'] --- import embeddableEnhancedObj from './embeddable_enhanced.devdocs.json'; 
diff --git a/api_docs/encrypted_saved_objects.mdx b/api_docs/encrypted_saved_objects.mdx index e1ed3d73e2249..64edf89638d41 100644 --- a/api_docs/encrypted_saved_objects.mdx +++ b/api_docs/encrypted_saved_objects.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/encryptedSavedObjects title: "encryptedSavedObjects" image: https://source.unsplash.com/400x175/?github description: API docs for the encryptedSavedObjects plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'encryptedSavedObjects'] --- import encryptedSavedObjectsObj from './encrypted_saved_objects.devdocs.json'; diff --git a/api_docs/enterprise_search.mdx b/api_docs/enterprise_search.mdx index 7c27689e45745..4d10f95a1d2f2 100644 --- a/api_docs/enterprise_search.mdx +++ b/api_docs/enterprise_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/enterpriseSearch title: "enterpriseSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the enterpriseSearch plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'enterpriseSearch'] --- import enterpriseSearchObj from './enterprise_search.devdocs.json'; diff --git a/api_docs/es_ui_shared.mdx b/api_docs/es_ui_shared.mdx index e2635f2590748..3474fae8f0f67 100644 --- a/api_docs/es_ui_shared.mdx +++ b/api_docs/es_ui_shared.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/esUiShared title: "esUiShared" image: https://source.unsplash.com/400x175/?github description: API docs for the esUiShared plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'esUiShared'] --- import esUiSharedObj from './es_ui_shared.devdocs.json'; diff --git a/api_docs/event_annotation.mdx b/api_docs/event_annotation.mdx index e6a8142bdc1db..9df311b38644c 100644 --- a/api_docs/event_annotation.mdx +++ b/api_docs/event_annotation.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/eventAnnotation title: "eventAnnotation" image: https://source.unsplash.com/400x175/?github description: API docs for the eventAnnotation plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'eventAnnotation'] --- import eventAnnotationObj from './event_annotation.devdocs.json'; diff --git a/api_docs/event_log.mdx b/api_docs/event_log.mdx index af7f549d9b42b..db6c1374b0697 100644 --- a/api_docs/event_log.mdx +++ b/api_docs/event_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/eventLog title: "eventLog" image: https://source.unsplash.com/400x175/?github description: API docs for the eventLog plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'eventLog'] --- import eventLogObj from './event_log.devdocs.json'; diff --git a/api_docs/expression_error.mdx b/api_docs/expression_error.mdx index f0723f37b1ba6..efe4e42f17782 100644 --- a/api_docs/expression_error.mdx +++ b/api_docs/expression_error.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionError title: "expressionError" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionError plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionError'] --- import expressionErrorObj from './expression_error.devdocs.json'; diff --git a/api_docs/expression_gauge.mdx b/api_docs/expression_gauge.mdx index 8abc539fa23b5..844b8925cffc5 100644 --- a/api_docs/expression_gauge.mdx +++ b/api_docs/expression_gauge.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionGauge title: "expressionGauge" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionGauge plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionGauge'] --- import expressionGaugeObj from './expression_gauge.devdocs.json'; 
diff --git a/api_docs/expression_heatmap.mdx b/api_docs/expression_heatmap.mdx index 4496774bec1f4..6c7cb3a7fa334 100644 --- a/api_docs/expression_heatmap.mdx +++ b/api_docs/expression_heatmap.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionHeatmap title: "expressionHeatmap" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionHeatmap plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionHeatmap'] --- import expressionHeatmapObj from './expression_heatmap.devdocs.json'; diff --git a/api_docs/expression_image.mdx b/api_docs/expression_image.mdx index 8adbc59645ee8..837fdc50bf5ef 100644 --- a/api_docs/expression_image.mdx +++ b/api_docs/expression_image.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionImage title: "expressionImage" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionImage plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionImage'] --- import expressionImageObj from './expression_image.devdocs.json'; diff --git a/api_docs/expression_legacy_metric_vis.mdx b/api_docs/expression_legacy_metric_vis.mdx index 119b574fe01ed..bae0f414dcee0 100644 --- a/api_docs/expression_legacy_metric_vis.mdx +++ b/api_docs/expression_legacy_metric_vis.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionLegacyMetricVis title: "expressionLegacyMetricVis" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionLegacyMetricVis plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionLegacyMetricVis'] --- import expressionLegacyMetricVisObj from './expression_legacy_metric_vis.devdocs.json'; diff --git a/api_docs/expression_metric.mdx b/api_docs/expression_metric.mdx index ab318080e0972..284ee73c1625a 100644 --- a/api_docs/expression_metric.mdx +++ b/api_docs/expression_metric.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionMetric title: "expressionMetric" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionMetric plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionMetric'] --- import expressionMetricObj from './expression_metric.devdocs.json'; diff --git a/api_docs/expression_metric_vis.mdx b/api_docs/expression_metric_vis.mdx index 7357397cb3986..e400ac543adcf 100644 --- a/api_docs/expression_metric_vis.mdx +++ b/api_docs/expression_metric_vis.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionMetricVis title: "expressionMetricVis" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionMetricVis plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionMetricVis'] --- import expressionMetricVisObj from './expression_metric_vis.devdocs.json'; diff --git a/api_docs/expression_partition_vis.mdx b/api_docs/expression_partition_vis.mdx index bb97b6edaae18..8b38dc5e8e042 100644 --- a/api_docs/expression_partition_vis.mdx +++ b/api_docs/expression_partition_vis.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionPartitionVis title: "expressionPartitionVis" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionPartitionVis plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionPartitionVis'] --- import expressionPartitionVisObj from './expression_partition_vis.devdocs.json'; diff --git a/api_docs/expression_repeat_image.mdx b/api_docs/expression_repeat_image.mdx index d330de9bdc629..5a8734cb699a6 100644 --- a/api_docs/expression_repeat_image.mdx +++ b/api_docs/expression_repeat_image.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionRepeatImage title: "expressionRepeatImage" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionRepeatImage plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionRepeatImage'] --- import expressionRepeatImageObj from './expression_repeat_image.devdocs.json'; diff --git a/api_docs/expression_reveal_image.mdx b/api_docs/expression_reveal_image.mdx index ee84104475197..83b1463de2b17 100644 --- a/api_docs/expression_reveal_image.mdx +++ b/api_docs/expression_reveal_image.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionRevealImage title: "expressionRevealImage" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionRevealImage plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionRevealImage'] --- import expressionRevealImageObj from './expression_reveal_image.devdocs.json'; diff --git a/api_docs/expression_shape.mdx b/api_docs/expression_shape.mdx index c621072c2a427..68a7d8c9bf807 100644 --- a/api_docs/expression_shape.mdx +++ b/api_docs/expression_shape.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionShape title: "expressionShape" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionShape plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionShape'] --- import expressionShapeObj from './expression_shape.devdocs.json'; diff --git a/api_docs/expression_tagcloud.mdx b/api_docs/expression_tagcloud.mdx index f2f7f1510f045..36ccc50008eda 100644 --- a/api_docs/expression_tagcloud.mdx +++ b/api_docs/expression_tagcloud.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionTagcloud title: "expressionTagcloud" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionTagcloud plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionTagcloud'] --- import expressionTagcloudObj from './expression_tagcloud.devdocs.json'; diff --git a/api_docs/expression_x_y.mdx b/api_docs/expression_x_y.mdx index 1479ea52011e8..01e35aab3d006 100644 --- a/api_docs/expression_x_y.mdx +++ b/api_docs/expression_x_y.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionXY title: "expressionXY" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionXY plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionXY'] --- import expressionXYObj from './expression_x_y.devdocs.json'; diff --git a/api_docs/expressions.mdx b/api_docs/expressions.mdx index f2ac9095384e8..e41fd9cecf317 100644 --- a/api_docs/expressions.mdx +++ b/api_docs/expressions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressions title: "expressions" image: https://source.unsplash.com/400x175/?github description: API docs for the expressions plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressions'] --- import expressionsObj from './expressions.devdocs.json'; diff --git a/api_docs/features.mdx b/api_docs/features.mdx index fc9fe4e811353..8558fec80393d 100644 --- a/api_docs/features.mdx +++ b/api_docs/features.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/features title: "features" image: https://source.unsplash.com/400x175/?github description: API docs for the features plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'features'] --- import featuresObj from './features.devdocs.json'; 
diff --git a/api_docs/field_formats.mdx b/api_docs/field_formats.mdx index ffa55135e6635..9a0c20f6e61ad 100644 --- a/api_docs/field_formats.mdx +++ b/api_docs/field_formats.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fieldFormats title: "fieldFormats" image: https://source.unsplash.com/400x175/?github description: API docs for the fieldFormats plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fieldFormats'] --- import fieldFormatsObj from './field_formats.devdocs.json'; diff --git a/api_docs/file_upload.mdx b/api_docs/file_upload.mdx index 8c1a7ab843a44..7bbaf0a43523d 100644 --- a/api_docs/file_upload.mdx +++ b/api_docs/file_upload.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fileUpload title: "fileUpload" image: https://source.unsplash.com/400x175/?github description: API docs for the fileUpload plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fileUpload'] --- import fileUploadObj from './file_upload.devdocs.json'; diff --git a/api_docs/files.mdx b/api_docs/files.mdx index d39f390aba066..5f8657981aa32 100644 --- a/api_docs/files.mdx +++ b/api_docs/files.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/files title: "files" image: https://source.unsplash.com/400x175/?github description: API docs for the files plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'files'] --- import filesObj from './files.devdocs.json'; diff --git a/api_docs/files_management.mdx b/api_docs/files_management.mdx index 9877ee0c165c6..1c6e2446f0a72 100644 --- a/api_docs/files_management.mdx +++ b/api_docs/files_management.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/filesManagement title: "filesManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the filesManagement plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'filesManagement'] --- import filesManagementObj from './files_management.devdocs.json'; diff --git a/api_docs/fleet.mdx b/api_docs/fleet.mdx index 7cb30073063ca..43b747678ecb0 100644 --- a/api_docs/fleet.mdx +++ b/api_docs/fleet.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fleet title: "fleet" image: https://source.unsplash.com/400x175/?github description: API docs for the fleet plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fleet'] --- import fleetObj from './fleet.devdocs.json'; diff --git a/api_docs/global_search.mdx b/api_docs/global_search.mdx index fe32a1154699a..9a1c7390b2829 100644 --- a/api_docs/global_search.mdx +++ b/api_docs/global_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/globalSearch title: "globalSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the globalSearch plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'globalSearch'] --- import globalSearchObj from './global_search.devdocs.json'; diff --git a/api_docs/guided_onboarding.mdx b/api_docs/guided_onboarding.mdx index 49e61881496a9..5473510e87f45 100644 --- a/api_docs/guided_onboarding.mdx +++ b/api_docs/guided_onboarding.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/guidedOnboarding title: "guidedOnboarding" image: https://source.unsplash.com/400x175/?github description: API docs for the guidedOnboarding plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'guidedOnboarding'] --- import guidedOnboardingObj from './guided_onboarding.devdocs.json'; diff --git a/api_docs/home.mdx b/api_docs/home.mdx index ed85f8fd99ca9..0665efab479e0 100644 
--- a/api_docs/home.mdx +++ b/api_docs/home.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/home title: "home" image: https://source.unsplash.com/400x175/?github description: API docs for the home plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'home'] --- import homeObj from './home.devdocs.json'; diff --git a/api_docs/image_embeddable.mdx b/api_docs/image_embeddable.mdx index b1975215b7af4..449493199f83f 100644 --- a/api_docs/image_embeddable.mdx +++ b/api_docs/image_embeddable.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/imageEmbeddable title: "imageEmbeddable" image: https://source.unsplash.com/400x175/?github description: API docs for the imageEmbeddable plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'imageEmbeddable'] --- import imageEmbeddableObj from './image_embeddable.devdocs.json'; diff --git a/api_docs/index_lifecycle_management.mdx b/api_docs/index_lifecycle_management.mdx index 548addffb51d7..4784de06a647d 100644 --- a/api_docs/index_lifecycle_management.mdx +++ b/api_docs/index_lifecycle_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/indexLifecycleManagement title: "indexLifecycleManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the indexLifecycleManagement plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'indexLifecycleManagement'] --- import indexLifecycleManagementObj from './index_lifecycle_management.devdocs.json'; diff --git a/api_docs/index_management.mdx b/api_docs/index_management.mdx index 495d32c780f2b..2d754438ee4d1 100644 --- a/api_docs/index_management.mdx +++ b/api_docs/index_management.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/indexManagement title: "indexManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the indexManagement plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'indexManagement'] --- import indexManagementObj from './index_management.devdocs.json'; diff --git a/api_docs/infra.mdx b/api_docs/infra.mdx index 03c2e53777649..6620ca9b0af7b 100644 --- a/api_docs/infra.mdx +++ b/api_docs/infra.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/infra title: "infra" image: https://source.unsplash.com/400x175/?github description: API docs for the infra plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'infra'] --- import infraObj from './infra.devdocs.json'; diff --git a/api_docs/inspector.mdx b/api_docs/inspector.mdx index 931f22ae3d371..8b817a6d655a2 100644 --- a/api_docs/inspector.mdx +++ b/api_docs/inspector.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/inspector title: "inspector" image: https://source.unsplash.com/400x175/?github description: API docs for the inspector plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'inspector'] --- import inspectorObj from './inspector.devdocs.json'; diff --git a/api_docs/interactive_setup.mdx b/api_docs/interactive_setup.mdx index 8c0ec2245391e..f53bc0c6887b8 100644 --- a/api_docs/interactive_setup.mdx +++ b/api_docs/interactive_setup.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/interactiveSetup title: "interactiveSetup" image: https://source.unsplash.com/400x175/?github description: API docs for the interactiveSetup plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'interactiveSetup'] --- import interactiveSetupObj from './interactive_setup.devdocs.json'; diff --git a/api_docs/kbn_ace.mdx b/api_docs/kbn_ace.mdx index be1c284eec447..82713438dc480 100644 --- a/api_docs/kbn_ace.mdx 
+++ b/api_docs/kbn_ace.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ace title: "@kbn/ace" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ace plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ace'] --- import kbnAceObj from './kbn_ace.devdocs.json'; diff --git a/api_docs/kbn_aiops_components.mdx b/api_docs/kbn_aiops_components.mdx index 08667f5ffd983..2ac024f145330 100644 --- a/api_docs/kbn_aiops_components.mdx +++ b/api_docs/kbn_aiops_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-aiops-components title: "@kbn/aiops-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/aiops-components plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/aiops-components'] --- import kbnAiopsComponentsObj from './kbn_aiops_components.devdocs.json'; diff --git a/api_docs/kbn_aiops_utils.mdx b/api_docs/kbn_aiops_utils.mdx index 1d40055d1429f..965b1b2c0f690 100644 --- a/api_docs/kbn_aiops_utils.mdx +++ b/api_docs/kbn_aiops_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-aiops-utils title: "@kbn/aiops-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/aiops-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/aiops-utils'] --- import kbnAiopsUtilsObj from './kbn_aiops_utils.devdocs.json'; diff --git a/api_docs/kbn_alerts.mdx b/api_docs/kbn_alerts.mdx index ed85c5bdfaac0..04fbe059d7dec 100644 --- a/api_docs/kbn_alerts.mdx +++ b/api_docs/kbn_alerts.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-alerts title: "@kbn/alerts" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/alerts plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/alerts'] --- import kbnAlertsObj from './kbn_alerts.devdocs.json'; 
diff --git a/api_docs/kbn_analytics.mdx b/api_docs/kbn_analytics.mdx index dcebd7dec001d..8af52b9c4636b 100644 --- a/api_docs/kbn_analytics.mdx +++ b/api_docs/kbn_analytics.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics title: "@kbn/analytics" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics'] --- import kbnAnalyticsObj from './kbn_analytics.devdocs.json'; diff --git a/api_docs/kbn_analytics_client.mdx b/api_docs/kbn_analytics_client.mdx index 18f8ee0e44a0e..c8ece2213c4f0 100644 --- a/api_docs/kbn_analytics_client.mdx +++ b/api_docs/kbn_analytics_client.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-client title: "@kbn/analytics-client" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-client plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-client'] --- import kbnAnalyticsClientObj from './kbn_analytics_client.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx index a2821ef8bca47..fbf0ba15025ed 100644 --- a/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx +++ b/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-browser title: "@kbn/analytics-shippers-elastic-v3-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-elastic-v3-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-browser'] --- import kbnAnalyticsShippersElasticV3BrowserObj from './kbn_analytics_shippers_elastic_v3_browser.devdocs.json'; 
diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx index 95b4d8f249599..b603e99d33e1a 100644 --- a/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx +++ b/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-common title: "@kbn/analytics-shippers-elastic-v3-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-elastic-v3-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-common'] --- import kbnAnalyticsShippersElasticV3CommonObj from './kbn_analytics_shippers_elastic_v3_common.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx index 48c04d4834bea..baf5e2bca04b8 100644 --- a/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx +++ b/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-server title: "@kbn/analytics-shippers-elastic-v3-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-elastic-v3-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-server'] --- import kbnAnalyticsShippersElasticV3ServerObj from './kbn_analytics_shippers_elastic_v3_server.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_fullstory.mdx b/api_docs/kbn_analytics_shippers_fullstory.mdx index 137bc7e8a99f5..409c247abaf95 100644 --- a/api_docs/kbn_analytics_shippers_fullstory.mdx +++ b/api_docs/kbn_analytics_shippers_fullstory.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-fullstory title: "@kbn/analytics-shippers-fullstory" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-fullstory plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-fullstory'] --- import kbnAnalyticsShippersFullstoryObj from './kbn_analytics_shippers_fullstory.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_gainsight.mdx b/api_docs/kbn_analytics_shippers_gainsight.mdx index f1c7ed247aea3..1c0021ab26eb8 100644 --- a/api_docs/kbn_analytics_shippers_gainsight.mdx +++ b/api_docs/kbn_analytics_shippers_gainsight.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-gainsight title: "@kbn/analytics-shippers-gainsight" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-gainsight plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-gainsight'] --- import kbnAnalyticsShippersGainsightObj from './kbn_analytics_shippers_gainsight.devdocs.json'; diff --git a/api_docs/kbn_apm_config_loader.mdx b/api_docs/kbn_apm_config_loader.mdx index ab07da2337de9..115bc03b1b37e 100644 --- a/api_docs/kbn_apm_config_loader.mdx +++ b/api_docs/kbn_apm_config_loader.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-config-loader title: "@kbn/apm-config-loader" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/apm-config-loader plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-config-loader'] --- import kbnApmConfigLoaderObj from './kbn_apm_config_loader.devdocs.json'; diff --git a/api_docs/kbn_apm_synthtrace.mdx b/api_docs/kbn_apm_synthtrace.mdx index 14689a5a10b27..470d3034931c7 100644 --- a/api_docs/kbn_apm_synthtrace.mdx +++ b/api_docs/kbn_apm_synthtrace.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-synthtrace title: "@kbn/apm-synthtrace" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/apm-synthtrace plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-synthtrace'] --- import kbnApmSynthtraceObj from './kbn_apm_synthtrace.devdocs.json'; diff --git a/api_docs/kbn_apm_synthtrace_client.mdx b/api_docs/kbn_apm_synthtrace_client.mdx index e390f2cecd7d4..80be12384347c 100644 --- a/api_docs/kbn_apm_synthtrace_client.mdx +++ b/api_docs/kbn_apm_synthtrace_client.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-synthtrace-client title: "@kbn/apm-synthtrace-client" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/apm-synthtrace-client plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-synthtrace-client'] --- import kbnApmSynthtraceClientObj from './kbn_apm_synthtrace_client.devdocs.json'; diff --git a/api_docs/kbn_apm_utils.mdx b/api_docs/kbn_apm_utils.mdx index 0520c482b9c92..f38033d9550b3 100644 --- a/api_docs/kbn_apm_utils.mdx +++ b/api_docs/kbn_apm_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-utils title: "@kbn/apm-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/apm-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-utils'] --- import kbnApmUtilsObj from './kbn_apm_utils.devdocs.json'; diff --git a/api_docs/kbn_axe_config.mdx b/api_docs/kbn_axe_config.mdx index 328180b31b8b7..669b33453d628 100644 --- a/api_docs/kbn_axe_config.mdx +++ b/api_docs/kbn_axe_config.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-axe-config title: "@kbn/axe-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/axe-config plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/axe-config'] --- import kbnAxeConfigObj from './kbn_axe_config.devdocs.json'; diff --git a/api_docs/kbn_cases_components.mdx b/api_docs/kbn_cases_components.mdx index 7c784b334d0e6..9d89fc9404002 100644 --- a/api_docs/kbn_cases_components.mdx +++ b/api_docs/kbn_cases_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cases-components title: "@kbn/cases-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/cases-components plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cases-components'] --- import kbnCasesComponentsObj from './kbn_cases_components.devdocs.json'; diff --git a/api_docs/kbn_cell_actions.mdx b/api_docs/kbn_cell_actions.mdx index a6c1fadf346ab..b0276eea31563 100644 --- a/api_docs/kbn_cell_actions.mdx +++ b/api_docs/kbn_cell_actions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cell-actions title: "@kbn/cell-actions" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/cell-actions plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cell-actions'] --- import kbnCellActionsObj from './kbn_cell_actions.devdocs.json'; diff --git a/api_docs/kbn_chart_icons.mdx b/api_docs/kbn_chart_icons.mdx index b1bc0cd414a22..a6c989318bebf 100644 --- a/api_docs/kbn_chart_icons.mdx +++ b/api_docs/kbn_chart_icons.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-chart-icons title: "@kbn/chart-icons" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/chart-icons plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/chart-icons'] --- import kbnChartIconsObj from './kbn_chart_icons.devdocs.json'; diff --git a/api_docs/kbn_ci_stats_core.mdx b/api_docs/kbn_ci_stats_core.mdx index 7bfbac69c5e5f..4a011797f3b40 100644 --- a/api_docs/kbn_ci_stats_core.mdx +++ b/api_docs/kbn_ci_stats_core.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-core title: "@kbn/ci-stats-core" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ci-stats-core plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-core'] --- import kbnCiStatsCoreObj from './kbn_ci_stats_core.devdocs.json'; diff --git a/api_docs/kbn_ci_stats_performance_metrics.mdx b/api_docs/kbn_ci_stats_performance_metrics.mdx index 6d0a4f53629d2..03e56cb0a3e73 100644 --- a/api_docs/kbn_ci_stats_performance_metrics.mdx +++ b/api_docs/kbn_ci_stats_performance_metrics.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-performance-metrics title: "@kbn/ci-stats-performance-metrics" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ci-stats-performance-metrics plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-performance-metrics'] --- import kbnCiStatsPerformanceMetricsObj from './kbn_ci_stats_performance_metrics.devdocs.json'; diff --git a/api_docs/kbn_ci_stats_reporter.mdx b/api_docs/kbn_ci_stats_reporter.mdx index d8ca189536e96..c04a1b72be2a7 100644 --- a/api_docs/kbn_ci_stats_reporter.mdx +++ b/api_docs/kbn_ci_stats_reporter.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-reporter title: "@kbn/ci-stats-reporter" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ci-stats-reporter plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-reporter'] --- import kbnCiStatsReporterObj from './kbn_ci_stats_reporter.devdocs.json'; diff --git a/api_docs/kbn_cli_dev_mode.mdx b/api_docs/kbn_cli_dev_mode.mdx index 71a260fab038c..fdbc668b291e9 100644 --- a/api_docs/kbn_cli_dev_mode.mdx +++ b/api_docs/kbn_cli_dev_mode.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cli-dev-mode title: "@kbn/cli-dev-mode" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/cli-dev-mode plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cli-dev-mode'] --- import kbnCliDevModeObj from './kbn_cli_dev_mode.devdocs.json'; diff --git a/api_docs/kbn_coloring.mdx b/api_docs/kbn_coloring.mdx index 7c869e64566db..ede4127cde1f8 100644 --- a/api_docs/kbn_coloring.mdx +++ b/api_docs/kbn_coloring.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-coloring title: "@kbn/coloring" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/coloring plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/coloring'] --- import kbnColoringObj from './kbn_coloring.devdocs.json'; diff --git a/api_docs/kbn_config.mdx b/api_docs/kbn_config.mdx index 66dbe20320bea..dbad26342b34b 100644 --- a/api_docs/kbn_config.mdx +++ b/api_docs/kbn_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config title: "@kbn/config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/config plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config'] --- import kbnConfigObj from './kbn_config.devdocs.json'; 
diff --git a/api_docs/kbn_config_mocks.mdx b/api_docs/kbn_config_mocks.mdx index 363c398c87735..bc7b578bf7051 100644 --- a/api_docs/kbn_config_mocks.mdx +++ b/api_docs/kbn_config_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config-mocks title: "@kbn/config-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/config-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config-mocks'] --- import kbnConfigMocksObj from './kbn_config_mocks.devdocs.json'; diff --git a/api_docs/kbn_config_schema.mdx b/api_docs/kbn_config_schema.mdx index a253304dd8e66..82e626fbf1b20 100644 --- a/api_docs/kbn_config_schema.mdx +++ b/api_docs/kbn_config_schema.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config-schema title: "@kbn/config-schema" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/config-schema plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config-schema'] --- import kbnConfigSchemaObj from './kbn_config_schema.devdocs.json'; diff --git a/api_docs/kbn_content_management_content_editor.mdx b/api_docs/kbn_content_management_content_editor.mdx index c5bc6fae58061..faa22b9b56552 100644 --- a/api_docs/kbn_content_management_content_editor.mdx +++ b/api_docs/kbn_content_management_content_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-content-management-content-editor title: "@kbn/content-management-content-editor" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/content-management-content-editor plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/content-management-content-editor'] --- import kbnContentManagementContentEditorObj from './kbn_content_management_content_editor.devdocs.json'; 
diff --git a/api_docs/kbn_content_management_table_list.mdx b/api_docs/kbn_content_management_table_list.mdx index 67fb4fc2d268c..99045be94dca0 100644 --- a/api_docs/kbn_content_management_table_list.mdx +++ b/api_docs/kbn_content_management_table_list.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-content-management-table-list title: "@kbn/content-management-table-list" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/content-management-table-list plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/content-management-table-list'] --- import kbnContentManagementTableListObj from './kbn_content_management_table_list.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_browser.mdx b/api_docs/kbn_core_analytics_browser.mdx index bd0babef68b6d..7087722a958ec 100644 --- a/api_docs/kbn_core_analytics_browser.mdx +++ b/api_docs/kbn_core_analytics_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser title: "@kbn/core-analytics-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser'] --- import kbnCoreAnalyticsBrowserObj from './kbn_core_analytics_browser.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_browser_internal.mdx b/api_docs/kbn_core_analytics_browser_internal.mdx index ffe6c513319f0..597ba2a293744 100644 --- a/api_docs/kbn_core_analytics_browser_internal.mdx +++ b/api_docs/kbn_core_analytics_browser_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser-internal title: "@kbn/core-analytics-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser-internal'] --- import kbnCoreAnalyticsBrowserInternalObj from './kbn_core_analytics_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_browser_mocks.mdx b/api_docs/kbn_core_analytics_browser_mocks.mdx index 2b17d37d624c1..78862be0a7c2a 100644 --- a/api_docs/kbn_core_analytics_browser_mocks.mdx +++ b/api_docs/kbn_core_analytics_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser-mocks title: "@kbn/core-analytics-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser-mocks'] --- import kbnCoreAnalyticsBrowserMocksObj from './kbn_core_analytics_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_server.mdx b/api_docs/kbn_core_analytics_server.mdx index 46478fe6df7be..7d887a3e2136c 100644 --- a/api_docs/kbn_core_analytics_server.mdx +++ b/api_docs/kbn_core_analytics_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server title: "@kbn/core-analytics-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server'] --- import kbnCoreAnalyticsServerObj from './kbn_core_analytics_server.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_server_internal.mdx b/api_docs/kbn_core_analytics_server_internal.mdx index e58a33293e84a..f8c0708770d25 100644 
--- a/api_docs/kbn_core_analytics_server_internal.mdx +++ b/api_docs/kbn_core_analytics_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server-internal title: "@kbn/core-analytics-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server-internal'] --- import kbnCoreAnalyticsServerInternalObj from './kbn_core_analytics_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_server_mocks.mdx b/api_docs/kbn_core_analytics_server_mocks.mdx index 6728390da3389..1e11154bbd9b3 100644 --- a/api_docs/kbn_core_analytics_server_mocks.mdx +++ b/api_docs/kbn_core_analytics_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server-mocks title: "@kbn/core-analytics-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server-mocks'] --- import kbnCoreAnalyticsServerMocksObj from './kbn_core_analytics_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_application_browser.mdx b/api_docs/kbn_core_application_browser.mdx index 925be935477af..1dac0776db86e 100644 --- a/api_docs/kbn_core_application_browser.mdx +++ b/api_docs/kbn_core_application_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-browser title: "@kbn/core-application-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-application-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-browser'] --- import kbnCoreApplicationBrowserObj from './kbn_core_application_browser.devdocs.json'; 
diff --git a/api_docs/kbn_core_application_browser_internal.mdx b/api_docs/kbn_core_application_browser_internal.mdx index 3f2deeeda156f..2313f3006dbc1 100644 --- a/api_docs/kbn_core_application_browser_internal.mdx +++ b/api_docs/kbn_core_application_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-browser-internal title: "@kbn/core-application-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-application-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-browser-internal'] --- import kbnCoreApplicationBrowserInternalObj from './kbn_core_application_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_application_browser_mocks.mdx b/api_docs/kbn_core_application_browser_mocks.mdx index 061e56d316e1e..1c986c61aee40 100644 --- a/api_docs/kbn_core_application_browser_mocks.mdx +++ b/api_docs/kbn_core_application_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-browser-mocks title: "@kbn/core-application-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-application-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-browser-mocks'] --- import kbnCoreApplicationBrowserMocksObj from './kbn_core_application_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_application_common.mdx b/api_docs/kbn_core_application_common.mdx index 2edfbff89d204..afaacc9b2937e 100644 --- a/api_docs/kbn_core_application_common.mdx +++ b/api_docs/kbn_core_application_common.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-application-common title: "@kbn/core-application-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-application-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-application-common'] --- import kbnCoreApplicationCommonObj from './kbn_core_application_common.devdocs.json'; diff --git a/api_docs/kbn_core_apps_browser_internal.mdx b/api_docs/kbn_core_apps_browser_internal.mdx index e65fed629b237..ee2d6677c2209 100644 --- a/api_docs/kbn_core_apps_browser_internal.mdx +++ b/api_docs/kbn_core_apps_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-apps-browser-internal title: "@kbn/core-apps-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-apps-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-apps-browser-internal'] --- import kbnCoreAppsBrowserInternalObj from './kbn_core_apps_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_apps_browser_mocks.mdx b/api_docs/kbn_core_apps_browser_mocks.mdx index c6a5cc07ce9d9..18b5ceaae2661 100644 --- a/api_docs/kbn_core_apps_browser_mocks.mdx +++ b/api_docs/kbn_core_apps_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-apps-browser-mocks title: "@kbn/core-apps-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-apps-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-apps-browser-mocks'] --- import kbnCoreAppsBrowserMocksObj from './kbn_core_apps_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_apps_server_internal.mdx b/api_docs/kbn_core_apps_server_internal.mdx index 46ef2a82a5e48..a9147334c7aaa 100644 --- a/api_docs/kbn_core_apps_server_internal.mdx 
+++ b/api_docs/kbn_core_apps_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-apps-server-internal title: "@kbn/core-apps-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-apps-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-apps-server-internal'] --- import kbnCoreAppsServerInternalObj from './kbn_core_apps_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_base_browser_mocks.mdx b/api_docs/kbn_core_base_browser_mocks.mdx index 3eb739cda14ad..1078c2eb427a6 100644 --- a/api_docs/kbn_core_base_browser_mocks.mdx +++ b/api_docs/kbn_core_base_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-browser-mocks title: "@kbn/core-base-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-browser-mocks'] --- import kbnCoreBaseBrowserMocksObj from './kbn_core_base_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_base_common.mdx b/api_docs/kbn_core_base_common.mdx index b0b534b6f8397..86ce82c82dbc7 100644 --- a/api_docs/kbn_core_base_common.mdx +++ b/api_docs/kbn_core_base_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-common title: "@kbn/core-base-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-common'] --- import kbnCoreBaseCommonObj from './kbn_core_base_common.devdocs.json'; diff --git a/api_docs/kbn_core_base_server_internal.mdx b/api_docs/kbn_core_base_server_internal.mdx index f22fc241ed847..71181a23cc984 100644 --- a/api_docs/kbn_core_base_server_internal.mdx +++ b/api_docs/kbn_core_base_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-server-internal title: "@kbn/core-base-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-server-internal'] --- import kbnCoreBaseServerInternalObj from './kbn_core_base_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_base_server_mocks.mdx b/api_docs/kbn_core_base_server_mocks.mdx index 42b26d5bbe40f..f8bec8a5428aa 100644 --- a/api_docs/kbn_core_base_server_mocks.mdx +++ b/api_docs/kbn_core_base_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-server-mocks title: "@kbn/core-base-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-server-mocks'] --- import kbnCoreBaseServerMocksObj from './kbn_core_base_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_capabilities_browser_mocks.mdx b/api_docs/kbn_core_capabilities_browser_mocks.mdx index 0e29870762ddf..cd9edb37be626 100644 --- a/api_docs/kbn_core_capabilities_browser_mocks.mdx +++ b/api_docs/kbn_core_capabilities_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-browser-mocks title: "@kbn/core-capabilities-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-capabilities-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-browser-mocks'] --- import kbnCoreCapabilitiesBrowserMocksObj from './kbn_core_capabilities_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_capabilities_common.mdx b/api_docs/kbn_core_capabilities_common.mdx index 2a5975912f6e0..5fb9933164c39 100644 
--- a/api_docs/kbn_core_capabilities_common.mdx +++ b/api_docs/kbn_core_capabilities_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-common title: "@kbn/core-capabilities-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-capabilities-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-common'] --- import kbnCoreCapabilitiesCommonObj from './kbn_core_capabilities_common.devdocs.json'; diff --git a/api_docs/kbn_core_capabilities_server.mdx b/api_docs/kbn_core_capabilities_server.mdx index f7e136ddcf886..f5d2f940860d8 100644 --- a/api_docs/kbn_core_capabilities_server.mdx +++ b/api_docs/kbn_core_capabilities_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-server title: "@kbn/core-capabilities-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-capabilities-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-server'] --- import kbnCoreCapabilitiesServerObj from './kbn_core_capabilities_server.devdocs.json'; diff --git a/api_docs/kbn_core_capabilities_server_mocks.mdx b/api_docs/kbn_core_capabilities_server_mocks.mdx index 089611f4f982c..199f67dc0526c 100644 --- a/api_docs/kbn_core_capabilities_server_mocks.mdx +++ b/api_docs/kbn_core_capabilities_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-server-mocks title: "@kbn/core-capabilities-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-capabilities-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-server-mocks'] --- import kbnCoreCapabilitiesServerMocksObj from './kbn_core_capabilities_server_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_chrome_browser.mdx b/api_docs/kbn_core_chrome_browser.mdx index 2739a16c3e26d..f00f77c2a56d9 100644 --- a/api_docs/kbn_core_chrome_browser.mdx +++ b/api_docs/kbn_core_chrome_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-chrome-browser title: "@kbn/core-chrome-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-chrome-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-chrome-browser'] --- import kbnCoreChromeBrowserObj from './kbn_core_chrome_browser.devdocs.json'; diff --git a/api_docs/kbn_core_chrome_browser_mocks.mdx b/api_docs/kbn_core_chrome_browser_mocks.mdx index ef124b9ce828b..f7734579a207e 100644 --- a/api_docs/kbn_core_chrome_browser_mocks.mdx +++ b/api_docs/kbn_core_chrome_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-chrome-browser-mocks title: "@kbn/core-chrome-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-chrome-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-chrome-browser-mocks'] --- import kbnCoreChromeBrowserMocksObj from './kbn_core_chrome_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_config_server_internal.mdx b/api_docs/kbn_core_config_server_internal.mdx index 3fa820f55e2c1..39f484e711d93 100644 --- a/api_docs/kbn_core_config_server_internal.mdx +++ b/api_docs/kbn_core_config_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-config-server-internal title: "@kbn/core-config-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-config-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-config-server-internal'] --- import kbnCoreConfigServerInternalObj from './kbn_core_config_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_custom_branding_browser.mdx b/api_docs/kbn_core_custom_branding_browser.mdx index b0588f2ef34a6..7ab0311096690 100644 --- a/api_docs/kbn_core_custom_branding_browser.mdx +++ b/api_docs/kbn_core_custom_branding_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-browser title: "@kbn/core-custom-branding-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-custom-branding-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-browser'] --- import kbnCoreCustomBrandingBrowserObj from './kbn_core_custom_branding_browser.devdocs.json'; diff --git a/api_docs/kbn_core_custom_branding_browser_internal.mdx b/api_docs/kbn_core_custom_branding_browser_internal.mdx index 8f353fa408805..55bf129989c7f 100644 --- a/api_docs/kbn_core_custom_branding_browser_internal.mdx +++ b/api_docs/kbn_core_custom_branding_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-browser-internal title: "@kbn/core-custom-branding-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-custom-branding-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-browser-internal'] --- import kbnCoreCustomBrandingBrowserInternalObj from './kbn_core_custom_branding_browser_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_custom_branding_browser_mocks.mdx b/api_docs/kbn_core_custom_branding_browser_mocks.mdx index c94056127d66a..19a4e0702db7d 100644 --- a/api_docs/kbn_core_custom_branding_browser_mocks.mdx +++ b/api_docs/kbn_core_custom_branding_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-browser-mocks title: "@kbn/core-custom-branding-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-custom-branding-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-browser-mocks'] --- import kbnCoreCustomBrandingBrowserMocksObj from './kbn_core_custom_branding_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_custom_branding_common.mdx b/api_docs/kbn_core_custom_branding_common.mdx index 965df8d06317e..1db1587a61f5f 100644 --- a/api_docs/kbn_core_custom_branding_common.mdx +++ b/api_docs/kbn_core_custom_branding_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-common title: "@kbn/core-custom-branding-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-custom-branding-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-common'] --- import kbnCoreCustomBrandingCommonObj from './kbn_core_custom_branding_common.devdocs.json'; diff --git a/api_docs/kbn_core_custom_branding_server.mdx b/api_docs/kbn_core_custom_branding_server.mdx index d17f96da63f95..62db4fa2001d1 100644 --- a/api_docs/kbn_core_custom_branding_server.mdx +++ b/api_docs/kbn_core_custom_branding_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-server title: "@kbn/core-custom-branding-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-custom-branding-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-server'] --- import kbnCoreCustomBrandingServerObj from './kbn_core_custom_branding_server.devdocs.json'; diff --git a/api_docs/kbn_core_custom_branding_server_internal.mdx b/api_docs/kbn_core_custom_branding_server_internal.mdx index 112dd38004af3..254964816fd3b 100644 --- a/api_docs/kbn_core_custom_branding_server_internal.mdx +++ b/api_docs/kbn_core_custom_branding_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-server-internal title: "@kbn/core-custom-branding-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-custom-branding-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-server-internal'] --- import kbnCoreCustomBrandingServerInternalObj from './kbn_core_custom_branding_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_custom_branding_server_mocks.mdx b/api_docs/kbn_core_custom_branding_server_mocks.mdx index 7657432fe89bd..cad934947771d 100644 --- a/api_docs/kbn_core_custom_branding_server_mocks.mdx +++ b/api_docs/kbn_core_custom_branding_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-custom-branding-server-mocks title: "@kbn/core-custom-branding-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-custom-branding-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-custom-branding-server-mocks'] --- import kbnCoreCustomBrandingServerMocksObj from './kbn_core_custom_branding_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_browser.mdx b/api_docs/kbn_core_deprecations_browser.mdx index 21dfb0909e8b0..7ec4dda1b4742 100644 --- a/api_docs/kbn_core_deprecations_browser.mdx +++ b/api_docs/kbn_core_deprecations_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser title: "@kbn/core-deprecations-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser'] --- import kbnCoreDeprecationsBrowserObj from './kbn_core_deprecations_browser.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_browser_internal.mdx b/api_docs/kbn_core_deprecations_browser_internal.mdx index c7d03b4c34ad2..b2fbee971dc1d 100644 --- a/api_docs/kbn_core_deprecations_browser_internal.mdx +++ b/api_docs/kbn_core_deprecations_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser-internal title: "@kbn/core-deprecations-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser-internal'] --- import kbnCoreDeprecationsBrowserInternalObj from './kbn_core_deprecations_browser_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_deprecations_browser_mocks.mdx b/api_docs/kbn_core_deprecations_browser_mocks.mdx index 383aaa98dea0b..ea81b3c21b105 100644 --- a/api_docs/kbn_core_deprecations_browser_mocks.mdx +++ b/api_docs/kbn_core_deprecations_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser-mocks title: "@kbn/core-deprecations-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser-mocks'] --- import kbnCoreDeprecationsBrowserMocksObj from './kbn_core_deprecations_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_common.mdx b/api_docs/kbn_core_deprecations_common.mdx index d353993a82b5e..c545f5acbf99b 100644 --- a/api_docs/kbn_core_deprecations_common.mdx +++ b/api_docs/kbn_core_deprecations_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-common title: "@kbn/core-deprecations-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-common'] --- import kbnCoreDeprecationsCommonObj from './kbn_core_deprecations_common.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_server.mdx b/api_docs/kbn_core_deprecations_server.mdx index d684649cac4ba..cf80d4a366efd 100644 --- a/api_docs/kbn_core_deprecations_server.mdx +++ b/api_docs/kbn_core_deprecations_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-server title: "@kbn/core-deprecations-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-server'] --- import kbnCoreDeprecationsServerObj from './kbn_core_deprecations_server.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_server_internal.mdx b/api_docs/kbn_core_deprecations_server_internal.mdx index 60aec58ac93f8..59a9ca9e497b7 100644 --- a/api_docs/kbn_core_deprecations_server_internal.mdx +++ b/api_docs/kbn_core_deprecations_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-server-internal title: "@kbn/core-deprecations-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-server-internal'] --- import kbnCoreDeprecationsServerInternalObj from './kbn_core_deprecations_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_server_mocks.mdx b/api_docs/kbn_core_deprecations_server_mocks.mdx index 4f06adcb4c3f2..591d382a787f6 100644 --- a/api_docs/kbn_core_deprecations_server_mocks.mdx +++ b/api_docs/kbn_core_deprecations_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-server-mocks title: "@kbn/core-deprecations-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-server-mocks'] --- import kbnCoreDeprecationsServerMocksObj from './kbn_core_deprecations_server_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_doc_links_browser.mdx b/api_docs/kbn_core_doc_links_browser.mdx index 64aa85183bf8d..d87279308d415 100644 --- a/api_docs/kbn_core_doc_links_browser.mdx +++ b/api_docs/kbn_core_doc_links_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-browser title: "@kbn/core-doc-links-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-browser'] --- import kbnCoreDocLinksBrowserObj from './kbn_core_doc_links_browser.devdocs.json'; diff --git a/api_docs/kbn_core_doc_links_browser_mocks.mdx b/api_docs/kbn_core_doc_links_browser_mocks.mdx index 7916d11105022..96e95f0c56da0 100644 --- a/api_docs/kbn_core_doc_links_browser_mocks.mdx +++ b/api_docs/kbn_core_doc_links_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-browser-mocks title: "@kbn/core-doc-links-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-browser-mocks'] --- import kbnCoreDocLinksBrowserMocksObj from './kbn_core_doc_links_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_doc_links_server.mdx b/api_docs/kbn_core_doc_links_server.mdx index faa09acc52387..6e2118197a786 100644 --- a/api_docs/kbn_core_doc_links_server.mdx +++ b/api_docs/kbn_core_doc_links_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-server title: "@kbn/core-doc-links-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-server'] --- import kbnCoreDocLinksServerObj from './kbn_core_doc_links_server.devdocs.json'; diff --git a/api_docs/kbn_core_doc_links_server_mocks.mdx b/api_docs/kbn_core_doc_links_server_mocks.mdx index b5e9a4ccb8dbb..81a23f62c93c7 100644 --- a/api_docs/kbn_core_doc_links_server_mocks.mdx +++ b/api_docs/kbn_core_doc_links_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-server-mocks title: "@kbn/core-doc-links-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-server-mocks'] --- import kbnCoreDocLinksServerMocksObj from './kbn_core_doc_links_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_client_server_internal.mdx b/api_docs/kbn_core_elasticsearch_client_server_internal.mdx index 3fd2bcf68c1c3..0f1b6127d642f 100644 --- a/api_docs/kbn_core_elasticsearch_client_server_internal.mdx +++ b/api_docs/kbn_core_elasticsearch_client_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-client-server-internal title: "@kbn/core-elasticsearch-client-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-client-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-client-server-internal'] --- import kbnCoreElasticsearchClientServerInternalObj from './kbn_core_elasticsearch_client_server_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx b/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx index 433072f2de56e..3cf5d5e60c0f7 100644 --- a/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx +++ b/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-client-server-mocks title: "@kbn/core-elasticsearch-client-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-client-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-client-server-mocks'] --- import kbnCoreElasticsearchClientServerMocksObj from './kbn_core_elasticsearch_client_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_server.mdx b/api_docs/kbn_core_elasticsearch_server.mdx index c278fa1841f2d..cc4abbc0c24ee 100644 --- a/api_docs/kbn_core_elasticsearch_server.mdx +++ b/api_docs/kbn_core_elasticsearch_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server title: "@kbn/core-elasticsearch-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server'] --- import kbnCoreElasticsearchServerObj from './kbn_core_elasticsearch_server.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_server_internal.mdx b/api_docs/kbn_core_elasticsearch_server_internal.mdx index 9de835878b228..8bf607ec67890 100644 --- a/api_docs/kbn_core_elasticsearch_server_internal.mdx +++ b/api_docs/kbn_core_elasticsearch_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server-internal title: "@kbn/core-elasticsearch-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server-internal'] --- import kbnCoreElasticsearchServerInternalObj from './kbn_core_elasticsearch_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_server_mocks.mdx b/api_docs/kbn_core_elasticsearch_server_mocks.mdx index a83b7ec2ee3ea..44032756a56df 100644 --- a/api_docs/kbn_core_elasticsearch_server_mocks.mdx +++ b/api_docs/kbn_core_elasticsearch_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server-mocks title: "@kbn/core-elasticsearch-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server-mocks'] --- import kbnCoreElasticsearchServerMocksObj from './kbn_core_elasticsearch_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_environment_server_internal.mdx b/api_docs/kbn_core_environment_server_internal.mdx index 1984164dba728..61607265c06e5 100644 --- a/api_docs/kbn_core_environment_server_internal.mdx +++ b/api_docs/kbn_core_environment_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-environment-server-internal title: "@kbn/core-environment-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-environment-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-environment-server-internal'] --- import kbnCoreEnvironmentServerInternalObj from './kbn_core_environment_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_environment_server_mocks.mdx b/api_docs/kbn_core_environment_server_mocks.mdx index be966e3aa9705..69e3829f43f5a 100644 --- a/api_docs/kbn_core_environment_server_mocks.mdx +++ b/api_docs/kbn_core_environment_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-environment-server-mocks title: "@kbn/core-environment-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-environment-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-environment-server-mocks'] --- import kbnCoreEnvironmentServerMocksObj from './kbn_core_environment_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_browser.mdx b/api_docs/kbn_core_execution_context_browser.mdx index 70dc4cb32b0f6..f6da73d8c1345 100644 --- a/api_docs/kbn_core_execution_context_browser.mdx +++ b/api_docs/kbn_core_execution_context_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser title: "@kbn/core-execution-context-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser'] --- import kbnCoreExecutionContextBrowserObj from './kbn_core_execution_context_browser.devdocs.json'; 
diff --git a/api_docs/kbn_core_execution_context_browser_internal.mdx b/api_docs/kbn_core_execution_context_browser_internal.mdx index 72722d95c29e2..7a95447ef13e3 100644 --- a/api_docs/kbn_core_execution_context_browser_internal.mdx +++ b/api_docs/kbn_core_execution_context_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser-internal title: "@kbn/core-execution-context-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser-internal'] --- import kbnCoreExecutionContextBrowserInternalObj from './kbn_core_execution_context_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_browser_mocks.mdx b/api_docs/kbn_core_execution_context_browser_mocks.mdx index 0fb8d10b2c639..08431549f17ab 100644 --- a/api_docs/kbn_core_execution_context_browser_mocks.mdx +++ b/api_docs/kbn_core_execution_context_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser-mocks title: "@kbn/core-execution-context-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser-mocks'] --- import kbnCoreExecutionContextBrowserMocksObj from './kbn_core_execution_context_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_common.mdx b/api_docs/kbn_core_execution_context_common.mdx index 050e7d8eac38b..7e0fb2e7965e3 100644 --- a/api_docs/kbn_core_execution_context_common.mdx +++ b/api_docs/kbn_core_execution_context_common.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-common title: "@kbn/core-execution-context-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-common'] --- import kbnCoreExecutionContextCommonObj from './kbn_core_execution_context_common.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_server.mdx b/api_docs/kbn_core_execution_context_server.mdx index ce5f5ce67e242..3515f985d7dc6 100644 --- a/api_docs/kbn_core_execution_context_server.mdx +++ b/api_docs/kbn_core_execution_context_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server title: "@kbn/core-execution-context-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server'] --- import kbnCoreExecutionContextServerObj from './kbn_core_execution_context_server.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_server_internal.mdx b/api_docs/kbn_core_execution_context_server_internal.mdx index 141e9c0f3d3f3..649f9dcdfe079 100644 --- a/api_docs/kbn_core_execution_context_server_internal.mdx +++ b/api_docs/kbn_core_execution_context_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server-internal title: "@kbn/core-execution-context-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server-internal'] --- import kbnCoreExecutionContextServerInternalObj from './kbn_core_execution_context_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_server_mocks.mdx b/api_docs/kbn_core_execution_context_server_mocks.mdx index 47f49f142d2d0..812e3548e9145 100644 --- a/api_docs/kbn_core_execution_context_server_mocks.mdx +++ b/api_docs/kbn_core_execution_context_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server-mocks title: "@kbn/core-execution-context-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server-mocks'] --- import kbnCoreExecutionContextServerMocksObj from './kbn_core_execution_context_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_fatal_errors_browser.mdx b/api_docs/kbn_core_fatal_errors_browser.mdx index d0950f433ac81..c6e54e92b855d 100644 --- a/api_docs/kbn_core_fatal_errors_browser.mdx +++ b/api_docs/kbn_core_fatal_errors_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-fatal-errors-browser title: "@kbn/core-fatal-errors-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-fatal-errors-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-fatal-errors-browser'] --- import kbnCoreFatalErrorsBrowserObj from './kbn_core_fatal_errors_browser.devdocs.json'; 
diff --git a/api_docs/kbn_core_fatal_errors_browser_mocks.mdx b/api_docs/kbn_core_fatal_errors_browser_mocks.mdx index 2daf9c2050d40..70bbf249aab6d 100644 --- a/api_docs/kbn_core_fatal_errors_browser_mocks.mdx +++ b/api_docs/kbn_core_fatal_errors_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-fatal-errors-browser-mocks title: "@kbn/core-fatal-errors-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-fatal-errors-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-fatal-errors-browser-mocks'] --- import kbnCoreFatalErrorsBrowserMocksObj from './kbn_core_fatal_errors_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_http_browser.mdx b/api_docs/kbn_core_http_browser.mdx index c797998ca49d0..3199d7b7151a3 100644 --- a/api_docs/kbn_core_http_browser.mdx +++ b/api_docs/kbn_core_http_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser title: "@kbn/core-http-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser'] --- import kbnCoreHttpBrowserObj from './kbn_core_http_browser.devdocs.json'; diff --git a/api_docs/kbn_core_http_browser_internal.mdx b/api_docs/kbn_core_http_browser_internal.mdx index 334bb46a06c8d..6cdd57ab5ed3e 100644 --- a/api_docs/kbn_core_http_browser_internal.mdx +++ b/api_docs/kbn_core_http_browser_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser-internal title: "@kbn/core-http-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser-internal'] --- import kbnCoreHttpBrowserInternalObj from './kbn_core_http_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_http_browser_mocks.mdx b/api_docs/kbn_core_http_browser_mocks.mdx index f45a3ff135202..cfb239def016a 100644 --- a/api_docs/kbn_core_http_browser_mocks.mdx +++ b/api_docs/kbn_core_http_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser-mocks title: "@kbn/core-http-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser-mocks'] --- import kbnCoreHttpBrowserMocksObj from './kbn_core_http_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_http_common.mdx b/api_docs/kbn_core_http_common.mdx index 07c8d10e287c8..eac1c0508257e 100644 --- a/api_docs/kbn_core_http_common.mdx +++ b/api_docs/kbn_core_http_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-common title: "@kbn/core-http-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-common'] --- import kbnCoreHttpCommonObj from './kbn_core_http_common.devdocs.json'; diff --git a/api_docs/kbn_core_http_context_server_mocks.mdx b/api_docs/kbn_core_http_context_server_mocks.mdx index 2887d54d6c072..78550a06f7db8 100644 --- a/api_docs/kbn_core_http_context_server_mocks.mdx +++ b/api_docs/kbn_core_http_context_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-context-server-mocks title: "@kbn/core-http-context-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-context-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-context-server-mocks'] --- import kbnCoreHttpContextServerMocksObj from './kbn_core_http_context_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_http_request_handler_context_server.mdx b/api_docs/kbn_core_http_request_handler_context_server.mdx index df5ce63b82fa2..2ccfde36e9889 100644 --- a/api_docs/kbn_core_http_request_handler_context_server.mdx +++ b/api_docs/kbn_core_http_request_handler_context_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-request-handler-context-server title: "@kbn/core-http-request-handler-context-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-request-handler-context-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-request-handler-context-server'] --- import kbnCoreHttpRequestHandlerContextServerObj from './kbn_core_http_request_handler_context_server.devdocs.json'; diff --git a/api_docs/kbn_core_http_resources_server.mdx b/api_docs/kbn_core_http_resources_server.mdx index 4f586c348e4f9..18021a8315841 100644 --- a/api_docs/kbn_core_http_resources_server.mdx +++ b/api_docs/kbn_core_http_resources_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-resources-server title: "@kbn/core-http-resources-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-resources-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-resources-server'] --- import kbnCoreHttpResourcesServerObj from './kbn_core_http_resources_server.devdocs.json'; diff --git a/api_docs/kbn_core_http_resources_server_internal.mdx b/api_docs/kbn_core_http_resources_server_internal.mdx index 5f4e0c12a0e98..66b453c2cdcfe 100644 --- a/api_docs/kbn_core_http_resources_server_internal.mdx +++ b/api_docs/kbn_core_http_resources_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-resources-server-internal title: "@kbn/core-http-resources-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-resources-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-resources-server-internal'] --- import kbnCoreHttpResourcesServerInternalObj from './kbn_core_http_resources_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_http_resources_server_mocks.mdx b/api_docs/kbn_core_http_resources_server_mocks.mdx index 88f02ec490d03..c440466fbcba9 100644 --- a/api_docs/kbn_core_http_resources_server_mocks.mdx +++ b/api_docs/kbn_core_http_resources_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-resources-server-mocks title: "@kbn/core-http-resources-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-resources-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-resources-server-mocks'] --- import kbnCoreHttpResourcesServerMocksObj from './kbn_core_http_resources_server_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_http_router_server_internal.mdx b/api_docs/kbn_core_http_router_server_internal.mdx index 759ecc1c1e737..9bdac460a0671 100644 --- a/api_docs/kbn_core_http_router_server_internal.mdx +++ b/api_docs/kbn_core_http_router_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-router-server-internal title: "@kbn/core-http-router-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-router-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-router-server-internal'] --- import kbnCoreHttpRouterServerInternalObj from './kbn_core_http_router_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_http_router_server_mocks.mdx b/api_docs/kbn_core_http_router_server_mocks.mdx index 3d9b8135292af..ce55e1039a97f 100644 --- a/api_docs/kbn_core_http_router_server_mocks.mdx +++ b/api_docs/kbn_core_http_router_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-router-server-mocks title: "@kbn/core-http-router-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-router-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-router-server-mocks'] --- import kbnCoreHttpRouterServerMocksObj from './kbn_core_http_router_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_http_server.mdx b/api_docs/kbn_core_http_server.mdx index 4f64e06e9674e..b6ac722c10f09 100644 --- a/api_docs/kbn_core_http_server.mdx +++ b/api_docs/kbn_core_http_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server title: "@kbn/core-http-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server'] --- import kbnCoreHttpServerObj from './kbn_core_http_server.devdocs.json'; diff --git a/api_docs/kbn_core_http_server_internal.mdx b/api_docs/kbn_core_http_server_internal.mdx index bfb80e821eb29..5e5fd076455f1 100644 --- a/api_docs/kbn_core_http_server_internal.mdx +++ b/api_docs/kbn_core_http_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server-internal title: "@kbn/core-http-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server-internal'] --- import kbnCoreHttpServerInternalObj from './kbn_core_http_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_http_server_mocks.mdx b/api_docs/kbn_core_http_server_mocks.mdx index c8a00f2d71d35..bb7d33cfca4cb 100644 --- a/api_docs/kbn_core_http_server_mocks.mdx +++ b/api_docs/kbn_core_http_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server-mocks title: "@kbn/core-http-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server-mocks'] --- import kbnCoreHttpServerMocksObj from './kbn_core_http_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_i18n_browser.mdx b/api_docs/kbn_core_i18n_browser.mdx index d2f969d945c1e..0af9ad56816e1 100644 --- a/api_docs/kbn_core_i18n_browser.mdx +++ b/api_docs/kbn_core_i18n_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-browser title: "@kbn/core-i18n-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-i18n-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-browser'] --- import kbnCoreI18nBrowserObj from './kbn_core_i18n_browser.devdocs.json'; diff --git a/api_docs/kbn_core_i18n_browser_mocks.mdx b/api_docs/kbn_core_i18n_browser_mocks.mdx index 4f332e0faa55d..c2c5158f58a79 100644 --- a/api_docs/kbn_core_i18n_browser_mocks.mdx +++ b/api_docs/kbn_core_i18n_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-browser-mocks title: "@kbn/core-i18n-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-i18n-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-browser-mocks'] --- import kbnCoreI18nBrowserMocksObj from './kbn_core_i18n_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_i18n_server.mdx b/api_docs/kbn_core_i18n_server.mdx index 30205cf8b4b7d..a68c77decdb3d 100644 --- a/api_docs/kbn_core_i18n_server.mdx +++ b/api_docs/kbn_core_i18n_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-server title: "@kbn/core-i18n-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-i18n-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-server'] --- import kbnCoreI18nServerObj from './kbn_core_i18n_server.devdocs.json'; diff --git a/api_docs/kbn_core_i18n_server_internal.mdx b/api_docs/kbn_core_i18n_server_internal.mdx index 56fa415fb9377..9a218c1f89a9c 100644 --- a/api_docs/kbn_core_i18n_server_internal.mdx +++ b/api_docs/kbn_core_i18n_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-server-internal title: "@kbn/core-i18n-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-i18n-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-server-internal'] --- import kbnCoreI18nServerInternalObj from './kbn_core_i18n_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_i18n_server_mocks.mdx b/api_docs/kbn_core_i18n_server_mocks.mdx index 621136816a6d5..d87664e11efa3 100644 --- a/api_docs/kbn_core_i18n_server_mocks.mdx +++ b/api_docs/kbn_core_i18n_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-server-mocks title: "@kbn/core-i18n-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-i18n-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-server-mocks'] --- import kbnCoreI18nServerMocksObj from './kbn_core_i18n_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_injected_metadata_browser_mocks.mdx b/api_docs/kbn_core_injected_metadata_browser_mocks.mdx index ecf12a47edf6f..c48935dc4918a 100644 --- a/api_docs/kbn_core_injected_metadata_browser_mocks.mdx +++ b/api_docs/kbn_core_injected_metadata_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-injected-metadata-browser-mocks title: "@kbn/core-injected-metadata-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-injected-metadata-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-injected-metadata-browser-mocks'] --- import kbnCoreInjectedMetadataBrowserMocksObj from './kbn_core_injected_metadata_browser_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_integrations_browser_internal.mdx b/api_docs/kbn_core_integrations_browser_internal.mdx index 758c27360710e..fb5bab6a37ec7 100644 --- a/api_docs/kbn_core_integrations_browser_internal.mdx +++ b/api_docs/kbn_core_integrations_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-integrations-browser-internal title: "@kbn/core-integrations-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-integrations-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-integrations-browser-internal'] --- import kbnCoreIntegrationsBrowserInternalObj from './kbn_core_integrations_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_integrations_browser_mocks.mdx b/api_docs/kbn_core_integrations_browser_mocks.mdx index 0faf80f8b1d64..69ed0fd68a737 100644 --- a/api_docs/kbn_core_integrations_browser_mocks.mdx +++ b/api_docs/kbn_core_integrations_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-integrations-browser-mocks title: "@kbn/core-integrations-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-integrations-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-integrations-browser-mocks'] --- import kbnCoreIntegrationsBrowserMocksObj from './kbn_core_integrations_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_lifecycle_browser.mdx b/api_docs/kbn_core_lifecycle_browser.mdx index 96a072d386b68..f3fa6293ef89f 100644 --- a/api_docs/kbn_core_lifecycle_browser.mdx +++ b/api_docs/kbn_core_lifecycle_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-browser title: "@kbn/core-lifecycle-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-lifecycle-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-browser'] --- import kbnCoreLifecycleBrowserObj from './kbn_core_lifecycle_browser.devdocs.json'; diff --git a/api_docs/kbn_core_lifecycle_browser_mocks.mdx b/api_docs/kbn_core_lifecycle_browser_mocks.mdx index 686555175a670..73178cdf07ba4 100644 --- a/api_docs/kbn_core_lifecycle_browser_mocks.mdx +++ b/api_docs/kbn_core_lifecycle_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-browser-mocks title: "@kbn/core-lifecycle-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-lifecycle-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-browser-mocks'] --- import kbnCoreLifecycleBrowserMocksObj from './kbn_core_lifecycle_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_lifecycle_server.mdx b/api_docs/kbn_core_lifecycle_server.mdx index fd28c416c3f37..7f848dc3e64fa 100644 --- a/api_docs/kbn_core_lifecycle_server.mdx +++ b/api_docs/kbn_core_lifecycle_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-server title: "@kbn/core-lifecycle-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-lifecycle-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-server'] --- import kbnCoreLifecycleServerObj from './kbn_core_lifecycle_server.devdocs.json'; diff --git a/api_docs/kbn_core_lifecycle_server_mocks.mdx b/api_docs/kbn_core_lifecycle_server_mocks.mdx index 35f5efafd3b01..b57586a18e294 100644 --- a/api_docs/kbn_core_lifecycle_server_mocks.mdx 
+++ b/api_docs/kbn_core_lifecycle_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-lifecycle-server-mocks title: "@kbn/core-lifecycle-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-lifecycle-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-lifecycle-server-mocks'] --- import kbnCoreLifecycleServerMocksObj from './kbn_core_lifecycle_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_logging_browser_mocks.mdx b/api_docs/kbn_core_logging_browser_mocks.mdx index 88ab5142cb852..9837753764de9 100644 --- a/api_docs/kbn_core_logging_browser_mocks.mdx +++ b/api_docs/kbn_core_logging_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-browser-mocks title: "@kbn/core-logging-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-browser-mocks'] --- import kbnCoreLoggingBrowserMocksObj from './kbn_core_logging_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_logging_common_internal.mdx b/api_docs/kbn_core_logging_common_internal.mdx index 8e0df34b9aec9..cea078307acd8 100644 --- a/api_docs/kbn_core_logging_common_internal.mdx +++ b/api_docs/kbn_core_logging_common_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-common-internal title: "@kbn/core-logging-common-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-common-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-common-internal'] --- import kbnCoreLoggingCommonInternalObj from './kbn_core_logging_common_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_logging_server.mdx b/api_docs/kbn_core_logging_server.mdx index 9aa390e34f0fb..e6eff1e8ec5d2 100644 --- a/api_docs/kbn_core_logging_server.mdx +++ b/api_docs/kbn_core_logging_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server title: "@kbn/core-logging-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server'] --- import kbnCoreLoggingServerObj from './kbn_core_logging_server.devdocs.json'; diff --git a/api_docs/kbn_core_logging_server_internal.mdx b/api_docs/kbn_core_logging_server_internal.mdx index 05d00acfa64d2..0edd115c267e0 100644 --- a/api_docs/kbn_core_logging_server_internal.mdx +++ b/api_docs/kbn_core_logging_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server-internal title: "@kbn/core-logging-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server-internal'] --- import kbnCoreLoggingServerInternalObj from './kbn_core_logging_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_logging_server_mocks.mdx b/api_docs/kbn_core_logging_server_mocks.mdx index dca89b485c853..ee94baa98e7d3 100644 --- a/api_docs/kbn_core_logging_server_mocks.mdx +++ b/api_docs/kbn_core_logging_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server-mocks title: "@kbn/core-logging-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server-mocks'] --- import kbnCoreLoggingServerMocksObj from './kbn_core_logging_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_collectors_server_internal.mdx b/api_docs/kbn_core_metrics_collectors_server_internal.mdx index 724da2d16c5d6..767f6b32d505b 100644 --- a/api_docs/kbn_core_metrics_collectors_server_internal.mdx +++ b/api_docs/kbn_core_metrics_collectors_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-collectors-server-internal title: "@kbn/core-metrics-collectors-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-collectors-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-collectors-server-internal'] --- import kbnCoreMetricsCollectorsServerInternalObj from './kbn_core_metrics_collectors_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_collectors_server_mocks.mdx b/api_docs/kbn_core_metrics_collectors_server_mocks.mdx index b51a7ae9afde5..30ebeadbf2a5f 100644 --- a/api_docs/kbn_core_metrics_collectors_server_mocks.mdx +++ b/api_docs/kbn_core_metrics_collectors_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-collectors-server-mocks title: "@kbn/core-metrics-collectors-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-collectors-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-collectors-server-mocks'] --- import kbnCoreMetricsCollectorsServerMocksObj from './kbn_core_metrics_collectors_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_server.mdx b/api_docs/kbn_core_metrics_server.mdx index 55b7e2975f629..103483c76b1dd 100644 --- a/api_docs/kbn_core_metrics_server.mdx +++ b/api_docs/kbn_core_metrics_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server title: "@kbn/core-metrics-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server'] --- import kbnCoreMetricsServerObj from './kbn_core_metrics_server.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_server_internal.mdx b/api_docs/kbn_core_metrics_server_internal.mdx index 9857cb694d986..398e175bd52fe 100644 --- a/api_docs/kbn_core_metrics_server_internal.mdx +++ b/api_docs/kbn_core_metrics_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server-internal title: "@kbn/core-metrics-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server-internal'] --- import kbnCoreMetricsServerInternalObj from './kbn_core_metrics_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_server_mocks.mdx b/api_docs/kbn_core_metrics_server_mocks.mdx index 8338c33c8391e..528842db480ee 100644 
--- a/api_docs/kbn_core_metrics_server_mocks.mdx +++ b/api_docs/kbn_core_metrics_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server-mocks title: "@kbn/core-metrics-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server-mocks'] --- import kbnCoreMetricsServerMocksObj from './kbn_core_metrics_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_mount_utils_browser.mdx b/api_docs/kbn_core_mount_utils_browser.mdx index 337b42b96190d..77cb80b72be75 100644 --- a/api_docs/kbn_core_mount_utils_browser.mdx +++ b/api_docs/kbn_core_mount_utils_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-mount-utils-browser title: "@kbn/core-mount-utils-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-mount-utils-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-mount-utils-browser'] --- import kbnCoreMountUtilsBrowserObj from './kbn_core_mount_utils_browser.devdocs.json'; diff --git a/api_docs/kbn_core_node_server.mdx b/api_docs/kbn_core_node_server.mdx index 4fec95172600a..bdb2d82a8e2d6 100644 --- a/api_docs/kbn_core_node_server.mdx +++ b/api_docs/kbn_core_node_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server title: "@kbn/core-node-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-node-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server'] --- import kbnCoreNodeServerObj from './kbn_core_node_server.devdocs.json'; diff --git a/api_docs/kbn_core_node_server_internal.mdx b/api_docs/kbn_core_node_server_internal.mdx index 29e715d0d55b1..fd991893fbb87 100644 
--- a/api_docs/kbn_core_node_server_internal.mdx +++ b/api_docs/kbn_core_node_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server-internal title: "@kbn/core-node-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-node-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server-internal'] --- import kbnCoreNodeServerInternalObj from './kbn_core_node_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_node_server_mocks.mdx b/api_docs/kbn_core_node_server_mocks.mdx index c1621620d938d..03e1e02f9d4bd 100644 --- a/api_docs/kbn_core_node_server_mocks.mdx +++ b/api_docs/kbn_core_node_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server-mocks title: "@kbn/core-node-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-node-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server-mocks'] --- import kbnCoreNodeServerMocksObj from './kbn_core_node_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_notifications_browser.mdx b/api_docs/kbn_core_notifications_browser.mdx index d7e1099d545a9..079f1df911cd5 100644 --- a/api_docs/kbn_core_notifications_browser.mdx +++ b/api_docs/kbn_core_notifications_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser title: "@kbn/core-notifications-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-notifications-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser'] --- import kbnCoreNotificationsBrowserObj from './kbn_core_notifications_browser.devdocs.json'; 
diff --git a/api_docs/kbn_core_notifications_browser_internal.mdx b/api_docs/kbn_core_notifications_browser_internal.mdx index 08c1598007300..e423d5f624e48 100644 --- a/api_docs/kbn_core_notifications_browser_internal.mdx +++ b/api_docs/kbn_core_notifications_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser-internal title: "@kbn/core-notifications-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-notifications-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser-internal'] --- import kbnCoreNotificationsBrowserInternalObj from './kbn_core_notifications_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_notifications_browser_mocks.mdx b/api_docs/kbn_core_notifications_browser_mocks.mdx index a19ee6682f1de..1708856f320a3 100644 --- a/api_docs/kbn_core_notifications_browser_mocks.mdx +++ b/api_docs/kbn_core_notifications_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser-mocks title: "@kbn/core-notifications-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-notifications-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser-mocks'] --- import kbnCoreNotificationsBrowserMocksObj from './kbn_core_notifications_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_overlays_browser.mdx b/api_docs/kbn_core_overlays_browser.mdx index 353346d8b2134..307318e72b696 100644 --- a/api_docs/kbn_core_overlays_browser.mdx +++ b/api_docs/kbn_core_overlays_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser title: "@kbn/core-overlays-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-overlays-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser'] --- import kbnCoreOverlaysBrowserObj from './kbn_core_overlays_browser.devdocs.json'; diff --git a/api_docs/kbn_core_overlays_browser_internal.mdx b/api_docs/kbn_core_overlays_browser_internal.mdx index b19493a9538be..25e63fcbcbc1b 100644 --- a/api_docs/kbn_core_overlays_browser_internal.mdx +++ b/api_docs/kbn_core_overlays_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser-internal title: "@kbn/core-overlays-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-overlays-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser-internal'] --- import kbnCoreOverlaysBrowserInternalObj from './kbn_core_overlays_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_overlays_browser_mocks.mdx b/api_docs/kbn_core_overlays_browser_mocks.mdx index 2bb7d9828fa66..cf1abb71d9925 100644 --- a/api_docs/kbn_core_overlays_browser_mocks.mdx +++ b/api_docs/kbn_core_overlays_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser-mocks title: "@kbn/core-overlays-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-overlays-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser-mocks'] --- import kbnCoreOverlaysBrowserMocksObj from './kbn_core_overlays_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_plugins_browser.mdx b/api_docs/kbn_core_plugins_browser.mdx index 0eb16427a9a12..f3d2fc4db90f9 100644 
--- a/api_docs/kbn_core_plugins_browser.mdx +++ b/api_docs/kbn_core_plugins_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-browser title: "@kbn/core-plugins-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-plugins-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-browser'] --- import kbnCorePluginsBrowserObj from './kbn_core_plugins_browser.devdocs.json'; diff --git a/api_docs/kbn_core_plugins_browser_mocks.mdx b/api_docs/kbn_core_plugins_browser_mocks.mdx index eeb1c6c9031c0..192405726c169 100644 --- a/api_docs/kbn_core_plugins_browser_mocks.mdx +++ b/api_docs/kbn_core_plugins_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-browser-mocks title: "@kbn/core-plugins-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-plugins-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-browser-mocks'] --- import kbnCorePluginsBrowserMocksObj from './kbn_core_plugins_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_plugins_server.mdx b/api_docs/kbn_core_plugins_server.mdx index d279efbb46f03..9931fb0389706 100644 --- a/api_docs/kbn_core_plugins_server.mdx +++ b/api_docs/kbn_core_plugins_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-server title: "@kbn/core-plugins-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-plugins-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-server'] --- import kbnCorePluginsServerObj from './kbn_core_plugins_server.devdocs.json'; diff --git a/api_docs/kbn_core_plugins_server_mocks.mdx b/api_docs/kbn_core_plugins_server_mocks.mdx index 639f4ec5d932e..9a1acabff021c 100644 
--- a/api_docs/kbn_core_plugins_server_mocks.mdx +++ b/api_docs/kbn_core_plugins_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-plugins-server-mocks title: "@kbn/core-plugins-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-plugins-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-plugins-server-mocks'] --- import kbnCorePluginsServerMocksObj from './kbn_core_plugins_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_preboot_server.mdx b/api_docs/kbn_core_preboot_server.mdx index 34d716a4264f2..d4640c0b8d030 100644 --- a/api_docs/kbn_core_preboot_server.mdx +++ b/api_docs/kbn_core_preboot_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-preboot-server title: "@kbn/core-preboot-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-preboot-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-preboot-server'] --- import kbnCorePrebootServerObj from './kbn_core_preboot_server.devdocs.json'; diff --git a/api_docs/kbn_core_preboot_server_mocks.mdx b/api_docs/kbn_core_preboot_server_mocks.mdx index f2ddd9752409b..f002ae81b5533 100644 --- a/api_docs/kbn_core_preboot_server_mocks.mdx +++ b/api_docs/kbn_core_preboot_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-preboot-server-mocks title: "@kbn/core-preboot-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-preboot-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-preboot-server-mocks'] --- import kbnCorePrebootServerMocksObj from './kbn_core_preboot_server_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_rendering_browser_mocks.mdx b/api_docs/kbn_core_rendering_browser_mocks.mdx index 2dbe503efe103..e1a9420128ab6 100644 --- a/api_docs/kbn_core_rendering_browser_mocks.mdx +++ b/api_docs/kbn_core_rendering_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-rendering-browser-mocks title: "@kbn/core-rendering-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-rendering-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-rendering-browser-mocks'] --- import kbnCoreRenderingBrowserMocksObj from './kbn_core_rendering_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_rendering_server_internal.mdx b/api_docs/kbn_core_rendering_server_internal.mdx index f628611b6dd89..6a86eb18d7714 100644 --- a/api_docs/kbn_core_rendering_server_internal.mdx +++ b/api_docs/kbn_core_rendering_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-rendering-server-internal title: "@kbn/core-rendering-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-rendering-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-rendering-server-internal'] --- import kbnCoreRenderingServerInternalObj from './kbn_core_rendering_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_rendering_server_mocks.mdx b/api_docs/kbn_core_rendering_server_mocks.mdx index 7bee735adc7d9..c106becee5683 100644 --- a/api_docs/kbn_core_rendering_server_mocks.mdx +++ b/api_docs/kbn_core_rendering_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-rendering-server-mocks title: "@kbn/core-rendering-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-rendering-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-rendering-server-mocks'] --- import kbnCoreRenderingServerMocksObj from './kbn_core_rendering_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_root_server_internal.mdx b/api_docs/kbn_core_root_server_internal.mdx index 8c9d4f2a11c08..54d3d7b87ec5e 100644 --- a/api_docs/kbn_core_root_server_internal.mdx +++ b/api_docs/kbn_core_root_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-root-server-internal title: "@kbn/core-root-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-root-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-root-server-internal'] --- import kbnCoreRootServerInternalObj from './kbn_core_root_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_api_browser.mdx b/api_docs/kbn_core_saved_objects_api_browser.mdx index c0d01cc0786dd..1dd37326da07f 100644 --- a/api_docs/kbn_core_saved_objects_api_browser.mdx +++ b/api_docs/kbn_core_saved_objects_api_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-browser title: "@kbn/core-saved-objects-api-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-browser'] --- import kbnCoreSavedObjectsApiBrowserObj from './kbn_core_saved_objects_api_browser.devdocs.json'; 
diff --git a/api_docs/kbn_core_saved_objects_api_server.mdx b/api_docs/kbn_core_saved_objects_api_server.mdx index 45cc33cdccd8f..ba6e659e38e8f 100644 --- a/api_docs/kbn_core_saved_objects_api_server.mdx +++ b/api_docs/kbn_core_saved_objects_api_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-server title: "@kbn/core-saved-objects-api-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-server'] --- import kbnCoreSavedObjectsApiServerObj from './kbn_core_saved_objects_api_server.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_api_server_internal.mdx b/api_docs/kbn_core_saved_objects_api_server_internal.mdx index 4cb0bd225724a..d7d156c5fc080 100644 --- a/api_docs/kbn_core_saved_objects_api_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_api_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-server-internal title: "@kbn/core-saved-objects-api-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-server-internal'] --- import kbnCoreSavedObjectsApiServerInternalObj from './kbn_core_saved_objects_api_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_api_server_mocks.mdx b/api_docs/kbn_core_saved_objects_api_server_mocks.mdx index 03e009ba04b02..59736d9f27a8e 100644 --- a/api_docs/kbn_core_saved_objects_api_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_api_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-server-mocks title: "@kbn/core-saved-objects-api-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-server-mocks'] --- import kbnCoreSavedObjectsApiServerMocksObj from './kbn_core_saved_objects_api_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_base_server_internal.mdx b/api_docs/kbn_core_saved_objects_base_server_internal.mdx index cdffca564cd74..380dbcf90cafa 100644 --- a/api_docs/kbn_core_saved_objects_base_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_base_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-base-server-internal title: "@kbn/core-saved-objects-base-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-base-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-base-server-internal'] --- import kbnCoreSavedObjectsBaseServerInternalObj from './kbn_core_saved_objects_base_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_base_server_mocks.mdx b/api_docs/kbn_core_saved_objects_base_server_mocks.mdx index 187cff3f40b42..a86b36f9b6865 100644 --- a/api_docs/kbn_core_saved_objects_base_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_base_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-base-server-mocks title: "@kbn/core-saved-objects-base-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-base-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-base-server-mocks'] --- import kbnCoreSavedObjectsBaseServerMocksObj from './kbn_core_saved_objects_base_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_browser.mdx b/api_docs/kbn_core_saved_objects_browser.mdx index 460dac8573db4..333620ff5cbc6 100644 --- a/api_docs/kbn_core_saved_objects_browser.mdx +++ b/api_docs/kbn_core_saved_objects_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser title: "@kbn/core-saved-objects-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser'] --- import kbnCoreSavedObjectsBrowserObj from './kbn_core_saved_objects_browser.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_browser_internal.mdx b/api_docs/kbn_core_saved_objects_browser_internal.mdx index ef7070674ac26..cb4c94d60d62e 100644 --- a/api_docs/kbn_core_saved_objects_browser_internal.mdx +++ b/api_docs/kbn_core_saved_objects_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser-internal title: "@kbn/core-saved-objects-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser-internal'] --- import kbnCoreSavedObjectsBrowserInternalObj from './kbn_core_saved_objects_browser_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_saved_objects_browser_mocks.mdx b/api_docs/kbn_core_saved_objects_browser_mocks.mdx index 95fd818c0a922..eb2e56006c6ff 100644 --- a/api_docs/kbn_core_saved_objects_browser_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser-mocks title: "@kbn/core-saved-objects-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser-mocks'] --- import kbnCoreSavedObjectsBrowserMocksObj from './kbn_core_saved_objects_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_common.devdocs.json b/api_docs/kbn_core_saved_objects_common.devdocs.json index 748f954221ef6..229234828f179 100644 --- a/api_docs/kbn_core_saved_objects_common.devdocs.json +++ b/api_docs/kbn_core_saved_objects_common.devdocs.json 
@@ -1444,230 +1444,6 @@ "plugin": "@kbn/core-saved-objects-browser-mocks", "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts" }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/export.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": 
"packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/saved_objects_management.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/saved_objects_client.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/collect_multi_namespace_references.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/update_objects_spaces.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.ts" - }, { "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" 
@@ -1676,70 +1452,6 @@ "plugin": "@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/errors.ts" }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/collect_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_objects_filter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.ts" - }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.ts" 
@@ -1750,999 +1462,375 @@ }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/split_overwrites.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/validate_references.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.ts" + "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "plugin": "core", + "path": "src/core/types/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "plugin": "apm", + "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "savedObjectsTaggingOss", + "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/errors.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/so_references.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - 
"plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "lists", + "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.ts" + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/import.ts" - }, - { - "plugin": "core", - "path": "src/core/types/index.ts" - }, - { - "plugin": "apm", - "path": "x-pack/plugins/apm/server/routes/settings/apm_indices/route.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsTaggingOss", - "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/common/types.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": 
"x-pack/plugins/saved_objects_tagging/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/so_references.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "lists", - "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.mock.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/public/utils.test.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" - }, - { - "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" + "plugin": "securitySolution", + "path": 
"x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/host_risk_score_dashboards.ts" }, { "plugin": "securitySolution", - "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" - }, - { - "plugin": "upgradeAssistant", - "path": "x-pack/plugins/upgrade_assistant/common/types.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "savedObjectsTagging", - "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_view.stub.ts" - }, - { - "plugin": "dataViews", - "path": "src/plugins/data_views/common/data_view.stub.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "savedObjectsManagement", - "path": 
"src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "data", - "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" - }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "security", - "path": "x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "encryptedSavedObjects", - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/server/embeddable/make_lens_embeddable_factory.ts" - }, - { - "plugin": "cases", - "path": 
"x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/authorization/authorization.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/common/types.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" - }, - { - 
"plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - "plugin": "synthetics", - "path": "x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/test_helpers.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/rules_client/tests/bulk_disable.test.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - 
{ - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "fleet", - "path": "x-pack/plugins/fleet/server/services/agents/action.mock.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "observability", - "path": "x-pack/plugins/observability/server/services/slo/fixtures/slo.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": 
"@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-browser-internal", - "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/internal_bulk_resolve.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - 
"plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.security_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.spaces_extension.test.ts" + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "securitySolution", + "path": "x-pack/plugins/security_solution/server/lib/risk_score/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_details/api.ts" }, { - 
"plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/overview/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" + "plugin": "upgradeAssistant", + "path": "x-pack/plugins/upgrade_assistant/common/types.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/apply_export_transforms.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + 
"plugin": "savedObjectsTagging", + "path": "x-pack/plugins/saved_objects_tagging/common/test_utils/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_view.stub.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "dataViews", + "path": "src/plugins/data_views/common/data_view.stub.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/collect_exported_objects.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" + "plugin": "savedObjectsManagement", + "path": "src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/saved_objects_exporter.test.ts" + "plugin": "savedObjectsManagement", + "path": 
"src/plugins/saved_objects_management/server/lib/find_relationships.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/sort_objects.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/export/utils.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/import_saved_objects.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "data", + "path": "src/plugins/data/server/search/saved_objects/search_session_migration.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/operations/find.ts" }, { - "plugin": "@kbn/core-ui-settings-server-internal", - "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "synthetics", + "path": "x-pack/plugins/synthetics/public/apps/synthetics/components/settings/hooks/use_params_list.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/create_saved_objects.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/execute_import_hooks.test.ts" + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" + "plugin": "cases", + "path": 
"x-pack/plugins/cases/server/services/user_actions/test_utils.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/extract_errors.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/get_import_state_map_for_retries.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": 
"@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/regenerate_ids.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" + "plugin": "@kbn/core-saved-objects-browser-internal", + "path": "packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" + "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" }, { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/import_dashboards.test.ts" 
+ "plugin": "@kbn/core-ui-settings-server-internal", + "path": "packages/core/ui-settings/core-ui-settings-server-internal/src/saved_objects/transforms.test.ts" } ], "initialIsOpen": false @@ -2813,30 +1901,6 @@ { "plugin": "core", "path": "src/core/types/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.13/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" } ], "initialIsOpen": false @@ -3210,22 +2274,6 @@ "plugin": "ml", "path": "x-pack/plugins/ml/common/types/modules.ts" }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, { "plugin": "dashboard", "path": "src/plugins/dashboard/public/services/dashboard_saved_object/lib/save_dashboard_state_to_saved_object.ts" 
@@ -3233,14 +2281,6 @@ { "plugin": "dashboard", "path": "src/plugins/dashboard/public/services/dashboard_saved_object/lib/save_dashboard_state_to_saved_object.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" } ], "initialIsOpen": false @@ -3673,22 +2713,6 @@ "plugin": "savedObjectsTaggingOss", "path": "src/plugins/saved_objects_tagging_oss/public/decorator/inject_tag_references.test.ts" }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, - { - "plugin": "@kbn/core-saved-objects-server", - "path": "packages/core/saved-objects/core-saved-objects-server/src/serialization.ts" - }, { "plugin": "core", "path": "src/core/types/index.ts" 
@@ -4233,38 +3257,6 @@ "plugin": "data", "path": "src/plugins/data/common/search/search_source/inject_references.test.ts" }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, - { - "plugin": "alerting", - "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.16/index.ts" - }, { "plugin": "lens", "path": "x-pack/plugins/lens/common/locator/locator.ts" 
@@ -4286,64 +3278,76 @@ "path": "x-pack/plugins/lens/public/app_plugin/share_action.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/types.ts" }, { - "plugin": "cases", - "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/types.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/test_helpers/repository.test.common.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/cpu.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/load.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": 
"packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/memory.ts" }, { - "plugin": "@kbn/core-saved-objects-api-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/repository.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/rx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/resolve_import_errors.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/tx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/tx.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_conflicts.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_read.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "infra", + "path": 
"x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_read.ts" }, { - "plugin": "@kbn/core-saved-objects-import-export-server-internal", - "path": "packages/core/saved-objects/core-saved-objects-import-export-server-internal/src/import/lib/check_origin_conflicts.test.ts" + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_write.ts" + }, + { + "plugin": "infra", + "path": "x-pack/plugins/infra/public/common/visualizations/lens/hosts/diskio_write.ts" + }, + { + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" + }, + { + "plugin": "cases", + "path": "x-pack/plugins/cases/server/services/user_actions/test_utils.ts" } ], "initialIsOpen": false diff --git a/api_docs/kbn_core_saved_objects_common.mdx b/api_docs/kbn_core_saved_objects_common.mdx index 002444fe5b442..62425ee9d4656 100644 --- a/api_docs/kbn_core_saved_objects_common.mdx +++ b/api_docs/kbn_core_saved_objects_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-common title: "@kbn/core-saved-objects-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-common'] --- import kbnCoreSavedObjectsCommonObj from './kbn_core_saved_objects_common.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx b/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx index d3e633f0de9aa..e988dbd28fa73 100644 --- a/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_import_export_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-import-export-server-internal title: "@kbn/core-saved-objects-import-export-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-import-export-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-import-export-server-internal'] --- import kbnCoreSavedObjectsImportExportServerInternalObj from './kbn_core_saved_objects_import_export_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx b/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx index 55d37320e6d36..fa4a06c45ab66 100644 --- a/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_import_export_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-import-export-server-mocks title: "@kbn/core-saved-objects-import-export-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-import-export-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-import-export-server-mocks'] --- import kbnCoreSavedObjectsImportExportServerMocksObj from './kbn_core_saved_objects_import_export_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_migration_server_internal.mdx b/api_docs/kbn_core_saved_objects_migration_server_internal.mdx index 3c779e4848996..ccb3e9e0c90ab 100644 --- a/api_docs/kbn_core_saved_objects_migration_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_migration_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-migration-server-internal title: "@kbn/core-saved-objects-migration-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-migration-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-migration-server-internal'] --- import kbnCoreSavedObjectsMigrationServerInternalObj from './kbn_core_saved_objects_migration_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx b/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx index 1c182be9cdb07..3cfcb7fe646fe 100644 --- a/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_migration_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-migration-server-mocks title: "@kbn/core-saved-objects-migration-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-migration-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-migration-server-mocks'] --- import kbnCoreSavedObjectsMigrationServerMocksObj from './kbn_core_saved_objects_migration_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_server.devdocs.json b/api_docs/kbn_core_saved_objects_server.devdocs.json index b4dac3d8ec4ea..755886dd41f22 100644 --- a/api_docs/kbn_core_saved_objects_server.devdocs.json +++ b/api_docs/kbn_core_saved_objects_server.devdocs.json 
@@ -2806,6 +2806,30 @@ { "plugin": "savedSearch", "path": "src/plugins/saved_search/server/saved_objects/search_migrations.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.11/index.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" + }, + { + "plugin": "alerting", + "path": "x-pack/plugins/alerting/server/saved_objects/migrations/7.15/index.ts" + }, + { + "plugin": "@kbn/core-saved-objects-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" + }, + { + "plugin": "@kbn/core-saved-objects-server-internal", + "path": "packages/core/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/lib/collect_references_deep.test.ts" } ], "children": [ diff --git a/api_docs/kbn_core_saved_objects_server.mdx b/api_docs/kbn_core_saved_objects_server.mdx index 2a9401298559d..43b5561e3bf6b 100644 --- a/api_docs/kbn_core_saved_objects_server.mdx +++ b/api_docs/kbn_core_saved_objects_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-server title: "@kbn/core-saved-objects-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-server'] --- import kbnCoreSavedObjectsServerObj from './kbn_core_saved_objects_server.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_server_internal.mdx b/api_docs/kbn_core_saved_objects_server_internal.mdx index 2e40c1b5b1871..80e13fa2876c7 100644 --- a/api_docs/kbn_core_saved_objects_server_internal.mdx +++ b/api_docs/kbn_core_saved_objects_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-server-internal title: "@kbn/core-saved-objects-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-server-internal'] --- import kbnCoreSavedObjectsServerInternalObj from './kbn_core_saved_objects_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_server_mocks.mdx b/api_docs/kbn_core_saved_objects_server_mocks.mdx index e37112ca2932c..f7975967cbc88 100644 --- a/api_docs/kbn_core_saved_objects_server_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-server-mocks title: "@kbn/core-saved-objects-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-server-mocks'] --- import kbnCoreSavedObjectsServerMocksObj from './kbn_core_saved_objects_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_utils_server.mdx b/api_docs/kbn_core_saved_objects_utils_server.mdx index 3c7a95f4dc7d7..7a8656e390cff 100644 --- a/api_docs/kbn_core_saved_objects_utils_server.mdx +++ b/api_docs/kbn_core_saved_objects_utils_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-utils-server title: "@kbn/core-saved-objects-utils-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-utils-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-utils-server'] --- import kbnCoreSavedObjectsUtilsServerObj from './kbn_core_saved_objects_utils_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_status_common.mdx b/api_docs/kbn_core_status_common.mdx index ab77a4f75b9b8..ba988058f674e 100644 --- a/api_docs/kbn_core_status_common.mdx +++ b/api_docs/kbn_core_status_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-common title: "@kbn/core-status-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-common'] --- import kbnCoreStatusCommonObj from './kbn_core_status_common.devdocs.json'; diff --git a/api_docs/kbn_core_status_common_internal.mdx b/api_docs/kbn_core_status_common_internal.mdx index c1fea24307a47..2978e0fec8d7f 100644 --- a/api_docs/kbn_core_status_common_internal.mdx +++ b/api_docs/kbn_core_status_common_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-common-internal title: "@kbn/core-status-common-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-common-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-common-internal'] --- import kbnCoreStatusCommonInternalObj from './kbn_core_status_common_internal.devdocs.json'; diff --git a/api_docs/kbn_core_status_server.mdx b/api_docs/kbn_core_status_server.mdx index 20ced0d3eefff..b58d04eb6efef 100644 --- a/api_docs/kbn_core_status_server.mdx +++ b/api_docs/kbn_core_status_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-server title: "@kbn/core-status-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-server'] --- import kbnCoreStatusServerObj from './kbn_core_status_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_status_server_internal.mdx b/api_docs/kbn_core_status_server_internal.mdx index 878afa6f4176d..6b75c1917ff23 100644 --- a/api_docs/kbn_core_status_server_internal.mdx +++ b/api_docs/kbn_core_status_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-server-internal title: "@kbn/core-status-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-server-internal'] --- import kbnCoreStatusServerInternalObj from './kbn_core_status_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_status_server_mocks.mdx b/api_docs/kbn_core_status_server_mocks.mdx index c229bd8a6e0dd..183b8147d90a3 100644 --- a/api_docs/kbn_core_status_server_mocks.mdx +++ b/api_docs/kbn_core_status_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-status-server-mocks title: "@kbn/core-status-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-status-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-status-server-mocks'] --- import kbnCoreStatusServerMocksObj from './kbn_core_status_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_deprecations_getters.mdx b/api_docs/kbn_core_test_helpers_deprecations_getters.mdx index 1fe2fa49f42c9..9c354e5323cc6 100644 --- a/api_docs/kbn_core_test_helpers_deprecations_getters.mdx +++ b/api_docs/kbn_core_test_helpers_deprecations_getters.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-deprecations-getters title: "@kbn/core-test-helpers-deprecations-getters" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-deprecations-getters plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-deprecations-getters'] --- import kbnCoreTestHelpersDeprecationsGettersObj from './kbn_core_test_helpers_deprecations_getters.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_http_setup_browser.mdx b/api_docs/kbn_core_test_helpers_http_setup_browser.mdx index 38bdb3014c5be..ff98fc44872af 100644 --- a/api_docs/kbn_core_test_helpers_http_setup_browser.mdx +++ b/api_docs/kbn_core_test_helpers_http_setup_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-http-setup-browser title: "@kbn/core-test-helpers-http-setup-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-http-setup-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-http-setup-browser'] --- import kbnCoreTestHelpersHttpSetupBrowserObj from './kbn_core_test_helpers_http_setup_browser.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_kbn_server.mdx b/api_docs/kbn_core_test_helpers_kbn_server.mdx index 8436eff2da97d..8661cdfe45dfb 100644 --- a/api_docs/kbn_core_test_helpers_kbn_server.mdx +++ b/api_docs/kbn_core_test_helpers_kbn_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-kbn-server title: "@kbn/core-test-helpers-kbn-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-kbn-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-kbn-server'] --- import kbnCoreTestHelpersKbnServerObj from './kbn_core_test_helpers_kbn_server.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_so_type_serializer.mdx b/api_docs/kbn_core_test_helpers_so_type_serializer.mdx index 51aa63e24d4f0..eacb2f429b65a 100644 --- a/api_docs/kbn_core_test_helpers_so_type_serializer.mdx +++ b/api_docs/kbn_core_test_helpers_so_type_serializer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-so-type-serializer title: "@kbn/core-test-helpers-so-type-serializer" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-so-type-serializer plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-so-type-serializer'] --- import kbnCoreTestHelpersSoTypeSerializerObj from './kbn_core_test_helpers_so_type_serializer.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_test_utils.mdx b/api_docs/kbn_core_test_helpers_test_utils.mdx index ca50d95ad63df..6f776941212c4 100644 --- a/api_docs/kbn_core_test_helpers_test_utils.mdx +++ b/api_docs/kbn_core_test_helpers_test_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-test-utils title: "@kbn/core-test-helpers-test-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-test-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-test-utils'] --- import kbnCoreTestHelpersTestUtilsObj from './kbn_core_test_helpers_test_utils.devdocs.json'; 
diff --git a/api_docs/kbn_core_theme_browser.mdx b/api_docs/kbn_core_theme_browser.mdx index b9a8fb1fda494..da3f4a918c8b9 100644 --- a/api_docs/kbn_core_theme_browser.mdx +++ b/api_docs/kbn_core_theme_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser title: "@kbn/core-theme-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser'] --- import kbnCoreThemeBrowserObj from './kbn_core_theme_browser.devdocs.json'; diff --git a/api_docs/kbn_core_theme_browser_internal.mdx b/api_docs/kbn_core_theme_browser_internal.mdx index 5eba0869f8339..e5c8796f33de3 100644 --- a/api_docs/kbn_core_theme_browser_internal.mdx +++ b/api_docs/kbn_core_theme_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser-internal title: "@kbn/core-theme-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser-internal'] --- import kbnCoreThemeBrowserInternalObj from './kbn_core_theme_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_theme_browser_mocks.mdx b/api_docs/kbn_core_theme_browser_mocks.mdx index 1879c357339bb..a2e1c4fe55e8f 100644 --- a/api_docs/kbn_core_theme_browser_mocks.mdx +++ b/api_docs/kbn_core_theme_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser-mocks title: "@kbn/core-theme-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser-mocks'] --- import kbnCoreThemeBrowserMocksObj from './kbn_core_theme_browser_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_ui_settings_browser.mdx b/api_docs/kbn_core_ui_settings_browser.mdx index ddc0c181695db..941d9dc12f2a4 100644 --- a/api_docs/kbn_core_ui_settings_browser.mdx +++ b/api_docs/kbn_core_ui_settings_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser title: "@kbn/core-ui-settings-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser'] --- import kbnCoreUiSettingsBrowserObj from './kbn_core_ui_settings_browser.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_browser_internal.mdx b/api_docs/kbn_core_ui_settings_browser_internal.mdx index ed2194c8a708e..9fcf0f0c16a4c 100644 --- a/api_docs/kbn_core_ui_settings_browser_internal.mdx +++ b/api_docs/kbn_core_ui_settings_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser-internal title: "@kbn/core-ui-settings-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser-internal'] --- import kbnCoreUiSettingsBrowserInternalObj from './kbn_core_ui_settings_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_browser_mocks.mdx b/api_docs/kbn_core_ui_settings_browser_mocks.mdx index cc1e5629c0cca..7c3bab4ac066e 100644 --- a/api_docs/kbn_core_ui_settings_browser_mocks.mdx +++ b/api_docs/kbn_core_ui_settings_browser_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser-mocks title: "@kbn/core-ui-settings-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser-mocks'] --- import kbnCoreUiSettingsBrowserMocksObj from './kbn_core_ui_settings_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_common.mdx b/api_docs/kbn_core_ui_settings_common.mdx index 788e20d34853a..4036cb5adea1b 100644 --- a/api_docs/kbn_core_ui_settings_common.mdx +++ b/api_docs/kbn_core_ui_settings_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-common title: "@kbn/core-ui-settings-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-common plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-common'] --- import kbnCoreUiSettingsCommonObj from './kbn_core_ui_settings_common.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_server.mdx b/api_docs/kbn_core_ui_settings_server.mdx index 982e4e4c68261..9404e63273453 100644 --- a/api_docs/kbn_core_ui_settings_server.mdx +++ b/api_docs/kbn_core_ui_settings_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-server title: "@kbn/core-ui-settings-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-server'] --- import kbnCoreUiSettingsServerObj from './kbn_core_ui_settings_server.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_server_internal.mdx b/api_docs/kbn_core_ui_settings_server_internal.mdx index 4c83bbc9fe2cb..d80875a2a6e69 100644 
--- a/api_docs/kbn_core_ui_settings_server_internal.mdx +++ b/api_docs/kbn_core_ui_settings_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-server-internal title: "@kbn/core-ui-settings-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-server-internal'] --- import kbnCoreUiSettingsServerInternalObj from './kbn_core_ui_settings_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_server_mocks.mdx b/api_docs/kbn_core_ui_settings_server_mocks.mdx index 9fb8da253474b..0ac3fb2d3c820 100644 --- a/api_docs/kbn_core_ui_settings_server_mocks.mdx +++ b/api_docs/kbn_core_ui_settings_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-server-mocks title: "@kbn/core-ui-settings-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-server-mocks'] --- import kbnCoreUiSettingsServerMocksObj from './kbn_core_ui_settings_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_usage_data_server.mdx b/api_docs/kbn_core_usage_data_server.mdx index b27796dc85af4..583b148d6e9cd 100644 --- a/api_docs/kbn_core_usage_data_server.mdx +++ b/api_docs/kbn_core_usage_data_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-usage-data-server title: "@kbn/core-usage-data-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-usage-data-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-usage-data-server'] --- import kbnCoreUsageDataServerObj from './kbn_core_usage_data_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_usage_data_server_internal.mdx b/api_docs/kbn_core_usage_data_server_internal.mdx index c8f6bc900e15c..7a5a6a01875f8 100644 --- a/api_docs/kbn_core_usage_data_server_internal.mdx +++ b/api_docs/kbn_core_usage_data_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-usage-data-server-internal title: "@kbn/core-usage-data-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-usage-data-server-internal plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-usage-data-server-internal'] --- import kbnCoreUsageDataServerInternalObj from './kbn_core_usage_data_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_usage_data_server_mocks.mdx b/api_docs/kbn_core_usage_data_server_mocks.mdx index a53913bd9e65c..d96653071f210 100644 --- a/api_docs/kbn_core_usage_data_server_mocks.mdx +++ b/api_docs/kbn_core_usage_data_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-usage-data-server-mocks title: "@kbn/core-usage-data-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-usage-data-server-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-usage-data-server-mocks'] --- import kbnCoreUsageDataServerMocksObj from './kbn_core_usage_data_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_crypto.mdx b/api_docs/kbn_crypto.mdx index aa9ba3d5893a3..56cb008ea4436 100644 --- a/api_docs/kbn_crypto.mdx +++ b/api_docs/kbn_crypto.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-crypto title: "@kbn/crypto" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/crypto plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/crypto'] --- import kbnCryptoObj from './kbn_crypto.devdocs.json'; 
diff --git a/api_docs/kbn_crypto_browser.mdx b/api_docs/kbn_crypto_browser.mdx index 88233251ee0e7..a9aebbe684288 100644 --- a/api_docs/kbn_crypto_browser.mdx +++ b/api_docs/kbn_crypto_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-crypto-browser title: "@kbn/crypto-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/crypto-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/crypto-browser'] --- import kbnCryptoBrowserObj from './kbn_crypto_browser.devdocs.json'; diff --git a/api_docs/kbn_cypress_config.mdx b/api_docs/kbn_cypress_config.mdx index b2c73b8236f1a..bb64e5892fa68 100644 --- a/api_docs/kbn_cypress_config.mdx +++ b/api_docs/kbn_cypress_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cypress-config title: "@kbn/cypress-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/cypress-config plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cypress-config'] --- import kbnCypressConfigObj from './kbn_cypress_config.devdocs.json'; diff --git a/api_docs/kbn_datemath.mdx b/api_docs/kbn_datemath.mdx index 14761aa0366fb..40081c074fac4 100644 --- a/api_docs/kbn_datemath.mdx +++ b/api_docs/kbn_datemath.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-datemath title: "@kbn/datemath" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/datemath plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/datemath'] --- import kbnDatemathObj from './kbn_datemath.devdocs.json'; diff --git a/api_docs/kbn_dev_cli_errors.mdx b/api_docs/kbn_dev_cli_errors.mdx index ab5ba6a8158a3..cbf22a12faf62 100644 --- a/api_docs/kbn_dev_cli_errors.mdx +++ b/api_docs/kbn_dev_cli_errors.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-cli-errors title: "@kbn/dev-cli-errors" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-cli-errors plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-cli-errors'] --- import kbnDevCliErrorsObj from './kbn_dev_cli_errors.devdocs.json'; diff --git a/api_docs/kbn_dev_cli_runner.mdx b/api_docs/kbn_dev_cli_runner.mdx index dcbdc60c41500..f1bad8b957a72 100644 --- a/api_docs/kbn_dev_cli_runner.mdx +++ b/api_docs/kbn_dev_cli_runner.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-cli-runner title: "@kbn/dev-cli-runner" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-cli-runner plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-cli-runner'] --- import kbnDevCliRunnerObj from './kbn_dev_cli_runner.devdocs.json'; diff --git a/api_docs/kbn_dev_proc_runner.mdx b/api_docs/kbn_dev_proc_runner.mdx index 5458a945a9da0..b640885eadc94 100644 --- a/api_docs/kbn_dev_proc_runner.mdx +++ b/api_docs/kbn_dev_proc_runner.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-proc-runner title: "@kbn/dev-proc-runner" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-proc-runner plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-proc-runner'] --- import kbnDevProcRunnerObj from './kbn_dev_proc_runner.devdocs.json'; diff --git a/api_docs/kbn_dev_utils.devdocs.json b/api_docs/kbn_dev_utils.devdocs.json index adb4510de09bb..2d366c4839e72 100644 --- a/api_docs/kbn_dev_utils.devdocs.json +++ b/api_docs/kbn_dev_utils.devdocs.json 
@@ -202,23 +202,6 @@ "returnComment": [], "initialIsOpen": false }, - { - "parentPluginId": "@kbn/dev-utils", - "id": "def-common.shipCiStatsCli", - "type": "Function", - "tags": [], - "label": "shipCiStatsCli", - "description": [], - "signature": [ - "() => void" - ], - "path": "packages/kbn-dev-utils/src/ship_ci_stats_cli.ts", - "deprecated": false, - "trackAdoption": false, - "children": [], - "returnComment": [], - "initialIsOpen": false - }, { "parentPluginId": "@kbn/dev-utils", "id": "def-common.transformFileStream", diff --git a/api_docs/kbn_dev_utils.mdx b/api_docs/kbn_dev_utils.mdx index 7614c0594642e..800cabe346ed1 100644 --- a/api_docs/kbn_dev_utils.mdx +++ b/api_docs/kbn_dev_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-utils title: "@kbn/dev-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-utils'] --- import kbnDevUtilsObj from './kbn_dev_utils.devdocs.json'; @@ -21,7 +21,7 @@ Contact [Owner missing] for questions regarding this plugin. | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 28 | 2 | 25 | 0 | +| 27 | 2 | 24 | 0 | ## Common diff --git a/api_docs/kbn_doc_links.mdx b/api_docs/kbn_doc_links.mdx index 062c175e1c508..81e8ad7691eaf 100644 --- a/api_docs/kbn_doc_links.mdx +++ b/api_docs/kbn_doc_links.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-doc-links title: "@kbn/doc-links" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/doc-links plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/doc-links'] --- import kbnDocLinksObj from './kbn_doc_links.devdocs.json'; diff --git a/api_docs/kbn_docs_utils.mdx b/api_docs/kbn_docs_utils.mdx index 7e7bacb575088..70a65a65f8c81 100644 
--- a/api_docs/kbn_docs_utils.mdx +++ b/api_docs/kbn_docs_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-docs-utils title: "@kbn/docs-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/docs-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/docs-utils'] --- import kbnDocsUtilsObj from './kbn_docs_utils.devdocs.json'; diff --git a/api_docs/kbn_ebt_tools.mdx b/api_docs/kbn_ebt_tools.mdx index e15698a881a79..58e355ed72008 100644 --- a/api_docs/kbn_ebt_tools.mdx +++ b/api_docs/kbn_ebt_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ebt-tools title: "@kbn/ebt-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ebt-tools plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ebt-tools'] --- import kbnEbtToolsObj from './kbn_ebt_tools.devdocs.json'; diff --git a/api_docs/kbn_ecs.mdx b/api_docs/kbn_ecs.mdx index bc85360a07509..6bc1fd16d8ba6 100644 --- a/api_docs/kbn_ecs.mdx +++ b/api_docs/kbn_ecs.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ecs title: "@kbn/ecs" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ecs plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ecs'] --- import kbnEcsObj from './kbn_ecs.devdocs.json'; diff --git a/api_docs/kbn_es.mdx b/api_docs/kbn_es.mdx index 542f528a53230..ceb1290e24dea 100644 --- a/api_docs/kbn_es.mdx +++ b/api_docs/kbn_es.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es title: "@kbn/es" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es'] --- import kbnEsObj from './kbn_es.devdocs.json'; diff --git a/api_docs/kbn_es_archiver.mdx b/api_docs/kbn_es_archiver.mdx index 190b8813a020e..f2bd4ec1733d6 100644 
--- a/api_docs/kbn_es_archiver.mdx +++ b/api_docs/kbn_es_archiver.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-archiver title: "@kbn/es-archiver" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-archiver plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-archiver'] --- import kbnEsArchiverObj from './kbn_es_archiver.devdocs.json'; diff --git a/api_docs/kbn_es_errors.mdx b/api_docs/kbn_es_errors.mdx index 32124a2f13116..0aedf8c230367 100644 --- a/api_docs/kbn_es_errors.mdx +++ b/api_docs/kbn_es_errors.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-errors title: "@kbn/es-errors" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-errors plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-errors'] --- import kbnEsErrorsObj from './kbn_es_errors.devdocs.json'; diff --git a/api_docs/kbn_es_query.devdocs.json b/api_docs/kbn_es_query.devdocs.json index 73c14e298d98e..4804bbcd473dc 100644 --- a/api_docs/kbn_es_query.devdocs.json +++ b/api_docs/kbn_es_query.devdocs.json @@ -130,7 +130,7 @@ "section": "def-common.Filter", "text": "Filter" }, - "[], indexPattern: ", + "[], indexPattern: Pick<", { "pluginId": "@kbn/es-query", "scope": "common", @@ -138,7 +138,7 @@ "section": "def-common.DataViewBase", "text": "DataViewBase" }, - ", disabled: boolean | undefined, negate: boolean | undefined, alias: string | null | undefined, store: ", + ", \"id\">, disabled: boolean | undefined, negate: boolean | undefined, alias: string | null | undefined, store: ", { "pluginId": "@kbn/es-query", "scope": "common", 
@@ -214,13 +214,15 @@ "label": "indexPattern", "description": [], "signature": [ + "Pick<", { "pluginId": "@kbn/es-query", "scope": "common", "docId": "kibKbnEsQueryPluginApi", "section": "def-common.DataViewBase", "text": "DataViewBase" - } + }, + ", \"id\">" ], "path": "packages/kbn-es-query/src/filters/build_filters/combined_filter.ts", "deprecated": false, diff --git a/api_docs/kbn_es_query.mdx b/api_docs/kbn_es_query.mdx index af07f6922cfdd..44620e8fdab08 100644 --- a/api_docs/kbn_es_query.mdx +++ b/api_docs/kbn_es_query.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-query title: "@kbn/es-query" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-query plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-query'] --- import kbnEsQueryObj from './kbn_es_query.devdocs.json'; diff --git a/api_docs/kbn_es_types.mdx b/api_docs/kbn_es_types.mdx index 0e677aa184ee9..16d178762bbdf 100644 --- a/api_docs/kbn_es_types.mdx +++ b/api_docs/kbn_es_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-types title: "@kbn/es-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-types plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-types'] --- import kbnEsTypesObj from './kbn_es_types.devdocs.json'; diff --git a/api_docs/kbn_eslint_plugin_imports.mdx b/api_docs/kbn_eslint_plugin_imports.mdx index 63a54963656d9..181ae6b601031 100644 --- a/api_docs/kbn_eslint_plugin_imports.mdx +++ b/api_docs/kbn_eslint_plugin_imports.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-eslint-plugin-imports title: "@kbn/eslint-plugin-imports" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/eslint-plugin-imports plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/eslint-plugin-imports'] --- import kbnEslintPluginImportsObj from './kbn_eslint_plugin_imports.devdocs.json'; diff --git a/api_docs/kbn_field_types.mdx b/api_docs/kbn_field_types.mdx index 1b2af2ce4b674..105ed34b3d8cc 100644 --- a/api_docs/kbn_field_types.mdx +++ b/api_docs/kbn_field_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-field-types title: "@kbn/field-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/field-types plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/field-types'] --- import kbnFieldTypesObj from './kbn_field_types.devdocs.json'; diff --git a/api_docs/kbn_find_used_node_modules.mdx b/api_docs/kbn_find_used_node_modules.mdx index 1acead1d0bed9..341235b4255b4 100644 --- a/api_docs/kbn_find_used_node_modules.mdx +++ b/api_docs/kbn_find_used_node_modules.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-find-used-node-modules title: "@kbn/find-used-node-modules" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/find-used-node-modules plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/find-used-node-modules'] --- import kbnFindUsedNodeModulesObj from './kbn_find_used_node_modules.devdocs.json'; diff --git a/api_docs/kbn_ftr_common_functional_services.mdx b/api_docs/kbn_ftr_common_functional_services.mdx index a098db47c7a5e..c3f254b8fd6fb 100644 --- a/api_docs/kbn_ftr_common_functional_services.mdx +++ b/api_docs/kbn_ftr_common_functional_services.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ftr-common-functional-services title: "@kbn/ftr-common-functional-services" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ftr-common-functional-services plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ftr-common-functional-services'] --- import kbnFtrCommonFunctionalServicesObj from './kbn_ftr_common_functional_services.devdocs.json'; diff --git a/api_docs/kbn_generate.mdx b/api_docs/kbn_generate.mdx index 9589093a62f46..83b7c46d6c8be 100644 --- a/api_docs/kbn_generate.mdx +++ b/api_docs/kbn_generate.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-generate title: "@kbn/generate" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/generate plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/generate'] --- import kbnGenerateObj from './kbn_generate.devdocs.json'; diff --git a/api_docs/kbn_get_repo_files.mdx b/api_docs/kbn_get_repo_files.mdx index 26d4747e0858e..bee3fa6842476 100644 --- a/api_docs/kbn_get_repo_files.mdx +++ b/api_docs/kbn_get_repo_files.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-get-repo-files title: "@kbn/get-repo-files" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/get-repo-files plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/get-repo-files'] --- import kbnGetRepoFilesObj from './kbn_get_repo_files.devdocs.json'; diff --git a/api_docs/kbn_guided_onboarding.mdx b/api_docs/kbn_guided_onboarding.mdx index e65e2f4e5f693..b709c8eed4228 100644 --- a/api_docs/kbn_guided_onboarding.mdx +++ b/api_docs/kbn_guided_onboarding.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-guided-onboarding title: "@kbn/guided-onboarding" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/guided-onboarding plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/guided-onboarding'] --- import kbnGuidedOnboardingObj from './kbn_guided_onboarding.devdocs.json'; diff --git a/api_docs/kbn_handlebars.mdx b/api_docs/kbn_handlebars.mdx index 7456a0db34383..04c2fc7c0fbf5 100644 --- a/api_docs/kbn_handlebars.mdx +++ b/api_docs/kbn_handlebars.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-handlebars title: "@kbn/handlebars" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/handlebars plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/handlebars'] --- import kbnHandlebarsObj from './kbn_handlebars.devdocs.json'; diff --git a/api_docs/kbn_hapi_mocks.mdx b/api_docs/kbn_hapi_mocks.mdx index 76968ee9d6cc3..3599b67b099a0 100644 --- a/api_docs/kbn_hapi_mocks.mdx +++ b/api_docs/kbn_hapi_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-hapi-mocks title: "@kbn/hapi-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/hapi-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/hapi-mocks'] --- import kbnHapiMocksObj from './kbn_hapi_mocks.devdocs.json'; diff --git a/api_docs/kbn_health_gateway_server.mdx b/api_docs/kbn_health_gateway_server.mdx index 895abb37fcd6f..01354a0eda818 100644 --- a/api_docs/kbn_health_gateway_server.mdx +++ b/api_docs/kbn_health_gateway_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-health-gateway-server title: "@kbn/health-gateway-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/health-gateway-server plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/health-gateway-server'] --- import kbnHealthGatewayServerObj from './kbn_health_gateway_server.devdocs.json'; diff --git a/api_docs/kbn_home_sample_data_card.mdx b/api_docs/kbn_home_sample_data_card.mdx index 8cbb1bd05a1a1..902489d37c9bd 100644 --- a/api_docs/kbn_home_sample_data_card.mdx +++ b/api_docs/kbn_home_sample_data_card.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-home-sample-data-card title: "@kbn/home-sample-data-card" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/home-sample-data-card plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/home-sample-data-card'] --- import kbnHomeSampleDataCardObj from './kbn_home_sample_data_card.devdocs.json'; diff --git a/api_docs/kbn_home_sample_data_tab.mdx b/api_docs/kbn_home_sample_data_tab.mdx index 9a1886dcacb91..8b5d904d4c941 100644 --- a/api_docs/kbn_home_sample_data_tab.mdx +++ b/api_docs/kbn_home_sample_data_tab.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-home-sample-data-tab title: "@kbn/home-sample-data-tab" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/home-sample-data-tab plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/home-sample-data-tab'] --- import kbnHomeSampleDataTabObj from './kbn_home_sample_data_tab.devdocs.json'; diff --git a/api_docs/kbn_i18n.mdx b/api_docs/kbn_i18n.mdx index 792c3f0a66523..40cf1be666b29 100644 --- a/api_docs/kbn_i18n.mdx +++ b/api_docs/kbn_i18n.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-i18n title: "@kbn/i18n" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/i18n plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/i18n'] --- import kbnI18nObj from './kbn_i18n.devdocs.json'; diff --git a/api_docs/kbn_i18n_react.mdx b/api_docs/kbn_i18n_react.mdx index 6989212d58b26..48e2c7292d6cd 100644 --- a/api_docs/kbn_i18n_react.mdx +++ b/api_docs/kbn_i18n_react.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-i18n-react title: "@kbn/i18n-react" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/i18n-react plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/i18n-react'] --- import kbnI18nReactObj from './kbn_i18n_react.devdocs.json'; diff --git a/api_docs/kbn_import_resolver.mdx b/api_docs/kbn_import_resolver.mdx index 2b1162e07c2fd..1900578745ead 100644 --- a/api_docs/kbn_import_resolver.mdx +++ b/api_docs/kbn_import_resolver.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-import-resolver title: "@kbn/import-resolver" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/import-resolver plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/import-resolver'] --- import kbnImportResolverObj from './kbn_import_resolver.devdocs.json'; diff --git a/api_docs/kbn_interpreter.mdx b/api_docs/kbn_interpreter.mdx index 9ca750959b931..b3b2d49d8e1a7 100644 --- a/api_docs/kbn_interpreter.mdx +++ b/api_docs/kbn_interpreter.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-interpreter title: "@kbn/interpreter" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/interpreter plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/interpreter'] --- import kbnInterpreterObj from './kbn_interpreter.devdocs.json'; 
diff --git a/api_docs/kbn_io_ts_utils.mdx b/api_docs/kbn_io_ts_utils.mdx index 4ae7018ec4280..6bb790ec28ac2 100644 --- a/api_docs/kbn_io_ts_utils.mdx +++ b/api_docs/kbn_io_ts_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-io-ts-utils title: "@kbn/io-ts-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/io-ts-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/io-ts-utils'] --- import kbnIoTsUtilsObj from './kbn_io_ts_utils.devdocs.json'; diff --git a/api_docs/kbn_jest_serializers.mdx b/api_docs/kbn_jest_serializers.mdx index 5a715cd188e76..b751e86870d5c 100644 --- a/api_docs/kbn_jest_serializers.mdx +++ b/api_docs/kbn_jest_serializers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-jest-serializers title: "@kbn/jest-serializers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/jest-serializers plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/jest-serializers'] --- import kbnJestSerializersObj from './kbn_jest_serializers.devdocs.json'; diff --git a/api_docs/kbn_journeys.mdx b/api_docs/kbn_journeys.mdx index 26de7f7f4f750..fccc21d9a91c7 100644 --- a/api_docs/kbn_journeys.mdx +++ b/api_docs/kbn_journeys.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-journeys title: "@kbn/journeys" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/journeys plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/journeys'] --- import kbnJourneysObj from './kbn_journeys.devdocs.json'; diff --git a/api_docs/kbn_json_ast.mdx b/api_docs/kbn_json_ast.mdx index fe2837ad2ed80..0803cc42b6d69 100644 --- a/api_docs/kbn_json_ast.mdx +++ b/api_docs/kbn_json_ast.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-json-ast title: "@kbn/json-ast" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/json-ast plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/json-ast'] --- import kbnJsonAstObj from './kbn_json_ast.devdocs.json'; diff --git a/api_docs/kbn_kibana_manifest_schema.mdx b/api_docs/kbn_kibana_manifest_schema.mdx index b9927c269d964..52a09fe7c9627 100644 --- a/api_docs/kbn_kibana_manifest_schema.mdx +++ b/api_docs/kbn_kibana_manifest_schema.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-kibana-manifest-schema title: "@kbn/kibana-manifest-schema" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/kibana-manifest-schema plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/kibana-manifest-schema'] --- import kbnKibanaManifestSchemaObj from './kbn_kibana_manifest_schema.devdocs.json'; diff --git a/api_docs/kbn_language_documentation_popover.mdx b/api_docs/kbn_language_documentation_popover.mdx index 7347d9af32135..fd423c504cd2d 100644 --- a/api_docs/kbn_language_documentation_popover.mdx +++ b/api_docs/kbn_language_documentation_popover.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-language-documentation-popover title: "@kbn/language-documentation-popover" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/language-documentation-popover plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/language-documentation-popover'] --- import kbnLanguageDocumentationPopoverObj from './kbn_language_documentation_popover.devdocs.json'; diff --git a/api_docs/kbn_logging.mdx b/api_docs/kbn_logging.mdx index 2355da9366676..dbef8d7fc9b16 100644 --- a/api_docs/kbn_logging.mdx +++ b/api_docs/kbn_logging.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-logging title: "@kbn/logging" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/logging plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/logging'] --- import kbnLoggingObj from './kbn_logging.devdocs.json'; diff --git a/api_docs/kbn_logging_mocks.mdx b/api_docs/kbn_logging_mocks.mdx index 70fe8fa26e766..9a3f7988b039f 100644 --- a/api_docs/kbn_logging_mocks.mdx +++ b/api_docs/kbn_logging_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-logging-mocks title: "@kbn/logging-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/logging-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/logging-mocks'] --- import kbnLoggingMocksObj from './kbn_logging_mocks.devdocs.json'; diff --git a/api_docs/kbn_managed_vscode_config.mdx b/api_docs/kbn_managed_vscode_config.mdx index 149d817b26211..3fc6495488a4c 100644 --- a/api_docs/kbn_managed_vscode_config.mdx +++ b/api_docs/kbn_managed_vscode_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-managed-vscode-config title: "@kbn/managed-vscode-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/managed-vscode-config plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/managed-vscode-config'] --- import kbnManagedVscodeConfigObj from './kbn_managed_vscode_config.devdocs.json'; diff --git a/api_docs/kbn_mapbox_gl.mdx b/api_docs/kbn_mapbox_gl.mdx index 296a61a6da707..d4e2197491a2c 100644 --- a/api_docs/kbn_mapbox_gl.mdx +++ b/api_docs/kbn_mapbox_gl.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-mapbox-gl title: "@kbn/mapbox-gl" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/mapbox-gl plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/mapbox-gl'] --- import kbnMapboxGlObj from './kbn_mapbox_gl.devdocs.json'; diff --git a/api_docs/kbn_ml_agg_utils.mdx b/api_docs/kbn_ml_agg_utils.mdx index 8951742444a08..75be1ffd0ce3f 100644 --- a/api_docs/kbn_ml_agg_utils.mdx +++ b/api_docs/kbn_ml_agg_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-agg-utils title: "@kbn/ml-agg-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-agg-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-agg-utils'] --- import kbnMlAggUtilsObj from './kbn_ml_agg_utils.devdocs.json'; diff --git a/api_docs/kbn_ml_date_picker.mdx b/api_docs/kbn_ml_date_picker.mdx index f6a00f1901bc0..46ef2bab5634c 100644 --- a/api_docs/kbn_ml_date_picker.mdx +++ b/api_docs/kbn_ml_date_picker.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-date-picker title: "@kbn/ml-date-picker" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-date-picker plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-date-picker'] --- import kbnMlDatePickerObj from './kbn_ml_date_picker.devdocs.json'; diff --git a/api_docs/kbn_ml_is_defined.mdx b/api_docs/kbn_ml_is_defined.mdx index 1923c9ad41140..398dd108a8bd5 100644 --- a/api_docs/kbn_ml_is_defined.mdx +++ b/api_docs/kbn_ml_is_defined.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-is-defined title: "@kbn/ml-is-defined" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-is-defined plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-is-defined'] --- import kbnMlIsDefinedObj from './kbn_ml_is_defined.devdocs.json'; diff --git a/api_docs/kbn_ml_is_populated_object.mdx b/api_docs/kbn_ml_is_populated_object.mdx index 4de14def9d2b6..d7453c051fadd 100644 --- a/api_docs/kbn_ml_is_populated_object.mdx +++ b/api_docs/kbn_ml_is_populated_object.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-is-populated-object title: "@kbn/ml-is-populated-object" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-is-populated-object plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-is-populated-object'] --- import kbnMlIsPopulatedObjectObj from './kbn_ml_is_populated_object.devdocs.json'; diff --git a/api_docs/kbn_ml_local_storage.mdx b/api_docs/kbn_ml_local_storage.mdx index b50aca3102461..c37fb66738121 100644 --- a/api_docs/kbn_ml_local_storage.mdx +++ b/api_docs/kbn_ml_local_storage.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-local-storage title: "@kbn/ml-local-storage" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-local-storage plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-local-storage'] --- import kbnMlLocalStorageObj from './kbn_ml_local_storage.devdocs.json'; diff --git a/api_docs/kbn_ml_nested_property.mdx b/api_docs/kbn_ml_nested_property.mdx index 1d69c3f1900d9..381fb7bb686a8 100644 --- a/api_docs/kbn_ml_nested_property.mdx +++ b/api_docs/kbn_ml_nested_property.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-nested-property title: "@kbn/ml-nested-property" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-nested-property plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-nested-property'] --- import kbnMlNestedPropertyObj from './kbn_ml_nested_property.devdocs.json'; diff --git a/api_docs/kbn_ml_query_utils.mdx b/api_docs/kbn_ml_query_utils.mdx index ca77d5dc51720..3730f5fdfa75e 100644 --- a/api_docs/kbn_ml_query_utils.mdx +++ b/api_docs/kbn_ml_query_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-query-utils title: "@kbn/ml-query-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-query-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-query-utils'] --- import kbnMlQueryUtilsObj from './kbn_ml_query_utils.devdocs.json'; diff --git a/api_docs/kbn_ml_string_hash.mdx b/api_docs/kbn_ml_string_hash.mdx index 5191d4d7b5150..fda98e5192031 100644 --- a/api_docs/kbn_ml_string_hash.mdx +++ b/api_docs/kbn_ml_string_hash.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-string-hash title: "@kbn/ml-string-hash" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-string-hash plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-string-hash'] --- import kbnMlStringHashObj from './kbn_ml_string_hash.devdocs.json'; diff --git a/api_docs/kbn_ml_url_state.mdx b/api_docs/kbn_ml_url_state.mdx index a9afe8b59649b..2af7f8fbe15cf 100644 --- a/api_docs/kbn_ml_url_state.mdx +++ b/api_docs/kbn_ml_url_state.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-url-state title: "@kbn/ml-url-state" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-url-state plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-url-state'] --- import kbnMlUrlStateObj from './kbn_ml_url_state.devdocs.json'; diff --git a/api_docs/kbn_monaco.mdx b/api_docs/kbn_monaco.mdx index b8dbaae5df26e..322b0f1a846f7 100644 --- a/api_docs/kbn_monaco.mdx +++ b/api_docs/kbn_monaco.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-monaco title: "@kbn/monaco" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/monaco plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/monaco'] --- import kbnMonacoObj from './kbn_monaco.devdocs.json'; diff --git a/api_docs/kbn_optimizer.mdx b/api_docs/kbn_optimizer.mdx index 90dbc29c587e2..cb8d84edd97d0 100644 --- a/api_docs/kbn_optimizer.mdx +++ b/api_docs/kbn_optimizer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-optimizer title: "@kbn/optimizer" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/optimizer plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/optimizer'] --- import kbnOptimizerObj from './kbn_optimizer.devdocs.json'; diff --git a/api_docs/kbn_optimizer_webpack_helpers.mdx b/api_docs/kbn_optimizer_webpack_helpers.mdx index e6d4d69a71021..f230a504b622f 100644 --- a/api_docs/kbn_optimizer_webpack_helpers.mdx +++ b/api_docs/kbn_optimizer_webpack_helpers.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-optimizer-webpack-helpers title: "@kbn/optimizer-webpack-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/optimizer-webpack-helpers plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/optimizer-webpack-helpers'] --- import kbnOptimizerWebpackHelpersObj from './kbn_optimizer_webpack_helpers.devdocs.json'; diff --git a/api_docs/kbn_osquery_io_ts_types.mdx b/api_docs/kbn_osquery_io_ts_types.mdx index 23d7624d1f48a..33734d2b0de3d 100644 --- a/api_docs/kbn_osquery_io_ts_types.mdx +++ b/api_docs/kbn_osquery_io_ts_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-osquery-io-ts-types title: "@kbn/osquery-io-ts-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/osquery-io-ts-types plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/osquery-io-ts-types'] --- import kbnOsqueryIoTsTypesObj from './kbn_osquery_io_ts_types.devdocs.json'; diff --git a/api_docs/kbn_performance_testing_dataset_extractor.mdx b/api_docs/kbn_performance_testing_dataset_extractor.mdx index 332e40a829133..43586ef9a6987 100644 --- a/api_docs/kbn_performance_testing_dataset_extractor.mdx +++ b/api_docs/kbn_performance_testing_dataset_extractor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-performance-testing-dataset-extractor title: "@kbn/performance-testing-dataset-extractor" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/performance-testing-dataset-extractor plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/performance-testing-dataset-extractor'] --- import kbnPerformanceTestingDatasetExtractorObj from './kbn_performance_testing_dataset_extractor.devdocs.json'; 
diff --git a/api_docs/kbn_plugin_generator.mdx b/api_docs/kbn_plugin_generator.mdx index 002aed65bfa35..98ac7d44eabd0 100644 --- a/api_docs/kbn_plugin_generator.mdx +++ b/api_docs/kbn_plugin_generator.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-plugin-generator title: "@kbn/plugin-generator" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/plugin-generator plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/plugin-generator'] --- import kbnPluginGeneratorObj from './kbn_plugin_generator.devdocs.json'; diff --git a/api_docs/kbn_plugin_helpers.mdx b/api_docs/kbn_plugin_helpers.mdx index 5aed9e74a7398..057f404c5c8c6 100644 --- a/api_docs/kbn_plugin_helpers.mdx +++ b/api_docs/kbn_plugin_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-plugin-helpers title: "@kbn/plugin-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/plugin-helpers plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/plugin-helpers'] --- import kbnPluginHelpersObj from './kbn_plugin_helpers.devdocs.json'; diff --git a/api_docs/kbn_react_field.mdx b/api_docs/kbn_react_field.mdx index 1c77865d1c656..dbbe95164be32 100644 --- a/api_docs/kbn_react_field.mdx +++ b/api_docs/kbn_react_field.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-react-field title: "@kbn/react-field" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/react-field plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/react-field'] --- import kbnReactFieldObj from './kbn_react_field.devdocs.json'; diff --git a/api_docs/kbn_repo_file_maps.mdx b/api_docs/kbn_repo_file_maps.mdx index f9a9cbe4987e3..1bb6197f78b79 100644 --- a/api_docs/kbn_repo_file_maps.mdx +++ b/api_docs/kbn_repo_file_maps.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-file-maps title: "@kbn/repo-file-maps" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/repo-file-maps plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-file-maps'] --- import kbnRepoFileMapsObj from './kbn_repo_file_maps.devdocs.json'; diff --git a/api_docs/kbn_repo_linter.mdx b/api_docs/kbn_repo_linter.mdx index d5d1710941535..1a1be9368ce32 100644 --- a/api_docs/kbn_repo_linter.mdx +++ b/api_docs/kbn_repo_linter.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-linter title: "@kbn/repo-linter" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/repo-linter plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-linter'] --- import kbnRepoLinterObj from './kbn_repo_linter.devdocs.json'; diff --git a/api_docs/kbn_repo_path.mdx b/api_docs/kbn_repo_path.mdx index d199e4de53700..151216d6910e4 100644 --- a/api_docs/kbn_repo_path.mdx +++ b/api_docs/kbn_repo_path.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-path title: "@kbn/repo-path" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/repo-path plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-path'] --- import kbnRepoPathObj from './kbn_repo_path.devdocs.json'; diff --git a/api_docs/kbn_repo_source_classifier.mdx b/api_docs/kbn_repo_source_classifier.mdx index b85beabfbdbc4..6608daaaa27b5 100644 --- a/api_docs/kbn_repo_source_classifier.mdx +++ b/api_docs/kbn_repo_source_classifier.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-source-classifier title: "@kbn/repo-source-classifier" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/repo-source-classifier plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-source-classifier'] --- import kbnRepoSourceClassifierObj from './kbn_repo_source_classifier.devdocs.json'; diff --git a/api_docs/kbn_rison.mdx b/api_docs/kbn_rison.mdx index 4a63f6dd0ab83..f6fc9e3d8360a 100644 --- a/api_docs/kbn_rison.mdx +++ b/api_docs/kbn_rison.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-rison title: "@kbn/rison" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/rison plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/rison'] --- import kbnRisonObj from './kbn_rison.devdocs.json'; diff --git a/api_docs/kbn_rule_data_utils.mdx b/api_docs/kbn_rule_data_utils.mdx index 35eedd5ca226c..e06865f214f4c 100644 --- a/api_docs/kbn_rule_data_utils.mdx +++ b/api_docs/kbn_rule_data_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-rule-data-utils title: "@kbn/rule-data-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/rule-data-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/rule-data-utils'] --- import kbnRuleDataUtilsObj from './kbn_rule_data_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_autocomplete.mdx b/api_docs/kbn_securitysolution_autocomplete.mdx index 09d54bc51541a..9bff03426e054 100644 --- a/api_docs/kbn_securitysolution_autocomplete.mdx +++ b/api_docs/kbn_securitysolution_autocomplete.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-autocomplete title: "@kbn/securitysolution-autocomplete" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-autocomplete plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-autocomplete'] --- import kbnSecuritysolutionAutocompleteObj from './kbn_securitysolution_autocomplete.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_ecs.mdx b/api_docs/kbn_securitysolution_ecs.mdx index 60ef1c3351db5..af61683516d12 100644 --- a/api_docs/kbn_securitysolution_ecs.mdx +++ b/api_docs/kbn_securitysolution_ecs.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-ecs title: "@kbn/securitysolution-ecs" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-ecs plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-ecs'] --- import kbnSecuritysolutionEcsObj from './kbn_securitysolution_ecs.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_es_utils.mdx b/api_docs/kbn_securitysolution_es_utils.mdx index 3477818b17c91..c46dae10e94f6 100644 --- a/api_docs/kbn_securitysolution_es_utils.mdx +++ b/api_docs/kbn_securitysolution_es_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-es-utils title: "@kbn/securitysolution-es-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-es-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-es-utils'] --- import kbnSecuritysolutionEsUtilsObj from './kbn_securitysolution_es_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_exception_list_components.mdx b/api_docs/kbn_securitysolution_exception_list_components.mdx index c0c4dd5b9cd8c..588f597406346 100644 
--- a/api_docs/kbn_securitysolution_exception_list_components.mdx +++ b/api_docs/kbn_securitysolution_exception_list_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-exception-list-components title: "@kbn/securitysolution-exception-list-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-exception-list-components plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-exception-list-components'] --- import kbnSecuritysolutionExceptionListComponentsObj from './kbn_securitysolution_exception_list_components.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_hook_utils.mdx b/api_docs/kbn_securitysolution_hook_utils.mdx index 7606fb0f3c2e0..5b9ef853d717f 100644 --- a/api_docs/kbn_securitysolution_hook_utils.mdx +++ b/api_docs/kbn_securitysolution_hook_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-hook-utils title: "@kbn/securitysolution-hook-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-hook-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-hook-utils'] --- import kbnSecuritysolutionHookUtilsObj from './kbn_securitysolution_hook_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx b/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx index 1f6cb59abe6ab..646bfd83af092 100644 --- a/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx +++ b/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-alerting-types title: "@kbn/securitysolution-io-ts-alerting-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-alerting-types plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-alerting-types'] --- import kbnSecuritysolutionIoTsAlertingTypesObj from './kbn_securitysolution_io_ts_alerting_types.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_io_ts_list_types.mdx b/api_docs/kbn_securitysolution_io_ts_list_types.mdx index 471bb7daf7382..5f786f8f2de71 100644 --- a/api_docs/kbn_securitysolution_io_ts_list_types.mdx +++ b/api_docs/kbn_securitysolution_io_ts_list_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-list-types title: "@kbn/securitysolution-io-ts-list-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-list-types plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-list-types'] --- import kbnSecuritysolutionIoTsListTypesObj from './kbn_securitysolution_io_ts_list_types.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_io_ts_types.mdx b/api_docs/kbn_securitysolution_io_ts_types.mdx index bfbed76e3e700..be82c291b7ed0 100644 --- a/api_docs/kbn_securitysolution_io_ts_types.mdx +++ b/api_docs/kbn_securitysolution_io_ts_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-types title: "@kbn/securitysolution-io-ts-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-types plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-types'] --- import kbnSecuritysolutionIoTsTypesObj from './kbn_securitysolution_io_ts_types.devdocs.json'; 
diff --git a/api_docs/kbn_securitysolution_io_ts_utils.mdx b/api_docs/kbn_securitysolution_io_ts_utils.mdx index 726137c40d6e3..6b9bc9f65df15 100644 --- a/api_docs/kbn_securitysolution_io_ts_utils.mdx +++ b/api_docs/kbn_securitysolution_io_ts_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-utils title: "@kbn/securitysolution-io-ts-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-utils'] --- import kbnSecuritysolutionIoTsUtilsObj from './kbn_securitysolution_io_ts_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_api.mdx b/api_docs/kbn_securitysolution_list_api.mdx index b682cf1dcda62..d935c2b25137f 100644 --- a/api_docs/kbn_securitysolution_list_api.mdx +++ b/api_docs/kbn_securitysolution_list_api.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-api title: "@kbn/securitysolution-list-api" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-api plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-api'] --- import kbnSecuritysolutionListApiObj from './kbn_securitysolution_list_api.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_constants.mdx b/api_docs/kbn_securitysolution_list_constants.mdx index fd5f8553b7698..aa1e239634737 100644 --- a/api_docs/kbn_securitysolution_list_constants.mdx +++ b/api_docs/kbn_securitysolution_list_constants.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-constants title: "@kbn/securitysolution-list-constants" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-constants plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-constants'] --- import kbnSecuritysolutionListConstantsObj from './kbn_securitysolution_list_constants.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_hooks.mdx b/api_docs/kbn_securitysolution_list_hooks.mdx index a889a36d1dec1..8adf3c5ff3405 100644 --- a/api_docs/kbn_securitysolution_list_hooks.mdx +++ b/api_docs/kbn_securitysolution_list_hooks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-hooks title: "@kbn/securitysolution-list-hooks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-hooks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-hooks'] --- import kbnSecuritysolutionListHooksObj from './kbn_securitysolution_list_hooks.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_utils.mdx b/api_docs/kbn_securitysolution_list_utils.mdx index c1de7b28e108e..6f6ad62ed1a35 100644 --- a/api_docs/kbn_securitysolution_list_utils.mdx +++ b/api_docs/kbn_securitysolution_list_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-utils title: "@kbn/securitysolution-list-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-utils'] --- import kbnSecuritysolutionListUtilsObj from './kbn_securitysolution_list_utils.devdocs.json'; 
diff --git a/api_docs/kbn_securitysolution_rules.mdx b/api_docs/kbn_securitysolution_rules.mdx index d6947e192818c..5fc1b22fad7e8 100644 --- a/api_docs/kbn_securitysolution_rules.mdx +++ b/api_docs/kbn_securitysolution_rules.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-rules title: "@kbn/securitysolution-rules" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-rules plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-rules'] --- import kbnSecuritysolutionRulesObj from './kbn_securitysolution_rules.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_t_grid.mdx b/api_docs/kbn_securitysolution_t_grid.mdx index 47aee2c288d13..2ce507e4ee453 100644 --- a/api_docs/kbn_securitysolution_t_grid.mdx +++ b/api_docs/kbn_securitysolution_t_grid.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-t-grid title: "@kbn/securitysolution-t-grid" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-t-grid plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-t-grid'] --- import kbnSecuritysolutionTGridObj from './kbn_securitysolution_t_grid.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_utils.mdx b/api_docs/kbn_securitysolution_utils.mdx index 71c950c282de1..c465ca7e1e77a 100644 --- a/api_docs/kbn_securitysolution_utils.mdx +++ b/api_docs/kbn_securitysolution_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-utils title: "@kbn/securitysolution-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-utils'] --- import kbnSecuritysolutionUtilsObj from './kbn_securitysolution_utils.devdocs.json'; 
diff --git a/api_docs/kbn_server_http_tools.mdx b/api_docs/kbn_server_http_tools.mdx index 1a32fe5a8417e..b221a1d1a2417 100644 --- a/api_docs/kbn_server_http_tools.mdx +++ b/api_docs/kbn_server_http_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-server-http-tools title: "@kbn/server-http-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/server-http-tools plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/server-http-tools'] --- import kbnServerHttpToolsObj from './kbn_server_http_tools.devdocs.json'; diff --git a/api_docs/kbn_server_route_repository.mdx b/api_docs/kbn_server_route_repository.mdx index be05dc840c063..26f1c00d31336 100644 --- a/api_docs/kbn_server_route_repository.mdx +++ b/api_docs/kbn_server_route_repository.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-server-route-repository title: "@kbn/server-route-repository" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/server-route-repository plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/server-route-repository'] --- import kbnServerRouteRepositoryObj from './kbn_server_route_repository.devdocs.json'; diff --git a/api_docs/kbn_shared_svg.mdx b/api_docs/kbn_shared_svg.mdx index 5c56dd64ae767..67229628df3ff 100644 --- a/api_docs/kbn_shared_svg.mdx +++ b/api_docs/kbn_shared_svg.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-svg title: "@kbn/shared-svg" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-svg plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-svg'] --- import kbnSharedSvgObj from './kbn_shared_svg.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_avatar_solution.mdx b/api_docs/kbn_shared_ux_avatar_solution.mdx index 429249106c5b4..fd363074182bd 100644 
--- a/api_docs/kbn_shared_ux_avatar_solution.mdx +++ b/api_docs/kbn_shared_ux_avatar_solution.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-avatar-solution title: "@kbn/shared-ux-avatar-solution" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-avatar-solution plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-avatar-solution'] --- import kbnSharedUxAvatarSolutionObj from './kbn_shared_ux_avatar_solution.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx b/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx index 6aa4d356dc643..57c7b5c78e5af 100644 --- a/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx +++ b/api_docs/kbn_shared_ux_avatar_user_profile_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-avatar-user-profile-components title: "@kbn/shared-ux-avatar-user-profile-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-avatar-user-profile-components plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-avatar-user-profile-components'] --- import kbnSharedUxAvatarUserProfileComponentsObj from './kbn_shared_ux_avatar_user_profile_components.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_exit_full_screen.mdx b/api_docs/kbn_shared_ux_button_exit_full_screen.mdx index d01d88b65e245..2d2f7479cb731 100644 --- a/api_docs/kbn_shared_ux_button_exit_full_screen.mdx +++ b/api_docs/kbn_shared_ux_button_exit_full_screen.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-exit-full-screen title: "@kbn/shared-ux-button-exit-full-screen" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-exit-full-screen plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-exit-full-screen'] --- import kbnSharedUxButtonExitFullScreenObj from './kbn_shared_ux_button_exit_full_screen.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx b/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx index 9255d66b184b7..aee31277899fe 100644 --- a/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx +++ b/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-exit-full-screen-mocks title: "@kbn/shared-ux-button-exit-full-screen-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-exit-full-screen-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-exit-full-screen-mocks'] --- import kbnSharedUxButtonExitFullScreenMocksObj from './kbn_shared_ux_button_exit_full_screen_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_toolbar.mdx b/api_docs/kbn_shared_ux_button_toolbar.mdx index 83757a898e606..c0d11cc4a7389 100644 --- a/api_docs/kbn_shared_ux_button_toolbar.mdx +++ b/api_docs/kbn_shared_ux_button_toolbar.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-toolbar title: "@kbn/shared-ux-button-toolbar" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-toolbar plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-toolbar'] --- import kbnSharedUxButtonToolbarObj from './kbn_shared_ux_button_toolbar.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_card_no_data.mdx b/api_docs/kbn_shared_ux_card_no_data.mdx index 85491e50f5464..20131af9ae6a6 100644 --- a/api_docs/kbn_shared_ux_card_no_data.mdx +++ b/api_docs/kbn_shared_ux_card_no_data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-card-no-data title: "@kbn/shared-ux-card-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-card-no-data plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-card-no-data'] --- import kbnSharedUxCardNoDataObj from './kbn_shared_ux_card_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_card_no_data_mocks.mdx b/api_docs/kbn_shared_ux_card_no_data_mocks.mdx index 71689235c968e..a42a50a3a9153 100644 --- a/api_docs/kbn_shared_ux_card_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_card_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-card-no-data-mocks title: "@kbn/shared-ux-card-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-card-no-data-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-card-no-data-mocks'] --- import kbnSharedUxCardNoDataMocksObj from './kbn_shared_ux_card_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_context.mdx b/api_docs/kbn_shared_ux_file_context.mdx index c5e3ad90cb628..b9b7299d82825 100644 --- a/api_docs/kbn_shared_ux_file_context.mdx +++ b/api_docs/kbn_shared_ux_file_context.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-context title: "@kbn/shared-ux-file-context" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-context plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-context'] --- import kbnSharedUxFileContextObj from './kbn_shared_ux_file_context.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_image.mdx b/api_docs/kbn_shared_ux_file_image.mdx index 6fe406e5be943..f53517306ffb6 100644 --- a/api_docs/kbn_shared_ux_file_image.mdx +++ b/api_docs/kbn_shared_ux_file_image.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-image title: "@kbn/shared-ux-file-image" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-image plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-image'] --- import kbnSharedUxFileImageObj from './kbn_shared_ux_file_image.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_image_mocks.mdx b/api_docs/kbn_shared_ux_file_image_mocks.mdx index ee718b45c2453..d4101621ff92c 100644 --- a/api_docs/kbn_shared_ux_file_image_mocks.mdx +++ b/api_docs/kbn_shared_ux_file_image_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-image-mocks title: "@kbn/shared-ux-file-image-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-image-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-image-mocks'] --- import kbnSharedUxFileImageMocksObj from './kbn_shared_ux_file_image_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_mocks.mdx b/api_docs/kbn_shared_ux_file_mocks.mdx index a647b412c0b23..0fadef82b9371 100644 --- a/api_docs/kbn_shared_ux_file_mocks.mdx +++ b/api_docs/kbn_shared_ux_file_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-mocks title: "@kbn/shared-ux-file-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-mocks'] --- import kbnSharedUxFileMocksObj from './kbn_shared_ux_file_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_picker.mdx b/api_docs/kbn_shared_ux_file_picker.mdx index bf13d02131cd9..2099e302f0694 100644 --- a/api_docs/kbn_shared_ux_file_picker.mdx +++ b/api_docs/kbn_shared_ux_file_picker.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-picker title: "@kbn/shared-ux-file-picker" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-picker plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-picker'] --- import kbnSharedUxFilePickerObj from './kbn_shared_ux_file_picker.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_upload.mdx b/api_docs/kbn_shared_ux_file_upload.mdx index 95e7585d3c1ea..23d40d811f84a 100644 --- a/api_docs/kbn_shared_ux_file_upload.mdx +++ b/api_docs/kbn_shared_ux_file_upload.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-upload title: "@kbn/shared-ux-file-upload" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-upload plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-upload'] --- import kbnSharedUxFileUploadObj from './kbn_shared_ux_file_upload.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_file_util.mdx b/api_docs/kbn_shared_ux_file_util.mdx index 150cb8d79acd2..bd8f77b6383c9 100644 --- a/api_docs/kbn_shared_ux_file_util.mdx +++ b/api_docs/kbn_shared_ux_file_util.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-file-util title: "@kbn/shared-ux-file-util" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-file-util plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-file-util'] --- import kbnSharedUxFileUtilObj from './kbn_shared_ux_file_util.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_link_redirect_app.mdx b/api_docs/kbn_shared_ux_link_redirect_app.mdx index 58086c15f6dee..088fb8c5be1b0 100644 --- a/api_docs/kbn_shared_ux_link_redirect_app.mdx +++ b/api_docs/kbn_shared_ux_link_redirect_app.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-link-redirect-app title: "@kbn/shared-ux-link-redirect-app" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-link-redirect-app plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-link-redirect-app'] --- import kbnSharedUxLinkRedirectAppObj from './kbn_shared_ux_link_redirect_app.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx b/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx index 3ef6616bc223e..3d29a0acf1eeb 100644 --- a/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx +++ b/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-link-redirect-app-mocks title: "@kbn/shared-ux-link-redirect-app-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-link-redirect-app-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-link-redirect-app-mocks'] --- import kbnSharedUxLinkRedirectAppMocksObj from './kbn_shared_ux_link_redirect_app_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_markdown.mdx b/api_docs/kbn_shared_ux_markdown.mdx index 6a9ad55aa3f60..f87799dde556e 100644 --- a/api_docs/kbn_shared_ux_markdown.mdx +++ b/api_docs/kbn_shared_ux_markdown.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-markdown title: "@kbn/shared-ux-markdown" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-markdown plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-markdown'] --- import kbnSharedUxMarkdownObj from './kbn_shared_ux_markdown.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_markdown_mocks.mdx b/api_docs/kbn_shared_ux_markdown_mocks.mdx index 13a0e261d4761..a2ec3d0e12e08 100644 --- a/api_docs/kbn_shared_ux_markdown_mocks.mdx +++ b/api_docs/kbn_shared_ux_markdown_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-markdown-mocks title: "@kbn/shared-ux-markdown-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-markdown-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-markdown-mocks'] --- import kbnSharedUxMarkdownMocksObj from './kbn_shared_ux_markdown_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_analytics_no_data.mdx b/api_docs/kbn_shared_ux_page_analytics_no_data.mdx index 66a35b0e905de..91cd2ba019949 100644 --- a/api_docs/kbn_shared_ux_page_analytics_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_analytics_no_data.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-analytics-no-data title: "@kbn/shared-ux-page-analytics-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-analytics-no-data plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-analytics-no-data'] --- import kbnSharedUxPageAnalyticsNoDataObj from './kbn_shared_ux_page_analytics_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx index 1e9847e735485..1689ee0f13220 100644 --- a/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-analytics-no-data-mocks title: "@kbn/shared-ux-page-analytics-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-analytics-no-data-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-analytics-no-data-mocks'] --- import kbnSharedUxPageAnalyticsNoDataMocksObj from './kbn_shared_ux_page_analytics_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_no_data.mdx b/api_docs/kbn_shared_ux_page_kibana_no_data.mdx index 99797bffe6315..0d9bc50275cda 100644 --- a/api_docs/kbn_shared_ux_page_kibana_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_no_data.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-no-data title: "@kbn/shared-ux-page-kibana-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-no-data plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-no-data'] --- import kbnSharedUxPageKibanaNoDataObj from './kbn_shared_ux_page_kibana_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx index d9156da1b2715..aa4f978edb462 100644 --- a/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-no-data-mocks title: "@kbn/shared-ux-page-kibana-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-no-data-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-no-data-mocks'] --- import kbnSharedUxPageKibanaNoDataMocksObj from './kbn_shared_ux_page_kibana_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_template.mdx b/api_docs/kbn_shared_ux_page_kibana_template.mdx index 8902ad56a11be..2765aff1ae9b9 100644 --- a/api_docs/kbn_shared_ux_page_kibana_template.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_template.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-template title: "@kbn/shared-ux-page-kibana-template" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-template plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-template'] --- import kbnSharedUxPageKibanaTemplateObj from './kbn_shared_ux_page_kibana_template.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx b/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx index 012450ce5ccef..4c376ee9d4675 100644 --- a/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_template_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-template-mocks title: "@kbn/shared-ux-page-kibana-template-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-template-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-template-mocks'] --- import kbnSharedUxPageKibanaTemplateMocksObj from './kbn_shared_ux_page_kibana_template_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data.mdx b/api_docs/kbn_shared_ux_page_no_data.mdx index e8f230cbbd148..e343881da64a1 100644 --- a/api_docs/kbn_shared_ux_page_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_no_data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data title: "@kbn/shared-ux-page-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data'] --- import kbnSharedUxPageNoDataObj from './kbn_shared_ux_page_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data_config.mdx b/api_docs/kbn_shared_ux_page_no_data_config.mdx index 2107ab6b25785..3dc4772791b2e 100644 --- a/api_docs/kbn_shared_ux_page_no_data_config.mdx +++ b/api_docs/kbn_shared_ux_page_no_data_config.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data-config title: "@kbn/shared-ux-page-no-data-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data-config plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data-config'] --- import kbnSharedUxPageNoDataConfigObj from './kbn_shared_ux_page_no_data_config.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx b/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx index f0ebf8d108c9d..e45899cd041f7 100644 --- a/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_no_data_config_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data-config-mocks title: "@kbn/shared-ux-page-no-data-config-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data-config-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data-config-mocks'] --- import kbnSharedUxPageNoDataConfigMocksObj from './kbn_shared_ux_page_no_data_config_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_no_data_mocks.mdx index fb29394c43986..48bf6a7e52316 100644 --- a/api_docs/kbn_shared_ux_page_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-no-data-mocks title: "@kbn/shared-ux-page-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-no-data-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-no-data-mocks'] --- import kbnSharedUxPageNoDataMocksObj from './kbn_shared_ux_page_no_data_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_page_solution_nav.mdx b/api_docs/kbn_shared_ux_page_solution_nav.mdx index bf195a21030c5..6ee2363cd6e64 100644 --- a/api_docs/kbn_shared_ux_page_solution_nav.mdx +++ b/api_docs/kbn_shared_ux_page_solution_nav.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-solution-nav title: "@kbn/shared-ux-page-solution-nav" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-solution-nav plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-solution-nav'] --- import kbnSharedUxPageSolutionNavObj from './kbn_shared_ux_page_solution_nav.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_prompt_no_data_views.mdx b/api_docs/kbn_shared_ux_prompt_no_data_views.mdx index b6829a713dc5b..ed65d5242fb16 100644 --- a/api_docs/kbn_shared_ux_prompt_no_data_views.mdx +++ b/api_docs/kbn_shared_ux_prompt_no_data_views.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-no-data-views title: "@kbn/shared-ux-prompt-no-data-views" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-no-data-views plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-no-data-views'] --- import kbnSharedUxPromptNoDataViewsObj from './kbn_shared_ux_prompt_no_data_views.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx b/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx index 100b3d0ff0fe4..1fbdd5ff445ab 100644 --- a/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx +++ b/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-no-data-views-mocks title: "@kbn/shared-ux-prompt-no-data-views-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-no-data-views-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-no-data-views-mocks'] --- import kbnSharedUxPromptNoDataViewsMocksObj from './kbn_shared_ux_prompt_no_data_views_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_prompt_not_found.mdx b/api_docs/kbn_shared_ux_prompt_not_found.mdx index 8aa5b0eeec9bd..725f4b150bec0 100644 --- a/api_docs/kbn_shared_ux_prompt_not_found.mdx +++ b/api_docs/kbn_shared_ux_prompt_not_found.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-not-found title: "@kbn/shared-ux-prompt-not-found" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-not-found plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-not-found'] --- import kbnSharedUxPromptNotFoundObj from './kbn_shared_ux_prompt_not_found.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_router.mdx b/api_docs/kbn_shared_ux_router.mdx index 5023c0435753b..47eb9b72b8ef2 100644 --- a/api_docs/kbn_shared_ux_router.mdx +++ b/api_docs/kbn_shared_ux_router.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-router title: "@kbn/shared-ux-router" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-router plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-router'] --- import kbnSharedUxRouterObj from './kbn_shared_ux_router.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_router_mocks.mdx b/api_docs/kbn_shared_ux_router_mocks.mdx index 57916cc232c8c..22335e64ca818 100644 --- a/api_docs/kbn_shared_ux_router_mocks.mdx 
+++ b/api_docs/kbn_shared_ux_router_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-router-mocks title: "@kbn/shared-ux-router-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-router-mocks plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-router-mocks'] --- import kbnSharedUxRouterMocksObj from './kbn_shared_ux_router_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_storybook_config.mdx b/api_docs/kbn_shared_ux_storybook_config.mdx index 60ce18487be4f..ab557ad3e716a 100644 --- a/api_docs/kbn_shared_ux_storybook_config.mdx +++ b/api_docs/kbn_shared_ux_storybook_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-storybook-config title: "@kbn/shared-ux-storybook-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-storybook-config plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-storybook-config'] --- import kbnSharedUxStorybookConfigObj from './kbn_shared_ux_storybook_config.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_storybook_mock.mdx b/api_docs/kbn_shared_ux_storybook_mock.mdx index bbf16bbbdcf02..71e56f0c0736d 100644 --- a/api_docs/kbn_shared_ux_storybook_mock.mdx +++ b/api_docs/kbn_shared_ux_storybook_mock.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-storybook-mock title: "@kbn/shared-ux-storybook-mock" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-storybook-mock plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-storybook-mock'] --- import kbnSharedUxStorybookMockObj from './kbn_shared_ux_storybook_mock.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_utility.mdx b/api_docs/kbn_shared_ux_utility.mdx index 741cc149bba5c..59b49dd98e3f1 100644 
--- a/api_docs/kbn_shared_ux_utility.mdx +++ b/api_docs/kbn_shared_ux_utility.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-utility title: "@kbn/shared-ux-utility" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-utility plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-utility'] --- import kbnSharedUxUtilityObj from './kbn_shared_ux_utility.devdocs.json'; diff --git a/api_docs/kbn_slo_schema.mdx b/api_docs/kbn_slo_schema.mdx index b9d892401025d..5fba985ae17aa 100644 --- a/api_docs/kbn_slo_schema.mdx +++ b/api_docs/kbn_slo_schema.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-slo-schema title: "@kbn/slo-schema" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/slo-schema plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/slo-schema'] --- import kbnSloSchemaObj from './kbn_slo_schema.devdocs.json'; diff --git a/api_docs/kbn_some_dev_log.mdx b/api_docs/kbn_some_dev_log.mdx index d92ecbce88570..eaae6ee5a2a48 100644 --- a/api_docs/kbn_some_dev_log.mdx +++ b/api_docs/kbn_some_dev_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-some-dev-log title: "@kbn/some-dev-log" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/some-dev-log plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/some-dev-log'] --- import kbnSomeDevLogObj from './kbn_some_dev_log.devdocs.json'; diff --git a/api_docs/kbn_std.mdx b/api_docs/kbn_std.mdx index fa797c9f29bf9..8311291617c1e 100644 --- a/api_docs/kbn_std.mdx +++ b/api_docs/kbn_std.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-std title: "@kbn/std" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/std plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/std'] --- import kbnStdObj from './kbn_std.devdocs.json'; diff --git a/api_docs/kbn_stdio_dev_helpers.mdx b/api_docs/kbn_stdio_dev_helpers.mdx index b915affd484f7..face91aa4091d 100644 --- a/api_docs/kbn_stdio_dev_helpers.mdx +++ b/api_docs/kbn_stdio_dev_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-stdio-dev-helpers title: "@kbn/stdio-dev-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/stdio-dev-helpers plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/stdio-dev-helpers'] --- import kbnStdioDevHelpersObj from './kbn_stdio_dev_helpers.devdocs.json'; diff --git a/api_docs/kbn_storybook.mdx b/api_docs/kbn_storybook.mdx index f1906c594e7e0..097dcb57f4ff8 100644 --- a/api_docs/kbn_storybook.mdx +++ b/api_docs/kbn_storybook.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-storybook title: "@kbn/storybook" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/storybook plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/storybook'] --- import kbnStorybookObj from './kbn_storybook.devdocs.json'; diff --git a/api_docs/kbn_telemetry_tools.mdx b/api_docs/kbn_telemetry_tools.mdx index 60b366c31383f..a6e160f5916c2 100644 --- a/api_docs/kbn_telemetry_tools.mdx +++ b/api_docs/kbn_telemetry_tools.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-telemetry-tools title: "@kbn/telemetry-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/telemetry-tools plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/telemetry-tools'] --- import kbnTelemetryToolsObj from './kbn_telemetry_tools.devdocs.json'; diff --git a/api_docs/kbn_test.mdx b/api_docs/kbn_test.mdx index 3ac047b60e78a..a20e9b0889090 100644 --- a/api_docs/kbn_test.mdx +++ b/api_docs/kbn_test.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test title: "@kbn/test" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test'] --- import kbnTestObj from './kbn_test.devdocs.json'; diff --git a/api_docs/kbn_test_jest_helpers.mdx b/api_docs/kbn_test_jest_helpers.mdx index 3901597fb9e91..05525a70c0f37 100644 --- a/api_docs/kbn_test_jest_helpers.mdx +++ b/api_docs/kbn_test_jest_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test-jest-helpers title: "@kbn/test-jest-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test-jest-helpers plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test-jest-helpers'] --- import kbnTestJestHelpersObj from './kbn_test_jest_helpers.devdocs.json'; diff --git a/api_docs/kbn_test_subj_selector.mdx b/api_docs/kbn_test_subj_selector.mdx index 462366995a653..984a2d0abb9b2 100644 --- a/api_docs/kbn_test_subj_selector.mdx +++ b/api_docs/kbn_test_subj_selector.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test-subj-selector title: "@kbn/test-subj-selector" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test-subj-selector plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test-subj-selector'] --- import kbnTestSubjSelectorObj from './kbn_test_subj_selector.devdocs.json'; diff --git a/api_docs/kbn_tooling_log.mdx b/api_docs/kbn_tooling_log.mdx index ce4e776280213..5b4b83d5bcff2 100644 --- a/api_docs/kbn_tooling_log.mdx +++ b/api_docs/kbn_tooling_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-tooling-log title: "@kbn/tooling-log" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/tooling-log plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/tooling-log'] --- import kbnToolingLogObj from './kbn_tooling_log.devdocs.json'; diff --git a/api_docs/kbn_ts_projects.mdx b/api_docs/kbn_ts_projects.mdx index a7cf269ee38bd..48e93af3cc48f 100644 --- a/api_docs/kbn_ts_projects.mdx +++ b/api_docs/kbn_ts_projects.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ts-projects title: "@kbn/ts-projects" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ts-projects plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ts-projects'] --- import kbnTsProjectsObj from './kbn_ts_projects.devdocs.json'; diff --git a/api_docs/kbn_typed_react_router_config.mdx b/api_docs/kbn_typed_react_router_config.mdx index a8ac08a315a7a..25540d4aa2efe 100644 --- a/api_docs/kbn_typed_react_router_config.mdx +++ b/api_docs/kbn_typed_react_router_config.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-typed-react-router-config title: "@kbn/typed-react-router-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/typed-react-router-config plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/typed-react-router-config'] --- import kbnTypedReactRouterConfigObj from './kbn_typed_react_router_config.devdocs.json'; diff --git a/api_docs/kbn_ui_actions_browser.mdx b/api_docs/kbn_ui_actions_browser.mdx index ae8670f5dec70..cfc3d51a89018 100644 --- a/api_docs/kbn_ui_actions_browser.mdx +++ b/api_docs/kbn_ui_actions_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ui-actions-browser title: "@kbn/ui-actions-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ui-actions-browser plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ui-actions-browser'] --- import kbnUiActionsBrowserObj from './kbn_ui_actions_browser.devdocs.json'; diff --git a/api_docs/kbn_ui_shared_deps_src.mdx b/api_docs/kbn_ui_shared_deps_src.mdx index 347fe000515e3..8d05c4d7f41b3 100644 --- a/api_docs/kbn_ui_shared_deps_src.mdx +++ b/api_docs/kbn_ui_shared_deps_src.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ui-shared-deps-src title: "@kbn/ui-shared-deps-src" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ui-shared-deps-src plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ui-shared-deps-src'] --- import kbnUiSharedDepsSrcObj from './kbn_ui_shared_deps_src.devdocs.json'; diff --git a/api_docs/kbn_ui_theme.mdx b/api_docs/kbn_ui_theme.mdx index 01eeecc58b93e..84c2d016891df 100644 --- a/api_docs/kbn_ui_theme.mdx +++ b/api_docs/kbn_ui_theme.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ui-theme title: "@kbn/ui-theme" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ui-theme plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ui-theme'] --- import kbnUiThemeObj from './kbn_ui_theme.devdocs.json'; diff --git a/api_docs/kbn_user_profile_components.mdx b/api_docs/kbn_user_profile_components.mdx index befdb1cc8734d..99f1739ca783d 100644 --- a/api_docs/kbn_user_profile_components.mdx +++ b/api_docs/kbn_user_profile_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-user-profile-components title: "@kbn/user-profile-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/user-profile-components plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/user-profile-components'] --- import kbnUserProfileComponentsObj from './kbn_user_profile_components.devdocs.json'; diff --git a/api_docs/kbn_utility_types.mdx b/api_docs/kbn_utility_types.mdx index 2dc76eb947af5..27fd91b29927c 100644 --- a/api_docs/kbn_utility_types.mdx +++ b/api_docs/kbn_utility_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utility-types title: "@kbn/utility-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utility-types plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utility-types'] --- import kbnUtilityTypesObj from './kbn_utility_types.devdocs.json'; diff --git a/api_docs/kbn_utility_types_jest.mdx b/api_docs/kbn_utility_types_jest.mdx index b64cc7cc08705..79d61d36d4811 100644 --- a/api_docs/kbn_utility_types_jest.mdx +++ b/api_docs/kbn_utility_types_jest.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utility-types-jest title: "@kbn/utility-types-jest" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utility-types-jest plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utility-types-jest'] --- import kbnUtilityTypesJestObj from './kbn_utility_types_jest.devdocs.json'; diff --git a/api_docs/kbn_utils.mdx b/api_docs/kbn_utils.mdx index 1980b063ac49a..cc3300cae8b83 100644 --- a/api_docs/kbn_utils.mdx +++ b/api_docs/kbn_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utils title: "@kbn/utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utils'] --- import kbnUtilsObj from './kbn_utils.devdocs.json'; diff --git a/api_docs/kbn_yarn_lock_validator.mdx b/api_docs/kbn_yarn_lock_validator.mdx index 49dafb3c3f91f..c56bffddee4f3 100644 --- a/api_docs/kbn_yarn_lock_validator.mdx +++ b/api_docs/kbn_yarn_lock_validator.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-yarn-lock-validator title: "@kbn/yarn-lock-validator" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/yarn-lock-validator plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/yarn-lock-validator'] --- import kbnYarnLockValidatorObj from './kbn_yarn_lock_validator.devdocs.json'; diff --git a/api_docs/kibana_overview.mdx b/api_docs/kibana_overview.mdx index 562a637256b05..93e806641489c 100644 --- a/api_docs/kibana_overview.mdx +++ b/api_docs/kibana_overview.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaOverview title: "kibanaOverview" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaOverview plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaOverview'] --- import kibanaOverviewObj from './kibana_overview.devdocs.json'; diff --git a/api_docs/kibana_react.mdx b/api_docs/kibana_react.mdx index 0c054048d3ead..774c084a5f911 100644 --- a/api_docs/kibana_react.mdx +++ b/api_docs/kibana_react.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaReact title: "kibanaReact" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaReact plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaReact'] --- import kibanaReactObj from './kibana_react.devdocs.json'; diff --git a/api_docs/kibana_utils.mdx b/api_docs/kibana_utils.mdx index 685863468e1c2..5a885ae737656 100644 --- a/api_docs/kibana_utils.mdx +++ b/api_docs/kibana_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaUtils title: "kibanaUtils" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaUtils plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaUtils'] --- import kibanaUtilsObj from './kibana_utils.devdocs.json'; diff --git a/api_docs/kubernetes_security.mdx b/api_docs/kubernetes_security.mdx index 4a56ad41fc1f9..f32a2496628e6 100644 --- a/api_docs/kubernetes_security.mdx +++ b/api_docs/kubernetes_security.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kubernetesSecurity title: "kubernetesSecurity" image: https://source.unsplash.com/400x175/?github description: API docs for the kubernetesSecurity plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kubernetesSecurity'] --- import kubernetesSecurityObj from './kubernetes_security.devdocs.json'; 
diff --git a/api_docs/lens.mdx b/api_docs/lens.mdx index ee1860d9a2d5a..abd3e00b729f7 100644 --- a/api_docs/lens.mdx +++ b/api_docs/lens.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/lens title: "lens" image: https://source.unsplash.com/400x175/?github description: API docs for the lens plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'lens'] --- import lensObj from './lens.devdocs.json'; diff --git a/api_docs/license_api_guard.mdx b/api_docs/license_api_guard.mdx index b58751f65148c..7e6180752c1b1 100644 --- a/api_docs/license_api_guard.mdx +++ b/api_docs/license_api_guard.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licenseApiGuard title: "licenseApiGuard" image: https://source.unsplash.com/400x175/?github description: API docs for the licenseApiGuard plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licenseApiGuard'] --- import licenseApiGuardObj from './license_api_guard.devdocs.json'; diff --git a/api_docs/license_management.mdx b/api_docs/license_management.mdx index a2cd4c1c2cc38..9c7669e693da9 100644 --- a/api_docs/license_management.mdx +++ b/api_docs/license_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licenseManagement title: "licenseManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the licenseManagement plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licenseManagement'] --- import licenseManagementObj from './license_management.devdocs.json'; diff --git a/api_docs/licensing.mdx b/api_docs/licensing.mdx index 4bbcdac001647..3b0b31e49b6cf 100644 --- a/api_docs/licensing.mdx +++ b/api_docs/licensing.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licensing title: "licensing" image: https://source.unsplash.com/400x175/?github description: API docs for the licensing plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licensing'] --- import licensingObj from './licensing.devdocs.json'; diff --git a/api_docs/lists.mdx b/api_docs/lists.mdx index 8558d457d3899..bdcc2ece39175 100644 --- a/api_docs/lists.mdx +++ b/api_docs/lists.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/lists title: "lists" image: https://source.unsplash.com/400x175/?github description: API docs for the lists plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'lists'] --- import listsObj from './lists.devdocs.json'; diff --git a/api_docs/management.mdx b/api_docs/management.mdx index 1c99a88f8d66e..e4045cc26dca6 100644 --- a/api_docs/management.mdx +++ b/api_docs/management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/management title: "management" image: https://source.unsplash.com/400x175/?github description: API docs for the management plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'management'] --- import managementObj from './management.devdocs.json'; diff --git a/api_docs/maps.mdx b/api_docs/maps.mdx index dad6f9bb1e201..b4b3442abdf8b 100644 --- a/api_docs/maps.mdx +++ b/api_docs/maps.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/maps title: "maps" image: https://source.unsplash.com/400x175/?github description: API docs for the maps plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'maps'] --- import mapsObj from './maps.devdocs.json'; diff --git a/api_docs/maps_ems.mdx b/api_docs/maps_ems.mdx index 42822cab39150..83a775136fe3b 100644 --- a/api_docs/maps_ems.mdx +++ b/api_docs/maps_ems.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/mapsEms title: "mapsEms" image: https://source.unsplash.com/400x175/?github description: API docs for the mapsEms plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'mapsEms'] --- import mapsEmsObj from './maps_ems.devdocs.json'; diff --git a/api_docs/ml.mdx b/api_docs/ml.mdx index e12ad6fdfc9d1..e49face595536 100644 --- a/api_docs/ml.mdx +++ b/api_docs/ml.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ml title: "ml" image: https://source.unsplash.com/400x175/?github description: API docs for the ml plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ml'] --- import mlObj from './ml.devdocs.json'; diff --git a/api_docs/monitoring.mdx b/api_docs/monitoring.mdx index bf922479b7922..8ea58a34e89ac 100644 --- a/api_docs/monitoring.mdx +++ b/api_docs/monitoring.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/monitoring title: "monitoring" image: https://source.unsplash.com/400x175/?github description: API docs for the monitoring plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'monitoring'] --- import monitoringObj from './monitoring.devdocs.json'; diff --git a/api_docs/monitoring_collection.mdx b/api_docs/monitoring_collection.mdx index 38b487c4e9bdc..7afa2ee79d3fb 100644 --- a/api_docs/monitoring_collection.mdx +++ b/api_docs/monitoring_collection.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/monitoringCollection title: "monitoringCollection" image: https://source.unsplash.com/400x175/?github description: API docs for the monitoringCollection plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'monitoringCollection'] --- import monitoringCollectionObj from './monitoring_collection.devdocs.json'; diff --git a/api_docs/navigation.mdx b/api_docs/navigation.mdx index 6548e4fc8a019..8e53be2dff966 100644 --- a/api_docs/navigation.mdx +++ b/api_docs/navigation.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/navigation title: "navigation" image: https://source.unsplash.com/400x175/?github description: API docs for the navigation plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'navigation'] --- import navigationObj from './navigation.devdocs.json'; diff --git a/api_docs/newsfeed.mdx b/api_docs/newsfeed.mdx index 7c256c099085e..6ac8675395281 100644 --- a/api_docs/newsfeed.mdx +++ b/api_docs/newsfeed.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/newsfeed title: "newsfeed" image: https://source.unsplash.com/400x175/?github description: API docs for the newsfeed plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'newsfeed'] --- import newsfeedObj from './newsfeed.devdocs.json'; diff --git a/api_docs/notifications.mdx b/api_docs/notifications.mdx index 12abfa38e8c20..08a6fffc0323d 100644 --- a/api_docs/notifications.mdx +++ b/api_docs/notifications.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/notifications title: "notifications" image: https://source.unsplash.com/400x175/?github description: API docs for the notifications plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'notifications'] --- import notificationsObj from './notifications.devdocs.json'; diff --git a/api_docs/observability.mdx b/api_docs/observability.mdx index b468090720c89..5a7054508d2dc 100644 --- a/api_docs/observability.mdx +++ b/api_docs/observability.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/observability title: "observability" image: https://source.unsplash.com/400x175/?github description: API docs for the observability plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'observability'] --- import observabilityObj from './observability.devdocs.json'; diff --git a/api_docs/osquery.mdx b/api_docs/osquery.mdx index 44e4929143370..84e846e37d3da 100644 --- a/api_docs/osquery.mdx 
+++ b/api_docs/osquery.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/osquery title: "osquery" image: https://source.unsplash.com/400x175/?github description: API docs for the osquery plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'osquery'] --- import osqueryObj from './osquery.devdocs.json'; diff --git a/api_docs/plugin_directory.mdx b/api_docs/plugin_directory.mdx index bdfb5f0c1f844..5566e47db3ed1 100644 --- a/api_docs/plugin_directory.mdx +++ b/api_docs/plugin_directory.mdx @@ -7,7 +7,7 @@ id: kibDevDocsPluginDirectory slug: /kibana-dev-docs/api-meta/plugin-api-directory title: Directory description: Directory of public APIs available through plugins or packages. -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- @@ -15,13 +15,13 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Count | Plugins or Packages with a
public API | Number of teams | |--------------|----------|------------------------| -| 562 | 464 | 42 | +| 563 | 464 | 42 | ### Public API health stats | API Count | Any Count | Missing comments | Missing exports | |--------------|----------|-----------------|--------| -| 34891 | 527 | 24529 | 1244 | +| 34900 | 527 | 24538 | 1244 | ## Plugin Directory @@ -36,7 +36,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Considering using bfetch capabilities when fetching large amounts of data. This services supports batching HTTP requests and streaming responses back. | 89 | 1 | 74 | 2 | | | [Kibana Presentation](https://github.com/orgs/elastic/teams/kibana-presentation) | Adds Canvas application to Kibana | 9 | 0 | 8 | 3 | | | [ResponseOps](https://github.com/orgs/elastic/teams/response-ops) | The Case management system in Kibana | 87 | 0 | 71 | 28 | -| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualizations) | - | 267 | 16 | 252 | 9 | +| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualizations) | - | 270 | 16 | 255 | 9 | | | [Kibana Core](https://github.com/orgs/elastic/teams/kibana-core) | - | 41 | 0 | 11 | 0 | | | [Kibana Core](https://github.com/orgs/elastic/teams/kibana-core) | Chat available on Elastic Cloud deployments for quicker assistance. | 1 | 0 | 0 | 0 | | | [Platform Onboarding](https://github.com/orgs/elastic/teams/platform-onboarding) | Static migration page where self-managed users can see text/copy about migrating to Elastic Cloud | 8 | 1 | 8 | 1 | 
@@ -63,7 +63,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Stack Management](https://github.com/orgs/elastic/teams/kibana-stack-management) | - | 10 | 0 | 8 | 2 | | | [Data Discovery](https://github.com/orgs/elastic/teams/kibana-data-discovery) | This plugin contains the Discover application and the saved search embeddable. | 107 | 0 | 88 | 7 | | | [Data Discovery](https://github.com/orgs/elastic/teams/kibana-data-discovery) | - | 37 | 0 | 35 | 2 | -| | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Adds embeddables service to Kibana | 522 | 8 | 421 | 4 | +| | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Adds embeddables service to Kibana | 528 | 8 | 427 | 4 | | | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Extends embeddable plugin with more functionality | 14 | 0 | 14 | 0 | | | [Platform Security](https://github.com/orgs/elastic/teams/kibana-security) | This plugin provides encryption and decryption utilities for saved objects containing sensitive information. | 51 | 0 | 44 | 0 | | | [Enterprise Search](https://github.com/orgs/elastic/teams/enterprise-search-frontend) | Adds dashboards for discovering and managing Enterprise Search products. | 9 | 0 | 9 | 0 | 
@@ -186,7 +186,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualizations) | Registers the vega visualization. Is the elastic version of vega and vega-lite libraries. | 2 | 0 | 2 | 0 | | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualizations) | Contains the vislib visualizations. These are the classical area/line/bar, gauge/goal and heatmap charts. We want to replace them with elastic-charts. | 26 | 0 | 25 | 1 | | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualizations) | Contains the new xy-axis chart using the elastic-charts library, which will eventually replace the vislib xy-axis charts including bar, area, and line. | 53 | 0 | 50 | 5 | -| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualizations) | Contains the shared architecture among all the legacy visualizations, e.g. the visualization type registry or the visualization embeddable. | 800 | 12 | 770 | 18 | +| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualizations) | Contains the shared architecture among all the legacy visualizations, e.g. the visualization type registry or the visualization embeddable. | 801 | 12 | 771 | 18 | | watcher | [Stack Management](https://github.com/orgs/elastic/teams/kibana-stack-management) | - | 0 | 0 | 0 | 0 | ## Package Directory @@ -384,7 +384,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Owner missing] | - | 9 | 1 | 9 | 0 | | | [Owner missing] | - | 101 | 0 | 85 | 0 | | | [Owner missing] | - | 15 | 0 | 9 | 0 | -| | [Owner missing] | - | 28 | 2 | 25 | 0 | +| | [Owner missing] | - | 27 | 2 | 24 | 0 | | | [Owner missing] | - | 68 | 0 | 68 | 2 | | | [Owner missing] | - | 1 | 0 | 1 | 0 | | | [Owner missing] | - | 19 | 0 | 11 | 0 | diff --git a/api_docs/presentation_util.mdx b/api_docs/presentation_util.mdx index f7cee4742e313..e89dcf8bbfc81 100644 --- a/api_docs/presentation_util.mdx 
+++ b/api_docs/presentation_util.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/presentationUtil title: "presentationUtil" image: https://source.unsplash.com/400x175/?github description: API docs for the presentationUtil plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'presentationUtil'] --- import presentationUtilObj from './presentation_util.devdocs.json'; diff --git a/api_docs/profiling.mdx b/api_docs/profiling.mdx index 5fdf09635d65c..d7b36a697907e 100644 --- a/api_docs/profiling.mdx +++ b/api_docs/profiling.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/profiling title: "profiling" image: https://source.unsplash.com/400x175/?github description: API docs for the profiling plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'profiling'] --- import profilingObj from './profiling.devdocs.json'; diff --git a/api_docs/remote_clusters.mdx b/api_docs/remote_clusters.mdx index 84df35fc21a9b..fbb8a276ab769 100644 --- a/api_docs/remote_clusters.mdx +++ b/api_docs/remote_clusters.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/remoteClusters title: "remoteClusters" image: https://source.unsplash.com/400x175/?github description: API docs for the remoteClusters plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'remoteClusters'] --- import remoteClustersObj from './remote_clusters.devdocs.json'; diff --git a/api_docs/reporting.mdx b/api_docs/reporting.mdx index 98fe9b447f2e1..2ee9fb1c96187 100644 --- a/api_docs/reporting.mdx +++ b/api_docs/reporting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/reporting title: "reporting" image: https://source.unsplash.com/400x175/?github description: API docs for the reporting plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'reporting'] --- import reportingObj from './reporting.devdocs.json'; 
diff --git a/api_docs/rollup.mdx b/api_docs/rollup.mdx index cf348b76faa70..3d781b47a7db6 100644 --- a/api_docs/rollup.mdx +++ b/api_docs/rollup.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/rollup title: "rollup" image: https://source.unsplash.com/400x175/?github description: API docs for the rollup plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'rollup'] --- import rollupObj from './rollup.devdocs.json'; diff --git a/api_docs/rule_registry.mdx b/api_docs/rule_registry.mdx index ee10961989f17..fe5f3702f3f0d 100644 --- a/api_docs/rule_registry.mdx +++ b/api_docs/rule_registry.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ruleRegistry title: "ruleRegistry" image: https://source.unsplash.com/400x175/?github description: API docs for the ruleRegistry plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ruleRegistry'] --- import ruleRegistryObj from './rule_registry.devdocs.json'; diff --git a/api_docs/runtime_fields.mdx b/api_docs/runtime_fields.mdx index 127230c60b313..0b41e37466b0a 100644 --- a/api_docs/runtime_fields.mdx +++ b/api_docs/runtime_fields.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/runtimeFields title: "runtimeFields" image: https://source.unsplash.com/400x175/?github description: API docs for the runtimeFields plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'runtimeFields'] --- import runtimeFieldsObj from './runtime_fields.devdocs.json'; diff --git a/api_docs/saved_objects.mdx b/api_docs/saved_objects.mdx index d1ae0cdd44378..0422373d291be 100644 --- a/api_docs/saved_objects.mdx +++ b/api_docs/saved_objects.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjects title: "savedObjects" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjects plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjects'] --- import savedObjectsObj from './saved_objects.devdocs.json'; diff --git a/api_docs/saved_objects_finder.mdx b/api_docs/saved_objects_finder.mdx index 420fb21472668..f6c37b3e96ee4 100644 --- a/api_docs/saved_objects_finder.mdx +++ b/api_docs/saved_objects_finder.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsFinder title: "savedObjectsFinder" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsFinder plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsFinder'] --- import savedObjectsFinderObj from './saved_objects_finder.devdocs.json'; diff --git a/api_docs/saved_objects_management.mdx b/api_docs/saved_objects_management.mdx index 6af81c24bb803..2ea637d862897 100644 --- a/api_docs/saved_objects_management.mdx +++ b/api_docs/saved_objects_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsManagement title: "savedObjectsManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsManagement plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsManagement'] --- import savedObjectsManagementObj from './saved_objects_management.devdocs.json'; diff --git a/api_docs/saved_objects_tagging.mdx b/api_docs/saved_objects_tagging.mdx index 55a6c8381c241..dd5677871439b 100644 --- a/api_docs/saved_objects_tagging.mdx +++ b/api_docs/saved_objects_tagging.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsTagging title: "savedObjectsTagging" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsTagging plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsTagging'] --- import savedObjectsTaggingObj from './saved_objects_tagging.devdocs.json'; diff --git a/api_docs/saved_objects_tagging_oss.mdx b/api_docs/saved_objects_tagging_oss.mdx index 2204398d32a32..c218f7db9131a 100644 --- a/api_docs/saved_objects_tagging_oss.mdx +++ b/api_docs/saved_objects_tagging_oss.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsTaggingOss title: "savedObjectsTaggingOss" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsTaggingOss plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsTaggingOss'] --- import savedObjectsTaggingOssObj from './saved_objects_tagging_oss.devdocs.json'; diff --git a/api_docs/saved_search.mdx b/api_docs/saved_search.mdx index c8dc58ae28ac7..8a5fb8d1ac225 100644 --- a/api_docs/saved_search.mdx +++ b/api_docs/saved_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedSearch title: "savedSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the savedSearch plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedSearch'] --- import savedSearchObj from './saved_search.devdocs.json'; diff --git a/api_docs/screenshot_mode.mdx b/api_docs/screenshot_mode.mdx index c68d9d43b87ae..cdc393ea9e14f 100644 --- a/api_docs/screenshot_mode.mdx +++ b/api_docs/screenshot_mode.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/screenshotMode title: "screenshotMode" image: https://source.unsplash.com/400x175/?github description: API docs for the screenshotMode plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'screenshotMode'] --- import screenshotModeObj from './screenshot_mode.devdocs.json'; diff --git a/api_docs/screenshotting.mdx b/api_docs/screenshotting.mdx index 9e251ec2872cf..a0a9521d60446 100644 --- a/api_docs/screenshotting.mdx +++ b/api_docs/screenshotting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/screenshotting title: "screenshotting" image: https://source.unsplash.com/400x175/?github description: API docs for the screenshotting plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'screenshotting'] --- import screenshottingObj from './screenshotting.devdocs.json'; diff --git a/api_docs/security.mdx b/api_docs/security.mdx index 5af06b37a16da..db81e4193a208 100644 --- a/api_docs/security.mdx +++ b/api_docs/security.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/security title: "security" image: https://source.unsplash.com/400x175/?github description: API docs for the security plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'security'] --- import securityObj from './security.devdocs.json'; diff --git a/api_docs/security_solution.mdx b/api_docs/security_solution.mdx index ad96e67593dba..fcf71b04f8fd0 100644 --- a/api_docs/security_solution.mdx +++ b/api_docs/security_solution.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/securitySolution title: "securitySolution" image: https://source.unsplash.com/400x175/?github description: API docs for the securitySolution plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'securitySolution'] --- import securitySolutionObj from './security_solution.devdocs.json'; 
diff --git a/api_docs/session_view.mdx b/api_docs/session_view.mdx index 7f8a39b95aaaa..099b85c23276c 100644 --- a/api_docs/session_view.mdx +++ b/api_docs/session_view.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/sessionView title: "sessionView" image: https://source.unsplash.com/400x175/?github description: API docs for the sessionView plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'sessionView'] --- import sessionViewObj from './session_view.devdocs.json'; diff --git a/api_docs/share.mdx b/api_docs/share.mdx index 68f9f742ee5a8..6ec39a2895dac 100644 --- a/api_docs/share.mdx +++ b/api_docs/share.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/share title: "share" image: https://source.unsplash.com/400x175/?github description: API docs for the share plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'share'] --- import shareObj from './share.devdocs.json'; diff --git a/api_docs/snapshot_restore.mdx b/api_docs/snapshot_restore.mdx index 65b064a72d6ea..c9ea36a1cfff6 100644 --- a/api_docs/snapshot_restore.mdx +++ b/api_docs/snapshot_restore.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/snapshotRestore title: "snapshotRestore" image: https://source.unsplash.com/400x175/?github description: API docs for the snapshotRestore plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'snapshotRestore'] --- import snapshotRestoreObj from './snapshot_restore.devdocs.json'; diff --git a/api_docs/spaces.mdx b/api_docs/spaces.mdx index 751b42cdb3595..6cbf29e277330 100644 --- a/api_docs/spaces.mdx +++ b/api_docs/spaces.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/spaces title: "spaces" image: https://source.unsplash.com/400x175/?github description: API docs for the spaces plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'spaces'] --- import spacesObj from './spaces.devdocs.json'; 
diff --git a/api_docs/stack_alerts.mdx b/api_docs/stack_alerts.mdx index 9e42911806d78..427fa9d501c4a 100644 --- a/api_docs/stack_alerts.mdx +++ b/api_docs/stack_alerts.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/stackAlerts title: "stackAlerts" image: https://source.unsplash.com/400x175/?github description: API docs for the stackAlerts plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'stackAlerts'] --- import stackAlertsObj from './stack_alerts.devdocs.json'; diff --git a/api_docs/stack_connectors.mdx b/api_docs/stack_connectors.mdx index 4d45e69fb3ac0..8f05c3dad8516 100644 --- a/api_docs/stack_connectors.mdx +++ b/api_docs/stack_connectors.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/stackConnectors title: "stackConnectors" image: https://source.unsplash.com/400x175/?github description: API docs for the stackConnectors plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'stackConnectors'] --- import stackConnectorsObj from './stack_connectors.devdocs.json'; diff --git a/api_docs/task_manager.mdx b/api_docs/task_manager.mdx index c9de28875b1e5..bd28d0cf73a9f 100644 --- a/api_docs/task_manager.mdx +++ b/api_docs/task_manager.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/taskManager title: "taskManager" image: https://source.unsplash.com/400x175/?github description: API docs for the taskManager plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'taskManager'] --- import taskManagerObj from './task_manager.devdocs.json'; diff --git a/api_docs/telemetry.mdx b/api_docs/telemetry.mdx index 0cf2a73a4529d..bbf0dbca043fb 100644 --- a/api_docs/telemetry.mdx +++ b/api_docs/telemetry.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetry title: "telemetry" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetry plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetry'] --- import telemetryObj from './telemetry.devdocs.json'; diff --git a/api_docs/telemetry_collection_manager.mdx b/api_docs/telemetry_collection_manager.mdx index 22579d69d8ced..176a34434c6f5 100644 --- a/api_docs/telemetry_collection_manager.mdx +++ b/api_docs/telemetry_collection_manager.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryCollectionManager title: "telemetryCollectionManager" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryCollectionManager plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryCollectionManager'] --- import telemetryCollectionManagerObj from './telemetry_collection_manager.devdocs.json'; diff --git a/api_docs/telemetry_collection_xpack.mdx b/api_docs/telemetry_collection_xpack.mdx index def0dc23b8477..bdf393cd8fae0 100644 --- a/api_docs/telemetry_collection_xpack.mdx +++ b/api_docs/telemetry_collection_xpack.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryCollectionXpack title: "telemetryCollectionXpack" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryCollectionXpack plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryCollectionXpack'] --- import telemetryCollectionXpackObj from './telemetry_collection_xpack.devdocs.json'; diff --git a/api_docs/telemetry_management_section.mdx b/api_docs/telemetry_management_section.mdx index 3c6462dd3109b..ba770cd81ab9f 100644 --- a/api_docs/telemetry_management_section.mdx +++ b/api_docs/telemetry_management_section.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryManagementSection title: "telemetryManagementSection" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryManagementSection plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryManagementSection'] --- import telemetryManagementSectionObj from './telemetry_management_section.devdocs.json'; diff --git a/api_docs/threat_intelligence.mdx b/api_docs/threat_intelligence.mdx index ba49c3b608b1f..c5a494b528132 100644 --- a/api_docs/threat_intelligence.mdx +++ b/api_docs/threat_intelligence.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/threatIntelligence title: "threatIntelligence" image: https://source.unsplash.com/400x175/?github description: API docs for the threatIntelligence plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'threatIntelligence'] --- import threatIntelligenceObj from './threat_intelligence.devdocs.json'; diff --git a/api_docs/timelines.mdx b/api_docs/timelines.mdx index a88d0a629b86b..0ed7cc6bce837 100644 --- a/api_docs/timelines.mdx +++ b/api_docs/timelines.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/timelines title: "timelines" image: https://source.unsplash.com/400x175/?github description: API docs for the timelines plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'timelines'] --- import timelinesObj from './timelines.devdocs.json'; diff --git a/api_docs/transform.mdx b/api_docs/transform.mdx index 2d9bb58ccabac..d76e9ea6ae602 100644 --- a/api_docs/transform.mdx +++ b/api_docs/transform.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/transform title: "transform" image: https://source.unsplash.com/400x175/?github description: API docs for the transform plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'transform'] --- import transformObj from './transform.devdocs.json'; 
diff --git a/api_docs/triggers_actions_ui.mdx b/api_docs/triggers_actions_ui.mdx index e9c9f30000f13..6445a2a488090 100644 --- a/api_docs/triggers_actions_ui.mdx +++ b/api_docs/triggers_actions_ui.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/triggersActionsUi title: "triggersActionsUi" image: https://source.unsplash.com/400x175/?github description: API docs for the triggersActionsUi plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'triggersActionsUi'] --- import triggersActionsUiObj from './triggers_actions_ui.devdocs.json'; diff --git a/api_docs/ui_actions.mdx b/api_docs/ui_actions.mdx index 516218e9fb091..711963e0928ff 100644 --- a/api_docs/ui_actions.mdx +++ b/api_docs/ui_actions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/uiActions title: "uiActions" image: https://source.unsplash.com/400x175/?github description: API docs for the uiActions plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'uiActions'] --- import uiActionsObj from './ui_actions.devdocs.json'; diff --git a/api_docs/ui_actions_enhanced.mdx b/api_docs/ui_actions_enhanced.mdx index 2ef3040290b0d..468d03f186a10 100644 --- a/api_docs/ui_actions_enhanced.mdx +++ b/api_docs/ui_actions_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/uiActionsEnhanced title: "uiActionsEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the uiActionsEnhanced plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'uiActionsEnhanced'] --- import uiActionsEnhancedObj from './ui_actions_enhanced.devdocs.json'; diff --git a/api_docs/unified_field_list.mdx b/api_docs/unified_field_list.mdx index 00b6cab4773c8..dcec262afdfc7 100644 --- a/api_docs/unified_field_list.mdx +++ b/api_docs/unified_field_list.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedFieldList title: "unifiedFieldList" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedFieldList plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedFieldList'] --- import unifiedFieldListObj from './unified_field_list.devdocs.json'; diff --git a/api_docs/unified_histogram.devdocs.json b/api_docs/unified_histogram.devdocs.json index aca1afdb564fa..a5555275c7b58 100644 --- a/api_docs/unified_histogram.devdocs.json +++ b/api_docs/unified_histogram.devdocs.json @@ -1038,7 +1038,15 @@ "section": "def-common.Datatable", "text": "Datatable" }, - ", \"rows\" | \"columns\">; column: number; row: number; value: any; }[]; timeFieldName?: string | undefined; negate?: boolean | undefined; }) => void) | undefined" + ", \"rows\" | \"columns\">; column: number; row: number; value: any; }[]; timeFieldName?: string | undefined; negate?: boolean | undefined; } | { data: { table: Pick<", + { + "pluginId": "expressions", + "scope": "common", + "docId": "kibExpressionsPluginApi", + "section": "def-common.Datatable", + "text": "Datatable" + }, + ", \"rows\" | \"columns\">; column: number; value: any[]; }; timeFieldName?: string | undefined; negate?: boolean | undefined; }) => void) | undefined" ], "path": "src/plugins/unified_histogram/public/layout/layout.tsx", "deprecated": false, diff --git a/api_docs/unified_histogram.mdx b/api_docs/unified_histogram.mdx index 6b9c6903546d4..6d6856318e902 100644 --- a/api_docs/unified_histogram.mdx +++ b/api_docs/unified_histogram.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedHistogram title: "unifiedHistogram" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedHistogram plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedHistogram'] --- import unifiedHistogramObj from './unified_histogram.devdocs.json'; 
diff --git a/api_docs/unified_search.mdx b/api_docs/unified_search.mdx index f272c481dd11f..5d59c27e1868b 100644 --- a/api_docs/unified_search.mdx +++ b/api_docs/unified_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedSearch title: "unifiedSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedSearch plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedSearch'] --- import unifiedSearchObj from './unified_search.devdocs.json'; diff --git a/api_docs/unified_search_autocomplete.mdx b/api_docs/unified_search_autocomplete.mdx index 77d73b78e172e..4763c56772a61 100644 --- a/api_docs/unified_search_autocomplete.mdx +++ b/api_docs/unified_search_autocomplete.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedSearch-autocomplete title: "unifiedSearch.autocomplete" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedSearch.autocomplete plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedSearch.autocomplete'] --- import unifiedSearchAutocompleteObj from './unified_search_autocomplete.devdocs.json'; diff --git a/api_docs/url_forwarding.mdx b/api_docs/url_forwarding.mdx index f17065e04542f..57a27da550ab0 100644 --- a/api_docs/url_forwarding.mdx +++ b/api_docs/url_forwarding.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/urlForwarding title: "urlForwarding" image: https://source.unsplash.com/400x175/?github description: API docs for the urlForwarding plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'urlForwarding'] --- import urlForwardingObj from './url_forwarding.devdocs.json'; diff --git a/api_docs/usage_collection.mdx b/api_docs/usage_collection.mdx index 5b48442ddb42a..fc68766ce374d 100644 --- a/api_docs/usage_collection.mdx +++ b/api_docs/usage_collection.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/usageCollection title: "usageCollection" image: https://source.unsplash.com/400x175/?github description: API docs for the usageCollection plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'usageCollection'] --- import usageCollectionObj from './usage_collection.devdocs.json'; diff --git a/api_docs/ux.mdx b/api_docs/ux.mdx index 5c7349a555015..973f46bf0858f 100644 --- a/api_docs/ux.mdx +++ b/api_docs/ux.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ux title: "ux" image: https://source.unsplash.com/400x175/?github description: API docs for the ux plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ux'] --- import uxObj from './ux.devdocs.json'; diff --git a/api_docs/vis_default_editor.mdx b/api_docs/vis_default_editor.mdx index 2f54b387f6615..037a71d220782 100644 --- a/api_docs/vis_default_editor.mdx +++ b/api_docs/vis_default_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visDefaultEditor title: "visDefaultEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the visDefaultEditor plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visDefaultEditor'] --- import visDefaultEditorObj from './vis_default_editor.devdocs.json'; diff --git a/api_docs/vis_type_gauge.mdx b/api_docs/vis_type_gauge.mdx index 65c6f0898acd3..bb71b56a2e6d1 100644 --- a/api_docs/vis_type_gauge.mdx +++ b/api_docs/vis_type_gauge.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeGauge title: "visTypeGauge" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeGauge plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeGauge'] --- import visTypeGaugeObj from './vis_type_gauge.devdocs.json'; diff --git a/api_docs/vis_type_heatmap.mdx b/api_docs/vis_type_heatmap.mdx index 5d4c295dc0c78..5b934bea33597 100644 
--- a/api_docs/vis_type_heatmap.mdx +++ b/api_docs/vis_type_heatmap.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeHeatmap title: "visTypeHeatmap" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeHeatmap plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeHeatmap'] --- import visTypeHeatmapObj from './vis_type_heatmap.devdocs.json'; diff --git a/api_docs/vis_type_pie.mdx b/api_docs/vis_type_pie.mdx index 83d3f2beca7a8..e9144a7ada1db 100644 --- a/api_docs/vis_type_pie.mdx +++ b/api_docs/vis_type_pie.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypePie title: "visTypePie" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypePie plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypePie'] --- import visTypePieObj from './vis_type_pie.devdocs.json'; diff --git a/api_docs/vis_type_table.mdx b/api_docs/vis_type_table.mdx index 2359b557affc9..f4f0143d3e449 100644 --- a/api_docs/vis_type_table.mdx +++ b/api_docs/vis_type_table.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTable title: "visTypeTable" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTable plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTable'] --- import visTypeTableObj from './vis_type_table.devdocs.json'; diff --git a/api_docs/vis_type_timelion.mdx b/api_docs/vis_type_timelion.mdx index f1dd8fa7504d8..bd32a09f6758d 100644 --- a/api_docs/vis_type_timelion.mdx +++ b/api_docs/vis_type_timelion.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTimelion title: "visTypeTimelion" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTimelion plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTimelion'] --- import visTypeTimelionObj from './vis_type_timelion.devdocs.json'; diff --git a/api_docs/vis_type_timeseries.mdx b/api_docs/vis_type_timeseries.mdx index a71e01a107d27..f420c98e44e0d 100644 --- a/api_docs/vis_type_timeseries.mdx +++ b/api_docs/vis_type_timeseries.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTimeseries title: "visTypeTimeseries" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTimeseries plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTimeseries'] --- import visTypeTimeseriesObj from './vis_type_timeseries.devdocs.json'; diff --git a/api_docs/vis_type_vega.mdx b/api_docs/vis_type_vega.mdx index 8699c001f12ff..430774e2c3952 100644 --- a/api_docs/vis_type_vega.mdx +++ b/api_docs/vis_type_vega.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeVega title: "visTypeVega" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeVega plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeVega'] --- import visTypeVegaObj from './vis_type_vega.devdocs.json'; diff --git a/api_docs/vis_type_vislib.mdx b/api_docs/vis_type_vislib.mdx index fb348433b9a43..0c317486d666f 100644 --- a/api_docs/vis_type_vislib.mdx +++ b/api_docs/vis_type_vislib.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeVislib title: "visTypeVislib" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeVislib plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeVislib'] --- import visTypeVislibObj from './vis_type_vislib.devdocs.json'; 
diff --git a/api_docs/vis_type_xy.mdx b/api_docs/vis_type_xy.mdx index c487f4833f3d3..c7d5648e9da46 100644 --- a/api_docs/vis_type_xy.mdx +++ b/api_docs/vis_type_xy.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeXy title: "visTypeXy" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeXy plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeXy'] --- import visTypeXyObj from './vis_type_xy.devdocs.json'; diff --git a/api_docs/visualizations.devdocs.json b/api_docs/visualizations.devdocs.json index 2d07aa3db8e21..f78ad0845954c 100644 --- a/api_docs/visualizations.devdocs.json +++ b/api_docs/visualizations.devdocs.json @@ -6855,6 +6855,20 @@ "deprecated": false, "trackAdoption": false }, + { + "parentPluginId": "visualizations", + "id": "def-public.VIS_EVENT_TO_TRIGGER.multiFilter", + "type": "string", + "tags": [], + "label": "multiFilter", + "description": [], + "signature": [ + "\"MULTI_VALUE_CLICK_TRIGGER\"" + ], + "path": "src/plugins/visualizations/public/embeddable/events.ts", + "deprecated": false, + "trackAdoption": false + }, { "parentPluginId": "visualizations", "id": "def-public.VIS_EVENT_TO_TRIGGER.tableRowContextMenuClick", diff --git a/api_docs/visualizations.mdx b/api_docs/visualizations.mdx index ad5edb9b89fa3..ada36451c30b8 100644 --- a/api_docs/visualizations.mdx +++ b/api_docs/visualizations.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visualizations title: "visualizations" image: https://source.unsplash.com/400x175/?github description: API docs for the visualizations plugin -date: 2023-01-25 +date: 2023-01-26 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visualizations'] --- import visualizationsObj from './visualizations.devdocs.json'; 
@@ -21,7 +21,7 @@ Contact [Vis Editors](https://github.com/orgs/elastic/teams/kibana-visualization | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 800 | 12 | 770 | 18 | +| 801 | 12 | 771 | 18 | ## Client diff --git a/docs/developer/advanced/upgrading-nodejs.asciidoc b/docs/developer/advanced/upgrading-nodejs.asciidoc index 16e8502450c17..03701997a7560 100644 --- a/docs/developer/advanced/upgrading-nodejs.asciidoc +++ b/docs/developer/advanced/upgrading-nodejs.asciidoc @@ -17,7 +17,7 @@ These files must be updated when upgrading Node.js: - {kib-repo}blob/{branch}/WORKSPACE.bazel[`WORKSPACE.bazel`] - The version is specified in the `node_version` property. Besides this property, the list of files under `node_repositories` must be updated along with their respective SHA256 hashes. These can be found on the https://nodejs.org[nodejs.org] website. - Example for Node.js v18.13.0: https://nodejs.org/dist/v18.13.0/SHASUMS256.txt.asc + Example for Node.js v16.19.0: https://nodejs.org/dist/v16.19.0/SHASUMS256.txt.asc See PR {kib-repo}pull/128123[#128123] for an example of how the Node.js version has been upgraded previously. diff --git a/docs/developer/plugin-list.asciidoc b/docs/developer/plugin-list.asciidoc index 06666957c9ee4..4d0e8e1999749 100644 --- a/docs/developer/plugin-list.asciidoc +++ b/docs/developer/plugin-list.asciidoc 
@@ -184,6 +184,10 @@ for use in their own application. |Minimal interface for admins to manage files in Kibana. +|{kib-repo}blob/{branch}/src/plugins/ftr_apis/README.md[ftrApis] +|This plugin exposes a set of APIs used internally during functional tests by the FTR. + + |{kib-repo}blob/{branch}/src/plugins/guided_onboarding/README.md[guidedOnboarding] |This plugin contains the code for the Guided Onboarding project. Guided onboarding consists of guides for Solutions (Enterprise Search, Observability, Security) that can be completed as a checklist of steps. The guides help users to ingest their data and to navigate to the correct Solutions pages. diff --git a/docs/management/advanced-options.asciidoc b/docs/management/advanced-options.asciidoc index 11e9b1f450462..6b51685eefc6e 100644 --- a/docs/management/advanced-options.asciidoc +++ b/docs/management/advanced-options.asciidoc @@ -546,10 +546,6 @@ Disable this option if you prefer to use the new heatmap charts with improved pe Enables users to create, view, and edit experimental visualizations. When disabled, only production-ready visualizations are available to users. -[[lens-sampling]]`lens:useFieldExistenceSampling`:: -**This setting is deprecated and will not be supported as of 8.6.** -If enabled, document sampling is used to determine field existence (available or empty) for the Lens field list instead of relying on index mappings. - [float] [[kibana-telemetry-settings]] ==== Usage Data diff --git a/docs/management/cases/images/cases.png b/docs/management/cases/images/cases.png index b313decf7b6b5..ca2f2ea5d9c92 100644 Binary files a/docs/management/cases/images/cases.png and b/docs/management/cases/images/cases.png differ diff --git a/fleet_packages.json b/fleet_packages.json index a258e60fcc8bc..7ccfb852437cf 100644 --- a/fleet_packages.json +++ b/fleet_packages.json 
@@ -20,7 +20,7 @@
 [
 {
 "name": "apm",
- "version": "8.7.0-preview-1674061297",
+ "version": "8.7.0-preview-1674665274",
 "forceAlignStackVersion": true
 },
 {
@@ -41,6 +41,6 @@
 },
 {
 "name": "security_detection_engine",
- "version": "8.4.2-beta.1"
+ "version": "8.4.2"
 }
 ]
\ No newline at end of file
diff --git a/package.json b/package.json
index bda02247f639e..42b2c256c33c4 100644
--- a/package.json
+++ b/package.json
@@ -56,7 +56,7 @@
 "makelogs": "node scripts/makelogs",
 "spec_to_console": "node scripts/spec_to_console",
 "start": "node scripts/kibana --dev",
- "storybook": "node --openssl-legacy-provider scripts/storybook",
+ "storybook": "node scripts/storybook",
 "test:ftr": "node scripts/functional_tests",
 "test:ftr:runner": "node scripts/functional_test_runner",
 "test:ftr:server": "node scripts/functional_tests_server",
@@ -68,11 +68,11 @@
 "url": "https://github.com/elastic/kibana.git"
 },
 "engines": {
- "node": "18.13.0",
+ "node": "16.19.0",
 "yarn": "^1.22.19"
 },
 "resolutions": {
- "**/@types/node": "18.11.18",
+ "**/@types/node": "16.11.68",
 "**/chokidar": "^3.5.3",
 "**/deepmerge": "^4.2.2",
 "**/fast-deep-equal": "^3.1.1",
@@ -151,32 +151,23 @@
 "@kbn/content-management-table-list": "link:packages/content-management/table_list",
 "@kbn/core-analytics-browser": "link:packages/core/analytics/core-analytics-browser",
 "@kbn/core-analytics-browser-internal": "link:packages/core/analytics/core-analytics-browser-internal",
- "@kbn/core-analytics-browser-mocks": "link:packages/core/analytics/core-analytics-browser-mocks",
 "@kbn/core-analytics-server": "link:packages/core/analytics/core-analytics-server",
 "@kbn/core-analytics-server-internal": "link:packages/core/analytics/core-analytics-server-internal",
- "@kbn/core-analytics-server-mocks": "link:packages/core/analytics/core-analytics-server-mocks",
 "@kbn/core-application-browser": "link:packages/core/application/core-application-browser",
 "@kbn/core-application-browser-internal": "link:packages/core/application/core-application-browser-internal",
- "@kbn/core-application-browser-mocks": "link:packages/core/application/core-application-browser-mocks",
 "@kbn/core-application-common": "link:packages/core/application/core-application-common",
 "@kbn/core-apps-browser-internal": "link:packages/core/apps/core-apps-browser-internal",
- "@kbn/core-apps-browser-mocks": "link:packages/core/apps/core-apps-browser-mocks",
 "@kbn/core-apps-server-internal": "link:packages/core/apps/core-apps-server-internal",
 "@kbn/core-base-browser-internal": "link:packages/core/base/core-base-browser-internal",
- "@kbn/core-base-browser-mocks": "link:packages/core/base/core-base-browser-mocks",
 "@kbn/core-base-common": "link:packages/core/base/core-base-common",
 "@kbn/core-base-common-internal": "link:packages/core/base/core-base-common-internal",
 "@kbn/core-base-server-internal": "link:packages/core/base/core-base-server-internal",
- "@kbn/core-base-server-mocks": "link:packages/core/base/core-base-server-mocks",
 "@kbn/core-capabilities-browser-internal": "link:packages/core/capabilities/core-capabilities-browser-internal",
- "@kbn/core-capabilities-browser-mocks": "link:packages/core/capabilities/core-capabilities-browser-mocks",
 "@kbn/core-capabilities-common": "link:packages/core/capabilities/core-capabilities-common",
 "@kbn/core-capabilities-server": "link:packages/core/capabilities/core-capabilities-server",
 "@kbn/core-capabilities-server-internal": "link:packages/core/capabilities/core-capabilities-server-internal",
- "@kbn/core-capabilities-server-mocks": "link:packages/core/capabilities/core-capabilities-server-mocks",
 "@kbn/core-chrome-browser": "link:packages/core/chrome/core-chrome-browser",
 "@kbn/core-chrome-browser-internal": "link:packages/core/chrome/core-chrome-browser-internal",
- "@kbn/core-chrome-browser-mocks": "link:packages/core/chrome/core-chrome-browser-mocks",
 "@kbn/core-config-server-internal": "link:packages/core/config/core-config-server-internal",
 "@kbn/core-custom-branding-browser": "link:packages/core/custom-branding/core-custom-branding-browser",
 "@kbn/core-custom-branding-browser-internal": "link:packages/core/custom-branding/core-custom-branding-browser-internal",
@@ -187,146 +178,102 @@ "@kbn/core-custom-branding-server-mocks": "link:packages/core/custom-branding/core-custom-branding-server-mocks", "@kbn/core-deprecations-browser": "link:packages/core/deprecations/core-deprecations-browser", "@kbn/core-deprecations-browser-internal": "link:packages/core/deprecations/core-deprecations-browser-internal", - "@kbn/core-deprecations-browser-mocks": "link:packages/core/deprecations/core-deprecations-browser-mocks", "@kbn/core-deprecations-common": "link:packages/core/deprecations/core-deprecations-common", "@kbn/core-deprecations-server": "link:packages/core/deprecations/core-deprecations-server", "@kbn/core-deprecations-server-internal": "link:packages/core/deprecations/core-deprecations-server-internal", - "@kbn/core-deprecations-server-mocks": "link:packages/core/deprecations/core-deprecations-server-mocks", "@kbn/core-doc-links-browser": "link:packages/core/doc-links/core-doc-links-browser", "@kbn/core-doc-links-browser-internal": "link:packages/core/doc-links/core-doc-links-browser-internal", - "@kbn/core-doc-links-browser-mocks": "link:packages/core/doc-links/core-doc-links-browser-mocks", "@kbn/core-doc-links-server": "link:packages/core/doc-links/core-doc-links-server", "@kbn/core-doc-links-server-internal": "link:packages/core/doc-links/core-doc-links-server-internal", - "@kbn/core-doc-links-server-mocks": "link:packages/core/doc-links/core-doc-links-server-mocks", "@kbn/core-elasticsearch-client-server-internal": "link:packages/core/elasticsearch/core-elasticsearch-client-server-internal", - "@kbn/core-elasticsearch-client-server-mocks": "link:packages/core/elasticsearch/core-elasticsearch-client-server-mocks", "@kbn/core-elasticsearch-server": "link:packages/core/elasticsearch/core-elasticsearch-server", "@kbn/core-elasticsearch-server-internal": "link:packages/core/elasticsearch/core-elasticsearch-server-internal", - "@kbn/core-elasticsearch-server-mocks": 
"link:packages/core/elasticsearch/core-elasticsearch-server-mocks", "@kbn/core-environment-server-internal": "link:packages/core/environment/core-environment-server-internal", - "@kbn/core-environment-server-mocks": "link:packages/core/environment/core-environment-server-mocks", "@kbn/core-execution-context-browser": "link:packages/core/execution-context/core-execution-context-browser", "@kbn/core-execution-context-browser-internal": "link:packages/core/execution-context/core-execution-context-browser-internal", - "@kbn/core-execution-context-browser-mocks": "link:packages/core/execution-context/core-execution-context-browser-mocks", "@kbn/core-execution-context-common": "link:packages/core/execution-context/core-execution-context-common", "@kbn/core-execution-context-server": "link:packages/core/execution-context/core-execution-context-server", "@kbn/core-execution-context-server-internal": "link:packages/core/execution-context/core-execution-context-server-internal", - "@kbn/core-execution-context-server-mocks": "link:packages/core/execution-context/core-execution-context-server-mocks", "@kbn/core-fatal-errors-browser": "link:packages/core/fatal-errors/core-fatal-errors-browser", "@kbn/core-fatal-errors-browser-internal": "link:packages/core/fatal-errors/core-fatal-errors-browser-internal", - "@kbn/core-fatal-errors-browser-mocks": "link:packages/core/fatal-errors/core-fatal-errors-browser-mocks", "@kbn/core-http-browser": "link:packages/core/http/core-http-browser", "@kbn/core-http-browser-internal": "link:packages/core/http/core-http-browser-internal", - "@kbn/core-http-browser-mocks": "link:packages/core/http/core-http-browser-mocks", "@kbn/core-http-common": "link:packages/core/http/core-http-common", "@kbn/core-http-context-server-internal": "link:packages/core/http/core-http-context-server-internal", - "@kbn/core-http-context-server-mocks": "link:packages/core/http/core-http-context-server-mocks", "@kbn/core-http-request-handler-context-server": 
"link:packages/core/http/core-http-request-handler-context-server", "@kbn/core-http-request-handler-context-server-internal": "link:packages/core/http/core-http-request-handler-context-server-internal", "@kbn/core-http-resources-server": "link:packages/core/http/core-http-resources-server", "@kbn/core-http-resources-server-internal": "link:packages/core/http/core-http-resources-server-internal", - "@kbn/core-http-resources-server-mocks": "link:packages/core/http/core-http-resources-server-mocks", "@kbn/core-http-router-server-internal": "link:packages/core/http/core-http-router-server-internal", - "@kbn/core-http-router-server-mocks": "link:packages/core/http/core-http-router-server-mocks", "@kbn/core-http-server": "link:packages/core/http/core-http-server", "@kbn/core-http-server-internal": "link:packages/core/http/core-http-server-internal", - "@kbn/core-http-server-mocks": "link:packages/core/http/core-http-server-mocks", "@kbn/core-i18n-browser": "link:packages/core/i18n/core-i18n-browser", "@kbn/core-i18n-browser-internal": "link:packages/core/i18n/core-i18n-browser-internal", - "@kbn/core-i18n-browser-mocks": "link:packages/core/i18n/core-i18n-browser-mocks", "@kbn/core-i18n-server": "link:packages/core/i18n/core-i18n-server", "@kbn/core-i18n-server-internal": "link:packages/core/i18n/core-i18n-server-internal", - "@kbn/core-i18n-server-mocks": "link:packages/core/i18n/core-i18n-server-mocks", "@kbn/core-injected-metadata-browser-internal": "link:packages/core/injected-metadata/core-injected-metadata-browser-internal", - "@kbn/core-injected-metadata-browser-mocks": "link:packages/core/injected-metadata/core-injected-metadata-browser-mocks", "@kbn/core-injected-metadata-common-internal": "link:packages/core/injected-metadata/core-injected-metadata-common-internal", "@kbn/core-integrations-browser-internal": "link:packages/core/integrations/core-integrations-browser-internal", - "@kbn/core-integrations-browser-mocks": 
"link:packages/core/integrations/core-integrations-browser-mocks", "@kbn/core-lifecycle-browser": "link:packages/core/lifecycle/core-lifecycle-browser", "@kbn/core-lifecycle-browser-internal": "link:packages/core/lifecycle/core-lifecycle-browser-internal", - "@kbn/core-lifecycle-browser-mocks": "link:packages/core/lifecycle/core-lifecycle-browser-mocks", "@kbn/core-lifecycle-server": "link:packages/core/lifecycle/core-lifecycle-server", "@kbn/core-lifecycle-server-internal": "link:packages/core/lifecycle/core-lifecycle-server-internal", - "@kbn/core-lifecycle-server-mocks": "link:packages/core/lifecycle/core-lifecycle-server-mocks", "@kbn/core-logging-browser-internal": "link:packages/core/logging/core-logging-browser-internal", - "@kbn/core-logging-browser-mocks": "link:packages/core/logging/core-logging-browser-mocks", "@kbn/core-logging-common-internal": "link:packages/core/logging/core-logging-common-internal", "@kbn/core-logging-server": "link:packages/core/logging/core-logging-server", "@kbn/core-logging-server-internal": "link:packages/core/logging/core-logging-server-internal", - "@kbn/core-logging-server-mocks": "link:packages/core/logging/core-logging-server-mocks", "@kbn/core-metrics-collectors-server-internal": "link:packages/core/metrics/core-metrics-collectors-server-internal", - "@kbn/core-metrics-collectors-server-mocks": "link:packages/core/metrics/core-metrics-collectors-server-mocks", "@kbn/core-metrics-server": "link:packages/core/metrics/core-metrics-server", "@kbn/core-metrics-server-internal": "link:packages/core/metrics/core-metrics-server-internal", - "@kbn/core-metrics-server-mocks": "link:packages/core/metrics/core-metrics-server-mocks", "@kbn/core-mount-utils-browser": "link:packages/core/mount-utils/core-mount-utils-browser", "@kbn/core-mount-utils-browser-internal": "link:packages/core/mount-utils/core-mount-utils-browser-internal", "@kbn/core-node-server": "link:packages/core/node/core-node-server", "@kbn/core-node-server-internal": 
"link:packages/core/node/core-node-server-internal", - "@kbn/core-node-server-mocks": "link:packages/core/node/core-node-server-mocks", "@kbn/core-notifications-browser": "link:packages/core/notifications/core-notifications-browser", "@kbn/core-notifications-browser-internal": "link:packages/core/notifications/core-notifications-browser-internal", - "@kbn/core-notifications-browser-mocks": "link:packages/core/notifications/core-notifications-browser-mocks", "@kbn/core-overlays-browser": "link:packages/core/overlays/core-overlays-browser", "@kbn/core-overlays-browser-internal": "link:packages/core/overlays/core-overlays-browser-internal", - "@kbn/core-overlays-browser-mocks": "link:packages/core/overlays/core-overlays-browser-mocks", "@kbn/core-plugins-base-server-internal": "link:packages/core/plugins/core-plugins-base-server-internal", "@kbn/core-plugins-browser": "link:packages/core/plugins/core-plugins-browser", "@kbn/core-plugins-browser-internal": "link:packages/core/plugins/core-plugins-browser-internal", - "@kbn/core-plugins-browser-mocks": "link:packages/core/plugins/core-plugins-browser-mocks", "@kbn/core-plugins-server": "link:packages/core/plugins/core-plugins-server", "@kbn/core-plugins-server-internal": "link:packages/core/plugins/core-plugins-server-internal", - "@kbn/core-plugins-server-mocks": "link:packages/core/plugins/core-plugins-server-mocks", "@kbn/core-preboot-server": "link:packages/core/preboot/core-preboot-server", "@kbn/core-preboot-server-internal": "link:packages/core/preboot/core-preboot-server-internal", - "@kbn/core-preboot-server-mocks": "link:packages/core/preboot/core-preboot-server-mocks", "@kbn/core-rendering-browser-internal": "link:packages/core/rendering/core-rendering-browser-internal", - "@kbn/core-rendering-browser-mocks": "link:packages/core/rendering/core-rendering-browser-mocks", "@kbn/core-rendering-server-internal": "link:packages/core/rendering/core-rendering-server-internal", - "@kbn/core-rendering-server-mocks": 
"link:packages/core/rendering/core-rendering-server-mocks", "@kbn/core-root-browser-internal": "link:packages/core/root/core-root-browser-internal", "@kbn/core-root-server-internal": "link:packages/core/root/core-root-server-internal", "@kbn/core-saved-objects-api-browser": "link:packages/core/saved-objects/core-saved-objects-api-browser", "@kbn/core-saved-objects-api-server": "link:packages/core/saved-objects/core-saved-objects-api-server", "@kbn/core-saved-objects-api-server-internal": "link:packages/core/saved-objects/core-saved-objects-api-server-internal", - "@kbn/core-saved-objects-api-server-mocks": "link:packages/core/saved-objects/core-saved-objects-api-server-mocks", "@kbn/core-saved-objects-base-server-internal": "link:packages/core/saved-objects/core-saved-objects-base-server-internal", - "@kbn/core-saved-objects-base-server-mocks": "link:packages/core/saved-objects/core-saved-objects-base-server-mocks", "@kbn/core-saved-objects-browser": "link:packages/core/saved-objects/core-saved-objects-browser", "@kbn/core-saved-objects-browser-internal": "link:packages/core/saved-objects/core-saved-objects-browser-internal", - "@kbn/core-saved-objects-browser-mocks": "link:packages/core/saved-objects/core-saved-objects-browser-mocks", "@kbn/core-saved-objects-common": "link:packages/core/saved-objects/core-saved-objects-common", "@kbn/core-saved-objects-import-export-server-internal": "link:packages/core/saved-objects/core-saved-objects-import-export-server-internal", - "@kbn/core-saved-objects-import-export-server-mocks": "link:packages/core/saved-objects/core-saved-objects-import-export-server-mocks", "@kbn/core-saved-objects-migration-server-internal": "link:packages/core/saved-objects/core-saved-objects-migration-server-internal", - "@kbn/core-saved-objects-migration-server-mocks": "link:packages/core/saved-objects/core-saved-objects-migration-server-mocks", "@kbn/core-saved-objects-server": "link:packages/core/saved-objects/core-saved-objects-server", 
"@kbn/core-saved-objects-server-internal": "link:packages/core/saved-objects/core-saved-objects-server-internal", - "@kbn/core-saved-objects-server-mocks": "link:packages/core/saved-objects/core-saved-objects-server-mocks", "@kbn/core-saved-objects-utils-server": "link:packages/core/saved-objects/core-saved-objects-utils-server", "@kbn/core-status-common": "link:packages/core/status/core-status-common", "@kbn/core-status-common-internal": "link:packages/core/status/core-status-common-internal", "@kbn/core-status-server": "link:packages/core/status/core-status-server", "@kbn/core-status-server-internal": "link:packages/core/status/core-status-server-internal", - "@kbn/core-status-server-mocks": "link:packages/core/status/core-status-server-mocks", "@kbn/core-test-helpers-deprecations-getters": "link:packages/core/test-helpers/core-test-helpers-deprecations-getters", "@kbn/core-test-helpers-http-setup-browser": "link:packages/core/test-helpers/core-test-helpers-http-setup-browser", "@kbn/core-test-helpers-so-type-serializer": "link:packages/core/test-helpers/core-test-helpers-so-type-serializer", "@kbn/core-test-helpers-test-utils": "link:packages/core/test-helpers/core-test-helpers-test-utils", "@kbn/core-theme-browser": "link:packages/core/theme/core-theme-browser", "@kbn/core-theme-browser-internal": "link:packages/core/theme/core-theme-browser-internal", - "@kbn/core-theme-browser-mocks": "link:packages/core/theme/core-theme-browser-mocks", "@kbn/core-ui-settings-browser": "link:packages/core/ui-settings/core-ui-settings-browser", "@kbn/core-ui-settings-browser-internal": "link:packages/core/ui-settings/core-ui-settings-browser-internal", - "@kbn/core-ui-settings-browser-mocks": "link:packages/core/ui-settings/core-ui-settings-browser-mocks", "@kbn/core-ui-settings-common": "link:packages/core/ui-settings/core-ui-settings-common", "@kbn/core-ui-settings-server": "link:packages/core/ui-settings/core-ui-settings-server", "@kbn/core-ui-settings-server-internal": 
"link:packages/core/ui-settings/core-ui-settings-server-internal", - "@kbn/core-ui-settings-server-mocks": "link:packages/core/ui-settings/core-ui-settings-server-mocks", "@kbn/core-usage-data-base-server-internal": "link:packages/core/usage-data/core-usage-data-base-server-internal", "@kbn/core-usage-data-server": "link:packages/core/usage-data/core-usage-data-server", "@kbn/core-usage-data-server-internal": "link:packages/core/usage-data/core-usage-data-server-internal", - "@kbn/core-usage-data-server-mocks": "link:packages/core/usage-data/core-usage-data-server-mocks", "@kbn/crypto": "link:packages/kbn-crypto", "@kbn/crypto-browser": "link:packages/kbn-crypto-browser", "@kbn/datemath": "link:packages/kbn-datemath", @@ -507,7 +454,7 @@ "compare-versions": "3.5.1", "constate": "^3.3.2", "copy-to-clipboard": "^3.0.8", - "core-js": "^3.27.1", + "core-js": "^3.27.2", "cronstrue": "^1.51.0", "cuid": "^2.1.8", "cytoscape": "^3.10.0", @@ -527,7 +474,7 @@ "deepmerge": "^4.2.2", "del": "^6.1.0", "elastic-apm-http-client": "^11.0.1", - "elastic-apm-node": "^3.41.1", + "elastic-apm-node": "^3.42.0", "email-addresses": "^5.0.0", "execa": "^4.0.2", "expiry-js": "0.1.7", @@ -622,7 +569,7 @@ "query-string": "^6.13.2", "rbush": "^3.0.1", "re-resizable": "^6.1.1", - "re2": "1.17.7", + "re2": "1.17.4", "react": "^17.0.2", "react-ace": "^7.0.5", "react-beautiful-dnd": "^13.1.0", 
@@ -764,8 +711,62 @@ "@kbn/ci-stats-core": "link:packages/kbn-ci-stats-core", "@kbn/ci-stats-performance-metrics": "link:packages/kbn-ci-stats-performance-metrics", "@kbn/ci-stats-reporter": "link:packages/kbn-ci-stats-reporter", + "@kbn/ci-stats-shipper-cli": "link:packages/kbn-ci-stats-shipper-cli", "@kbn/cli-dev-mode": "link:packages/kbn-cli-dev-mode", + "@kbn/core-analytics-browser-mocks": "link:packages/core/analytics/core-analytics-browser-mocks", + "@kbn/core-analytics-server-mocks": "link:packages/core/analytics/core-analytics-server-mocks", + "@kbn/core-application-browser-mocks": "link:packages/core/application/core-application-browser-mocks", + "@kbn/core-apps-browser-mocks": "link:packages/core/apps/core-apps-browser-mocks", + "@kbn/core-base-browser-mocks": "link:packages/core/base/core-base-browser-mocks", + "@kbn/core-base-server-mocks": "link:packages/core/base/core-base-server-mocks", + "@kbn/core-capabilities-browser-mocks": "link:packages/core/capabilities/core-capabilities-browser-mocks", + "@kbn/core-capabilities-server-mocks": "link:packages/core/capabilities/core-capabilities-server-mocks", + "@kbn/core-chrome-browser-mocks": "link:packages/core/chrome/core-chrome-browser-mocks", + "@kbn/core-deprecations-browser-mocks": "link:packages/core/deprecations/core-deprecations-browser-mocks", + "@kbn/core-deprecations-server-mocks": "link:packages/core/deprecations/core-deprecations-server-mocks", + "@kbn/core-doc-links-browser-mocks": "link:packages/core/doc-links/core-doc-links-browser-mocks", + "@kbn/core-doc-links-server-mocks": "link:packages/core/doc-links/core-doc-links-server-mocks", + "@kbn/core-elasticsearch-client-server-mocks": "link:packages/core/elasticsearch/core-elasticsearch-client-server-mocks", + "@kbn/core-elasticsearch-server-mocks": "link:packages/core/elasticsearch/core-elasticsearch-server-mocks", + "@kbn/core-environment-server-mocks": "link:packages/core/environment/core-environment-server-mocks", + 
"@kbn/core-execution-context-browser-mocks": "link:packages/core/execution-context/core-execution-context-browser-mocks", + "@kbn/core-execution-context-server-mocks": "link:packages/core/execution-context/core-execution-context-server-mocks", + "@kbn/core-fatal-errors-browser-mocks": "link:packages/core/fatal-errors/core-fatal-errors-browser-mocks", + "@kbn/core-http-browser-mocks": "link:packages/core/http/core-http-browser-mocks", + "@kbn/core-http-context-server-mocks": "link:packages/core/http/core-http-context-server-mocks", + "@kbn/core-http-resources-server-mocks": "link:packages/core/http/core-http-resources-server-mocks", + "@kbn/core-http-router-server-mocks": "link:packages/core/http/core-http-router-server-mocks", + "@kbn/core-http-server-mocks": "link:packages/core/http/core-http-server-mocks", + "@kbn/core-i18n-browser-mocks": "link:packages/core/i18n/core-i18n-browser-mocks", + "@kbn/core-i18n-server-mocks": "link:packages/core/i18n/core-i18n-server-mocks", + "@kbn/core-injected-metadata-browser-mocks": "link:packages/core/injected-metadata/core-injected-metadata-browser-mocks", + "@kbn/core-integrations-browser-mocks": "link:packages/core/integrations/core-integrations-browser-mocks", + "@kbn/core-lifecycle-browser-mocks": "link:packages/core/lifecycle/core-lifecycle-browser-mocks", + "@kbn/core-lifecycle-server-mocks": "link:packages/core/lifecycle/core-lifecycle-server-mocks", + "@kbn/core-logging-browser-mocks": "link:packages/core/logging/core-logging-browser-mocks", + "@kbn/core-logging-server-mocks": "link:packages/core/logging/core-logging-server-mocks", + "@kbn/core-metrics-collectors-server-mocks": "link:packages/core/metrics/core-metrics-collectors-server-mocks", + "@kbn/core-metrics-server-mocks": "link:packages/core/metrics/core-metrics-server-mocks", + "@kbn/core-node-server-mocks": "link:packages/core/node/core-node-server-mocks", + "@kbn/core-notifications-browser-mocks": 
"link:packages/core/notifications/core-notifications-browser-mocks", + "@kbn/core-overlays-browser-mocks": "link:packages/core/overlays/core-overlays-browser-mocks", + "@kbn/core-plugins-browser-mocks": "link:packages/core/plugins/core-plugins-browser-mocks", + "@kbn/core-plugins-server-mocks": "link:packages/core/plugins/core-plugins-server-mocks", + "@kbn/core-preboot-server-mocks": "link:packages/core/preboot/core-preboot-server-mocks", + "@kbn/core-rendering-browser-mocks": "link:packages/core/rendering/core-rendering-browser-mocks", + "@kbn/core-rendering-server-mocks": "link:packages/core/rendering/core-rendering-server-mocks", + "@kbn/core-saved-objects-api-server-mocks": "link:packages/core/saved-objects/core-saved-objects-api-server-mocks", + "@kbn/core-saved-objects-base-server-mocks": "link:packages/core/saved-objects/core-saved-objects-base-server-mocks", + "@kbn/core-saved-objects-browser-mocks": "link:packages/core/saved-objects/core-saved-objects-browser-mocks", + "@kbn/core-saved-objects-import-export-server-mocks": "link:packages/core/saved-objects/core-saved-objects-import-export-server-mocks", + "@kbn/core-saved-objects-migration-server-mocks": "link:packages/core/saved-objects/core-saved-objects-migration-server-mocks", + "@kbn/core-saved-objects-server-mocks": "link:packages/core/saved-objects/core-saved-objects-server-mocks", + "@kbn/core-status-server-mocks": "link:packages/core/status/core-status-server-mocks", "@kbn/core-test-helpers-kbn-server": "link:packages/core/test-helpers/core-test-helpers-kbn-server", + "@kbn/core-theme-browser-mocks": "link:packages/core/theme/core-theme-browser-mocks", + "@kbn/core-ui-settings-browser-mocks": "link:packages/core/ui-settings/core-ui-settings-browser-mocks", + "@kbn/core-ui-settings-server-mocks": "link:packages/core/ui-settings/core-ui-settings-server-mocks", + "@kbn/core-usage-data-server-mocks": "link:packages/core/usage-data/core-usage-data-server-mocks", "@kbn/cypress-config": 
"link:packages/kbn-cypress-config", "@kbn/dev-cli-errors": "link:packages/kbn-dev-cli-errors", "@kbn/dev-cli-runner": "link:packages/kbn-dev-cli-runner", @@ -856,7 +857,7 @@ "@types/adm-zip": "^0.5.0", "@types/archiver": "^5.3.1", "@types/async": "^3.2.3", - "@types/babel__core": "^7.1.20", + "@types/babel__core": "^7.20.0", "@types/babel__generator": "^7.6.4", "@types/babel__helper-plugin-utils": "^7.10.0", "@types/base64-js": "^1.2.5", @@ -936,7 +937,7 @@ "@types/multistream": "^4.1.0", "@types/mustache": "^0.8.31", "@types/nock": "^10.0.3", - "@types/node": "18.11.18", + "@types/node": "16.11.68", "@types/node-fetch": "^2.6.0", "@types/node-forge": "^1.3.1", "@types/nodemailer": "^6.4.0", diff --git a/packages/core/analytics/core-analytics-browser-mocks/kibana.jsonc b/packages/core/analytics/core-analytics-browser-mocks/kibana.jsonc index 93bbc23fbbb79..34e790b37c1bf 100644 --- a/packages/core/analytics/core-analytics-browser-mocks/kibana.jsonc +++ b/packages/core/analytics/core-analytics-browser-mocks/kibana.jsonc @@ -1,5 +1,6 @@ { "type": "shared-common", "id": "@kbn/core-analytics-browser-mocks", + "devOnly": true, "owner": "@elastic/kibana-core" } diff --git a/packages/core/analytics/core-analytics-server-mocks/kibana.jsonc b/packages/core/analytics/core-analytics-server-mocks/kibana.jsonc index 319fec0506fe4..53c4ffb2026f5 100644 --- a/packages/core/analytics/core-analytics-server-mocks/kibana.jsonc +++ b/packages/core/analytics/core-analytics-server-mocks/kibana.jsonc @@ -1,5 +1,6 @@ { "type": "shared-common", "id": "@kbn/core-analytics-server-mocks", + "devOnly": true, "owner": "@elastic/kibana-core" } diff --git a/packages/core/application/core-application-browser-mocks/kibana.jsonc b/packages/core/application/core-application-browser-mocks/kibana.jsonc index 35714d9df41d4..dc516ef5c9552 100644 --- a/packages/core/application/core-application-browser-mocks/kibana.jsonc +++ b/packages/core/application/core-application-browser-mocks/kibana.jsonc 
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-application-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/apps/core-apps-browser-mocks/kibana.jsonc b/packages/core/apps/core-apps-browser-mocks/kibana.jsonc
index 970d9411462ad..731bb6ff85d0e 100644
--- a/packages/core/apps/core-apps-browser-mocks/kibana.jsonc
+++ b/packages/core/apps/core-apps-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-apps-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/apps/core-apps-server-internal/src/core_app.ts b/packages/core/apps/core-apps-server-internal/src/core_app.ts
index 872f3761b327f..c50ddd6e5cc1f 100644
--- a/packages/core/apps/core-apps-server-internal/src/core_app.ts
+++ b/packages/core/apps/core-apps-server-internal/src/core_app.ts
@@ -179,7 +179,9 @@ export class CoreAppsService {
 }
 const querystring = query ? stringify(query) : undefined;
- const url = `${requestBasePath}/${rewrittenPath}${querystring ? `?${querystring}` : ''}`;
+ const url = `${requestBasePath}/${encodeURIComponent(rewrittenPath)}${
+ querystring ? `?${querystring}` : ''
+ }`;
 return res.redirected({
 headers: {
diff --git a/packages/core/base/core-base-browser-mocks/kibana.jsonc b/packages/core/base/core-base-browser-mocks/kibana.jsonc
index 48c6b95d3afbd..75e25bf270abc 100644
--- a/packages/core/base/core-base-browser-mocks/kibana.jsonc
+++ b/packages/core/base/core-base-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-base-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/base/core-base-server-mocks/kibana.jsonc b/packages/core/base/core-base-server-mocks/kibana.jsonc
index 438181d917750..1286250c208ce 100644
--- a/packages/core/base/core-base-server-mocks/kibana.jsonc
+++ b/packages/core/base/core-base-server-mocks/kibana.jsonc
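Review bot: In core_app.ts the new `encodeURIComponent(rewrittenPath)` also escapes `/`, so a trailing-slash request with more than one path segment is now redirected to a single `%2F`-joined segment instead of the same path without the slash, and nothing in the hunk says whether that is intended. If the full encoding is deliberate hardening (presumably so a rewritten path starting with `/` cannot turn the redirect target into a protocol-relative URL), state it next to the line, e.g. `// encode '/' as well so the redirect target always stays under requestBasePath`. A unit test for a nested path and for a path beginning with `/` would pin the behaviour. The handler begins and ends outside the hunk, so how `rewrittenPath` is derived and validated is not visible here.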
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-base-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/capabilities/core-capabilities-browser-mocks/kibana.jsonc b/packages/core/capabilities/core-capabilities-browser-mocks/kibana.jsonc
index ab693c53daa3f..e359b398d6ecf 100644
--- a/packages/core/capabilities/core-capabilities-browser-mocks/kibana.jsonc
+++ b/packages/core/capabilities/core-capabilities-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-capabilities-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/capabilities/core-capabilities-server-mocks/kibana.jsonc b/packages/core/capabilities/core-capabilities-server-mocks/kibana.jsonc
index 68739c985d15b..e8e84de6cef6b 100644
--- a/packages/core/capabilities/core-capabilities-server-mocks/kibana.jsonc
+++ b/packages/core/capabilities/core-capabilities-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-capabilities-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/chrome/core-chrome-browser-mocks/kibana.jsonc b/packages/core/chrome/core-chrome-browser-mocks/kibana.jsonc
index e9283e5dab605..84c0c7c07701d 100644
--- a/packages/core/chrome/core-chrome-browser-mocks/kibana.jsonc
+++ b/packages/core/chrome/core-chrome-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-chrome-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/deprecations/core-deprecations-browser-mocks/kibana.jsonc b/packages/core/deprecations/core-deprecations-browser-mocks/kibana.jsonc
index 464f09cb0edd1..79a4354f8278c 100644
--- a/packages/core/deprecations/core-deprecations-browser-mocks/kibana.jsonc
+++ b/packages/core/deprecations/core-deprecations-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-deprecations-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/deprecations/core-deprecations-server-mocks/kibana.jsonc b/packages/core/deprecations/core-deprecations-server-mocks/kibana.jsonc
index f897a7c512b97..7a4729b822579 100644
--- a/packages/core/deprecations/core-deprecations-server-mocks/kibana.jsonc
+++ b/packages/core/deprecations/core-deprecations-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-deprecations-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/doc-links/core-doc-links-browser-mocks/kibana.jsonc b/packages/core/doc-links/core-doc-links-browser-mocks/kibana.jsonc
index c081dab3fdb64..0bfa8221ad87c 100644
--- a/packages/core/doc-links/core-doc-links-browser-mocks/kibana.jsonc
+++ b/packages/core/doc-links/core-doc-links-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-doc-links-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/doc-links/core-doc-links-server-mocks/kibana.jsonc b/packages/core/doc-links/core-doc-links-server-mocks/kibana.jsonc
index 76c59c8f5b31a..22a0368bfcda1 100644
--- a/packages/core/doc-links/core-doc-links-server-mocks/kibana.jsonc
+++ b/packages/core/doc-links/core-doc-links-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-doc-links-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/elasticsearch/core-elasticsearch-client-server-mocks/kibana.jsonc b/packages/core/elasticsearch/core-elasticsearch-client-server-mocks/kibana.jsonc
index 234f583289e7a..9e2eec284c98d 100644
--- a/packages/core/elasticsearch/core-elasticsearch-client-server-mocks/kibana.jsonc
+++ b/packages/core/elasticsearch/core-elasticsearch-client-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-elasticsearch-client-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/elasticsearch/core-elasticsearch-server-mocks/kibana.jsonc b/packages/core/elasticsearch/core-elasticsearch-server-mocks/kibana.jsonc
index 07c507160e1b3..e08bba9ad0e34 100644
--- a/packages/core/elasticsearch/core-elasticsearch-server-mocks/kibana.jsonc
+++ b/packages/core/elasticsearch/core-elasticsearch-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-elasticsearch-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/environment/core-environment-server-mocks/kibana.jsonc b/packages/core/environment/core-environment-server-mocks/kibana.jsonc
index 6905db81b1d91..52b0d1fd67358 100644
--- a/packages/core/environment/core-environment-server-mocks/kibana.jsonc
+++ b/packages/core/environment/core-environment-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-environment-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/execution-context/core-execution-context-browser-mocks/kibana.jsonc b/packages/core/execution-context/core-execution-context-browser-mocks/kibana.jsonc
index 63963af90bdff..2f26eabba462b 100644
--- a/packages/core/execution-context/core-execution-context-browser-mocks/kibana.jsonc
+++ b/packages/core/execution-context/core-execution-context-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-execution-context-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/execution-context/core-execution-context-server-mocks/kibana.jsonc b/packages/core/execution-context/core-execution-context-server-mocks/kibana.jsonc
index 05ebf05ec64ba..f00127ed53fd3 100644
--- a/packages/core/execution-context/core-execution-context-server-mocks/kibana.jsonc
+++ b/packages/core/execution-context/core-execution-context-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-execution-context-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/fatal-errors/core-fatal-errors-browser-mocks/kibana.jsonc b/packages/core/fatal-errors/core-fatal-errors-browser-mocks/kibana.jsonc
index 61cb6496a2410..7f109e5a82a33 100644
--- a/packages/core/fatal-errors/core-fatal-errors-browser-mocks/kibana.jsonc
+++ b/packages/core/fatal-errors/core-fatal-errors-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-fatal-errors-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/http/core-http-browser-mocks/kibana.jsonc b/packages/core/http/core-http-browser-mocks/kibana.jsonc
index 929adb25ee477..1a6824642b610 100644
--- a/packages/core/http/core-http-browser-mocks/kibana.jsonc
+++ b/packages/core/http/core-http-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-http-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/http/core-http-context-server-mocks/kibana.jsonc b/packages/core/http/core-http-context-server-mocks/kibana.jsonc
index aee5e424e6d33..19c6c700b54e6 100644
--- a/packages/core/http/core-http-context-server-mocks/kibana.jsonc
+++ b/packages/core/http/core-http-context-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-http-context-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/http/core-http-resources-server-mocks/kibana.jsonc b/packages/core/http/core-http-resources-server-mocks/kibana.jsonc
index fee811ff5d489..3b2bbee18b260 100644
--- a/packages/core/http/core-http-resources-server-mocks/kibana.jsonc
+++ b/packages/core/http/core-http-resources-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-http-resources-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/http/core-http-router-server-mocks/kibana.jsonc b/packages/core/http/core-http-router-server-mocks/kibana.jsonc
index a00b5ef3bdf10..5c6cbef3e8bd6 100644
--- a/packages/core/http/core-http-router-server-mocks/kibana.jsonc
+++ b/packages/core/http/core-http-router-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-http-router-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/http/core-http-server-mocks/kibana.jsonc b/packages/core/http/core-http-server-mocks/kibana.jsonc
index 6964e15f6ab82..07b23a084f966 100644
--- a/packages/core/http/core-http-server-mocks/kibana.jsonc
+++ b/packages/core/http/core-http-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-http-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/i18n/core-i18n-browser-mocks/kibana.jsonc b/packages/core/i18n/core-i18n-browser-mocks/kibana.jsonc
index b53670e4d6265..1c8b1d19d51ee 100644
--- a/packages/core/i18n/core-i18n-browser-mocks/kibana.jsonc
+++ b/packages/core/i18n/core-i18n-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-i18n-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/i18n/core-i18n-server-mocks/kibana.jsonc b/packages/core/i18n/core-i18n-server-mocks/kibana.jsonc
index 7cd0a24565bd7..1d651ce8a767b 100644
--- a/packages/core/i18n/core-i18n-server-mocks/kibana.jsonc
+++ b/packages/core/i18n/core-i18n-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-i18n-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/kibana.jsonc b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/kibana.jsonc
index 340968dde25f6..c353636f8b2a6 100644
--- a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/kibana.jsonc
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-injected-metadata-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/integrations/core-integrations-browser-mocks/kibana.jsonc b/packages/core/integrations/core-integrations-browser-mocks/kibana.jsonc
index 3231c3e282bcd..c1506381719ad 100644
--- a/packages/core/integrations/core-integrations-browser-mocks/kibana.jsonc
+++ b/packages/core/integrations/core-integrations-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-integrations-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/lifecycle/core-lifecycle-browser-mocks/kibana.jsonc b/packages/core/lifecycle/core-lifecycle-browser-mocks/kibana.jsonc
index e3dda6943018b..d70f77670c1e4 100644
--- a/packages/core/lifecycle/core-lifecycle-browser-mocks/kibana.jsonc
+++ b/packages/core/lifecycle/core-lifecycle-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-lifecycle-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/lifecycle/core-lifecycle-server-mocks/kibana.jsonc b/packages/core/lifecycle/core-lifecycle-server-mocks/kibana.jsonc
index abb14b3c14867..4f780278c2806 100644
--- a/packages/core/lifecycle/core-lifecycle-server-mocks/kibana.jsonc
+++ b/packages/core/lifecycle/core-lifecycle-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-lifecycle-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/logging/core-logging-browser-mocks/kibana.jsonc b/packages/core/logging/core-logging-browser-mocks/kibana.jsonc index 122934b8cfd18..04b3c2bd699df 100644 --- a/packages/core/logging/core-logging-browser-mocks/kibana.jsonc +++ b/packages/core/logging/core-logging-browser-mocks/kibana.jsonc @@ -1,5 +1,6 @@ { "type": "shared-common", "id": "@kbn/core-logging-browser-mocks", + "devOnly": true, "owner": "@elastic/kibana-core" } diff --git a/packages/core/logging/core-logging-server-internal/src/__snapshots__/logging_system.test.ts.snap b/packages/core/logging/core-logging-server-internal/src/__snapshots__/logging_system.test.ts.snap index 55a144b92ee26..36fd4b605e579 100644 --- a/packages/core/logging/core-logging-server-internal/src/__snapshots__/logging_system.test.ts.snap +++ b/packages/core/logging/core-logging-server-internal/src/__snapshots__/logging_system.test.ts.snap @@ -16,7 +16,7 @@ exports[`asLoggerFactory() only allows to create new loggers. 1`] = ` Object { "@timestamp": "2012-01-30T22:33:22.011-05:00", "ecs": Object { - "version": "8.4.0", + "version": "8.6.0", }, "log": Object { "level": "TRACE", @@ -33,7 +33,7 @@ exports[`asLoggerFactory() only allows to create new loggers. 2`] = ` Object { "@timestamp": "2012-01-30T17:33:22.011-05:00", "ecs": Object { - "version": "8.4.0", + "version": "8.6.0", }, "log": Object { "level": "INFO", @@ -51,7 +51,7 @@ exports[`asLoggerFactory() only allows to create new loggers. 3`] = ` Object { "@timestamp": "2012-01-30T12:33:22.011-05:00", "ecs": Object { - "version": "8.4.0", + "version": "8.6.0", }, "log": Object { "level": "FATAL", @@ -68,7 +68,7 @@ exports[`flushes memory buffer logger and switches to real logger once config is Object { "@timestamp": "2012-02-01T09:33:22.011-05:00", "ecs": Object { - "version": "8.4.0", + "version": "8.6.0", }, "log": Object { "level": "INFO", 
@@ -86,7 +86,7 @@ exports[`flushes memory buffer logger and switches to real logger once config is Object { "@timestamp": "2012-01-31T23:33:22.011-05:00", "ecs": Object { - "version": "8.4.0", + "version": "8.6.0", }, "log": Object { "level": "INFO", diff --git a/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.test.ts b/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.test.ts index 1a197883e511d..dfa2144c28015 100644 --- a/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.test.ts +++ b/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.test.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +import { EcsVersion } from '@kbn/ecs'; import { LogLevel, LogRecord } from '@kbn/logging'; import { JsonLayout } from './json_layout'; @@ -81,7 +82,7 @@ test('`format()` correctly formats record and includes correct ECS version.', () for (const record of records) { const { ecs, ...restOfRecord } = JSON.parse(layout.format(record)); - expect(ecs).toStrictEqual({ version: '8.4.0' }); + expect(ecs).toStrictEqual({ version: EcsVersion }); expect(restOfRecord).toMatchSnapshot(); } }); diff --git a/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.ts b/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.ts index 7d9e198565d98..cd41b7675464e 100644 --- a/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.ts +++ b/packages/core/logging/core-logging-server-internal/src/layouts/json_layout.ts @@ -9,7 +9,7 @@ import moment from 'moment-timezone'; import { merge } from '@kbn/std'; import { schema } from '@kbn/config-schema'; -import { Ecs } from '@kbn/ecs'; +import { Ecs, EcsVersion } from '@kbn/ecs'; import { LogRecord, Layout } from '@kbn/logging'; const { literal, object } = schema; 
@@ -43,7 +43,7 @@ export class JsonLayout implements Layout { const transactionId = record.meta?.transaction?.id ?? record.transactionId; const log: Ecs = { - ecs: { version: '8.4.0' }, + ecs: { version: EcsVersion }, '@timestamp': moment(record.timestamp).format('YYYY-MM-DDTHH:mm:ss.SSSZ'), message: record.message, error: JsonLayout.errorToSerializableObject(record.error), diff --git a/packages/core/logging/core-logging-server-internal/src/logging_system.test.ts b/packages/core/logging/core-logging-server-internal/src/logging_system.test.ts index bffe062118c5b..b28a95f731f72 100644 --- a/packages/core/logging/core-logging-server-internal/src/logging_system.test.ts +++ b/packages/core/logging/core-logging-server-internal/src/logging_system.test.ts @@ -8,7 +8,7 @@ import { mockStreamWrite, mockGetFlattenedObject } from './logging_system.test.mocks'; -const dynamicProps = { process: { pid: expect.any(Number) } }; +const dynamicProps = { process: { pid: expect.any(Number) }, ecs: { version: EcsVersion } }; const timestamp = new Date(Date.UTC(2012, 1, 1, 14, 33, 22, 11)); let mockConsoleLog: jest.SpyInstance; @@ -17,6 +17,7 @@ import { createWriteStream } from 'fs'; const mockCreateWriteStream = createWriteStream as unknown as jest.Mock; import { LoggingSystem, config } from '..'; +import { EcsVersion } from '@kbn/ecs'; let system: LoggingSystem; beforeEach(() => { diff --git a/packages/core/logging/core-logging-server-mocks/kibana.jsonc b/packages/core/logging/core-logging-server-mocks/kibana.jsonc index 3408f6692746c..443efb6cdcfe6 100644 --- a/packages/core/logging/core-logging-server-mocks/kibana.jsonc +++ b/packages/core/logging/core-logging-server-mocks/kibana.jsonc @@ -1,5 +1,6 @@ { "type": "shared-common", "id": "@kbn/core-logging-server-mocks", + "devOnly": true, "owner": "@elastic/kibana-core" } 
diff --git a/packages/core/metrics/core-metrics-collectors-server-mocks/kibana.jsonc b/packages/core/metrics/core-metrics-collectors-server-mocks/kibana.jsonc
index 3b24f1787e049..7629dd18a55b5 100644
--- a/packages/core/metrics/core-metrics-collectors-server-mocks/kibana.jsonc
+++ b/packages/core/metrics/core-metrics-collectors-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-metrics-collectors-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/metrics/core-metrics-server-mocks/kibana.jsonc b/packages/core/metrics/core-metrics-server-mocks/kibana.jsonc
index 4e55b952f1321..b722ae6c1e702 100644
--- a/packages/core/metrics/core-metrics-server-mocks/kibana.jsonc
+++ b/packages/core/metrics/core-metrics-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-metrics-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/node/core-node-server-mocks/kibana.jsonc b/packages/core/node/core-node-server-mocks/kibana.jsonc
index 1f1b6639042ec..4a04e244899e5 100644
--- a/packages/core/node/core-node-server-mocks/kibana.jsonc
+++ b/packages/core/node/core-node-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-node-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/notifications/core-notifications-browser-mocks/kibana.jsonc b/packages/core/notifications/core-notifications-browser-mocks/kibana.jsonc
index 1705ff3144b48..e5971c404204f 100644
--- a/packages/core/notifications/core-notifications-browser-mocks/kibana.jsonc
+++ b/packages/core/notifications/core-notifications-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-notifications-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/overlays/core-overlays-browser-mocks/kibana.jsonc b/packages/core/overlays/core-overlays-browser-mocks/kibana.jsonc
index f157b590fb35b..ee4989cc38d1f 100644
--- a/packages/core/overlays/core-overlays-browser-mocks/kibana.jsonc
+++ b/packages/core/overlays/core-overlays-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-overlays-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/plugins/core-plugins-browser-mocks/kibana.jsonc b/packages/core/plugins/core-plugins-browser-mocks/kibana.jsonc
index 1a3f5258dca2d..8dd092a0835d1 100644
--- a/packages/core/plugins/core-plugins-browser-mocks/kibana.jsonc
+++ b/packages/core/plugins/core-plugins-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-plugins-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/plugins/core-plugins-server-mocks/kibana.jsonc b/packages/core/plugins/core-plugins-server-mocks/kibana.jsonc
index 62d8b6d118156..f56fe9da7ab06 100644
--- a/packages/core/plugins/core-plugins-server-mocks/kibana.jsonc
+++ b/packages/core/plugins/core-plugins-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-plugins-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/preboot/core-preboot-server-mocks/kibana.jsonc b/packages/core/preboot/core-preboot-server-mocks/kibana.jsonc
index 91e60bd62b1e1..de65649980659 100644
--- a/packages/core/preboot/core-preboot-server-mocks/kibana.jsonc
+++ b/packages/core/preboot/core-preboot-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-preboot-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/rendering/core-rendering-browser-mocks/kibana.jsonc b/packages/core/rendering/core-rendering-browser-mocks/kibana.jsonc
index 38be88afd1499..25279626447cb 100644
--- a/packages/core/rendering/core-rendering-browser-mocks/kibana.jsonc
+++ b/packages/core/rendering/core-rendering-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-rendering-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/rendering/core-rendering-server-mocks/kibana.jsonc b/packages/core/rendering/core-rendering-server-mocks/kibana.jsonc
index 8d836f9acddaa..f56b1a1c735b3 100644
--- a/packages/core/rendering/core-rendering-server-mocks/kibana.jsonc
+++ b/packages/core/rendering/core-rendering-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-rendering-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/saved-objects/core-saved-objects-api-server-mocks/kibana.jsonc b/packages/core/saved-objects/core-saved-objects-api-server-mocks/kibana.jsonc
index 0bb78d126e72d..396eaf6911868 100644
--- a/packages/core/saved-objects/core-saved-objects-api-server-mocks/kibana.jsonc
+++ b/packages/core/saved-objects/core-saved-objects-api-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-saved-objects-api-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/saved-objects/core-saved-objects-base-server-mocks/kibana.jsonc b/packages/core/saved-objects/core-saved-objects-base-server-mocks/kibana.jsonc
index 29356da39ae30..ec80952e8e88a 100644
--- a/packages/core/saved-objects/core-saved-objects-base-server-mocks/kibana.jsonc
+++ b/packages/core/saved-objects/core-saved-objects-base-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-saved-objects-base-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/saved-objects/core-saved-objects-browser-mocks/kibana.jsonc b/packages/core/saved-objects/core-saved-objects-browser-mocks/kibana.jsonc
index 105338611b28f..d23c1c7eaf8fb 100644
--- a/packages/core/saved-objects/core-saved-objects-browser-mocks/kibana.jsonc
+++ b/packages/core/saved-objects/core-saved-objects-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-saved-objects-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/saved-objects/core-saved-objects-import-export-server-mocks/kibana.jsonc b/packages/core/saved-objects/core-saved-objects-import-export-server-mocks/kibana.jsonc
index 20b09ed4cf69a..94155855e5a69 100644
--- a/packages/core/saved-objects/core-saved-objects-import-export-server-mocks/kibana.jsonc
+++ b/packages/core/saved-objects/core-saved-objects-import-export-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-saved-objects-import-export-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/saved-objects/core-saved-objects-migration-server-mocks/kibana.jsonc b/packages/core/saved-objects/core-saved-objects-migration-server-mocks/kibana.jsonc
index 49e49c7d12b4f..3085afaf90d13 100644
--- a/packages/core/saved-objects/core-saved-objects-migration-server-mocks/kibana.jsonc
+++ b/packages/core/saved-objects/core-saved-objects-migration-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-saved-objects-migration-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/saved-objects/core-saved-objects-server-mocks/kibana.jsonc b/packages/core/saved-objects/core-saved-objects-server-mocks/kibana.jsonc
index 4e9f3fa49b016..ed6812237c399 100644
--- a/packages/core/saved-objects/core-saved-objects-server-mocks/kibana.jsonc
+++ b/packages/core/saved-objects/core-saved-objects-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@ { "type": "shared-common", "id": "@kbn/core-saved-objects-server-mocks", + "devOnly": true, "owner": "@elastic/kibana-core" } diff --git a/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts b/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts index 7ad9c37062a3d..1805e79b74340 100644 --- a/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts +++ b/packages/core/saved-objects/core-saved-objects-server/src/extensions/security.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ -import type { EcsEventOutcome } from '@kbn/ecs'; -import type { SavedObject } from '../..'; +import type { SavedObject } from '@kbn/core-saved-objects-common'; +import type { EcsEvent } from '@kbn/ecs'; /** * The PerformAuthorizationParams interface contains settings for checking @@ -169,7 +169,7 @@ export interface AddAuditEventParams { * The outcome of the operation * 'failure' | 'success' | 'unknown' */ - outcome?: EcsEventOutcome; + outcome?: EcsEvent['outcome']; /** * relevant saved object information * object containing type & id strings diff --git a/packages/core/status/core-status-server-mocks/kibana.jsonc b/packages/core/status/core-status-server-mocks/kibana.jsonc index ebb50f47fb40f..91ee9ce8065bd 100644 --- a/packages/core/status/core-status-server-mocks/kibana.jsonc +++ b/packages/core/status/core-status-server-mocks/kibana.jsonc @@ -1,5 +1,6 @@ { "type": "shared-common", "id": "@kbn/core-status-server-mocks", + "devOnly": true, "owner": "@elastic/kibana-core" } diff --git a/packages/core/theme/core-theme-browser-mocks/kibana.jsonc b/packages/core/theme/core-theme-browser-mocks/kibana.jsonc index f04c78bf09fe5..5955ef8eb8beb 100644 --- a/packages/core/theme/core-theme-browser-mocks/kibana.jsonc +++ b/packages/core/theme/core-theme-browser-mocks/kibana.jsonc 
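Review bot: In `AddAuditEventParams` (extensions/security.ts, second hunk), `outcome` is now typed as `EcsEvent['outcome']` while its doc comment still promises `'failure' | 'success' | 'unknown'`. The generated `EcsEvent` is not visible in this hunk; if it declares `outcome` as a plain `string`, the compiler no longer restricts audit events to those three values and a mistyped outcome would reach the audit record unnoticed. Because this field feeds audit logging, consider keeping the constraint locally, `outcome?: 'failure' | 'success' | 'unknown';`, or update the comment to state what the new type actually allows. The interface body starts and ends outside the hunk.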
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-theme-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/ui-settings/core-ui-settings-browser-mocks/kibana.jsonc b/packages/core/ui-settings/core-ui-settings-browser-mocks/kibana.jsonc
index fe1b1c48238cd..8f3d630732b6d 100644
--- a/packages/core/ui-settings/core-ui-settings-browser-mocks/kibana.jsonc
+++ b/packages/core/ui-settings/core-ui-settings-browser-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-ui-settings-browser-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/ui-settings/core-ui-settings-server-mocks/kibana.jsonc b/packages/core/ui-settings/core-ui-settings-server-mocks/kibana.jsonc
index b82edffb705dd..f55c1ada332ee 100644
--- a/packages/core/ui-settings/core-ui-settings-server-mocks/kibana.jsonc
+++ b/packages/core/ui-settings/core-ui-settings-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-ui-settings-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/core/usage-data/core-usage-data-server-mocks/kibana.jsonc b/packages/core/usage-data/core-usage-data-server-mocks/kibana.jsonc
index f916d41050f66..65dd20ad22ece 100644
--- a/packages/core/usage-data/core-usage-data-server-mocks/kibana.jsonc
+++ b/packages/core/usage-data/core-usage-data-server-mocks/kibana.jsonc
@@ -1,5 +1,6 @@
 {
 "type": "shared-common",
 "id": "@kbn/core-usage-data-server-mocks",
+ "devOnly": true,
 "owner": "@elastic/kibana-core"
 }
diff --git a/packages/kbn-babel-preset/node_preset.js b/packages/kbn-babel-preset/node_preset.js
index 54efea1cebb5a..0d8173308bd78 100644
--- a/packages/kbn-babel-preset/node_preset.js
+++ b/packages/kbn-babel-preset/node_preset.js
@@ -31,7 +31,7 @@ module.exports = (_, options = {}) => { // Because of that we should use for that value the same version we install // in the package.json in order to have the same polyfills between the environment // and the tests - corejs: '3.27.1', + corejs: '3.27.2', bugfixes: true, ...(options['@babel/preset-env'] || {}), diff --git a/packages/kbn-babel-preset/webpack_preset.js b/packages/kbn-babel-preset/webpack_preset.js index 7dfe996b91faf..ddcc165c5a9e2 100644 --- a/packages/kbn-babel-preset/webpack_preset.js +++ b/packages/kbn-babel-preset/webpack_preset.js @@ -19,7 +19,7 @@ module.exports = (api, options = {}) => { modules: false, // Please read the explanation for this // in node_preset.js - corejs: '3.27.1', + corejs: '3.27.2', bugfixes: true, browserslistEnv: api.env('production') ? 'production' : 'dev', }, diff --git a/packages/kbn-ci-stats-shipper-cli/README.md b/packages/kbn-ci-stats-shipper-cli/README.md new file mode 100644 index 0000000000000..ee25c556845cf --- /dev/null +++ b/packages/kbn-ci-stats-shipper-cli/README.md @@ -0,0 +1,5 @@ +# @kbn/ci-stats-shipper-cli + +Simple CLI that runs in CI to ship the metrics produced by the build process. We used to ship these metrics as part of the build, but in order to enable distributed caching of optimizer bundles (which we still don't do) we broke the metrics out of the build and write them to disk instead, to be shipped at a later time. + +Run `node scripts/ship_ci_stats --help` for usage information. \ No newline at end of file diff --git a/packages/kbn-ecs/src/ecs/vlan.ts b/packages/kbn-ci-stats-shipper-cli/jest.config.js similarity index 71% rename from packages/kbn-ecs/src/ecs/vlan.ts rename to packages/kbn-ci-stats-shipper-cli/jest.config.js index e2a45f30cb484..ef7da75f533e0 100644 --- a/packages/kbn-ecs/src/ecs/vlan.ts +++ b/packages/kbn-ci-stats-shipper-cli/jest.config.js 
@@ -6,12 +6,8 @@ * Side Public License, v 1. */ -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-vlan.html - * - * @internal - */ -export interface EcsVlan { - id?: string; - name?: string; -} +module.exports = { + preset: '@kbn/test/jest_node', + rootDir: '../..', + roots: ['/packages/kbn-ci-stats-shipper-cli'], +}; diff --git a/packages/kbn-ci-stats-shipper-cli/kibana.jsonc b/packages/kbn-ci-stats-shipper-cli/kibana.jsonc new file mode 100644 index 0000000000000..725b15f63e988 --- /dev/null +++ b/packages/kbn-ci-stats-shipper-cli/kibana.jsonc @@ -0,0 +1,6 @@ +{ + "type": "shared-common", + "id": "@kbn/ci-stats-shipper-cli", + "owner": "@elastic/kibana-operations", + "devOnly": true +} diff --git a/packages/kbn-ci-stats-shipper-cli/package.json b/packages/kbn-ci-stats-shipper-cli/package.json new file mode 100644 index 0000000000000..249e9cb36373c --- /dev/null +++ b/packages/kbn-ci-stats-shipper-cli/package.json @@ -0,0 +1,7 @@ +{ + "name": "@kbn/ci-stats-shipper-cli", + "private": true, + "version": "1.0.0", + "license": "SSPL-1.0 OR Elastic License 2.0", + "main": "./ship_ci_stats_cli" +} \ No newline at end of file diff --git a/packages/kbn-ci-stats-shipper-cli/ship_ci_stats_cli.ts b/packages/kbn-ci-stats-shipper-cli/ship_ci_stats_cli.ts new file mode 100644 index 0000000000000..216a3c5bd04a3 --- /dev/null +++ b/packages/kbn-ci-stats-shipper-cli/ship_ci_stats_cli.ts 
@@ -0,0 +1,77 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import Path from 'path'; +import Fs from 'fs'; + +import { CiStatsReporter, CiStatsMetric } from '@kbn/ci-stats-reporter'; + +import { createFailError } from '@kbn/dev-cli-errors'; +import { run } from '@kbn/dev-cli-runner'; + +run( + async ({ log, flagsReader }) => { + const validate = flagsReader.boolean('validate'); + const metricPaths = flagsReader.arrayOfStrings('metrics') ?? []; + + const maybeFail = (message: string) => { + const error = createFailError(message); + if (process.env.IGNORE_SHIP_CI_STATS_ERROR === 'true') { + error.exitCode = 0; + } + return error; + }; + + const reporter = CiStatsReporter.fromEnv(log); + + if (!reporter.isEnabled()) { + throw maybeFail('unable to initilize the CI Stats reporter'); + } + + const overLimit: string[] = []; + + for (const path of metricPaths) { + // resolve path from CLI relative to CWD + const abs = Path.resolve(path); + const json = Fs.readFileSync(abs, 'utf8'); + const metrics: CiStatsMetric[] = JSON.parse(json); + if (await reporter.metrics(metrics)) { + log.success('shipped metrics from', path); + } else { + throw maybeFail('failed to ship metrics'); + } + + for (const metric of metrics) { + if (metric.limit !== undefined && metric.limit < metric.value) { + overLimit.push( + `${metric.group} > ${metric.id} with value of ${metric.value} is greater than the limit of ${metric.limit}` + ); + } + } + } + + if (validate && overLimit.length) { + throw maybeFail(`Metric overages:\n${overLimit.map((l) => ` ${l}`).join('\n')}`); + } + }, + { + description: 'ship ci-stats which have been written to files', + usage: `node scripts/ship_ci_stats`, + 
log: { + defaultLevel: 'debug', + }, + flags: { + string: ['metrics'], + boolean: ['validate'], + help: ` + --metrics [path] A path to a JSON file that includes metrics which should be sent. Multiple instances supported + --validate When passed, the process will exit with an error message and a non-zero exit status if any of the bundle limits are exceeded. + `, + }, + } +); diff --git a/packages/kbn-ci-stats-shipper-cli/tsconfig.json b/packages/kbn-ci-stats-shipper-cli/tsconfig.json new file mode 100644 index 0000000000000..ded872f5961b3 --- /dev/null +++ b/packages/kbn-ci-stats-shipper-cli/tsconfig.json @@ -0,0 +1,21 @@ +{ + "extends": "../../tsconfig.base.json", + "compilerOptions": { + "outDir": "target/types", + "types": [ + "jest", + "node" + ] + }, + "include": [ + "**/*.ts", + ], + "exclude": [ + "target/**/*" + ], + "kbn_references": [ + "@kbn/ci-stats-reporter", + "@kbn/dev-cli-errors", + "@kbn/dev-cli-runner", + ] +} diff --git a/packages/kbn-dev-utils/index.ts b/packages/kbn-dev-utils/index.ts index c1ee96a2a35ab..86bdafebccf97 100644 --- a/packages/kbn-dev-utils/index.ts +++ b/packages/kbn-dev-utils/index.ts @@ -20,7 +20,6 @@ export { KBN_P12_PASSWORD, } from './src/certs'; export * from './src/axios'; -export * from './src/ship_ci_stats_cli'; export * from './src/plugin_list'; export * from './src/streams'; export * from './src/extract'; diff --git a/packages/kbn-dev-utils/src/ship_ci_stats_cli.ts b/packages/kbn-dev-utils/src/ship_ci_stats_cli.ts deleted file mode 100644 index 6f80a22a32ed9..0000000000000 --- a/packages/kbn-dev-utils/src/ship_ci_stats_cli.ts +++ /dev/null 
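Review bot: In the new ship_ci_stats_cli.ts, the `--validate` overage error is thrown through `maybeFail`, so `IGNORE_SHIP_CI_STATS_ERROR=true` sets its `exitCode` to 0 just as it does for shipping failures; presumably the process then exits successfully and an over-limit bundle passes the gate. Keep the override for reporter and shipping errors only, and change the overage line from `throw maybeFail(` to `throw createFailError(`. Separately, `flagsReader.arrayOfStrings('metrics') ?? []` lets a run with no `--metrics` finish without checking anything, where the removed implementation raised a flag error. The `JSON.parse` result is also cast to `CiStatsMetric[]` unchecked, so an `if (!Array.isArray(metrics)) throw createFailError(...)` guard before the loop would turn a malformed file into a clear failure.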
@@ -1,66 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import Path from 'path'; -import Fs from 'fs'; - -import { CiStatsReporter } from '@kbn/ci-stats-reporter'; - -import { createFlagError, createFailError } from '@kbn/dev-cli-errors'; -import { run } from '@kbn/dev-cli-runner'; - -export function shipCiStatsCli() { - run( - async ({ log, flags }) => { - let metricPaths = flags.metrics; - if (typeof metricPaths === 'string') { - metricPaths = [metricPaths]; - } else if (!Array.isArray(metricPaths) || !metricPaths.every((p) => typeof p === 'string')) { - throw createFlagError('expected --metrics to be a string'); - } - - const maybeFail = (message: string) => { - const error = createFailError(message); - if (process.env.IGNORE_SHIP_CI_STATS_ERROR === 'true') { - error.exitCode = 0; - } - return error; - }; - - const reporter = CiStatsReporter.fromEnv(log); - - if (!reporter.isEnabled()) { - throw maybeFail('unable to initilize the CI Stats reporter'); - } - - for (const path of metricPaths) { - // resolve path from CLI relative to CWD - const abs = Path.resolve(path); - const json = Fs.readFileSync(abs, 'utf8'); - if (await reporter.metrics(JSON.parse(json))) { - log.success('shipped metrics from', path); - } else { - throw maybeFail('failed to ship metrics'); - } - } - }, - { - description: 'ship ci-stats which have been written to files', - usage: `node scripts/ship_ci_stats`, - log: { - defaultLevel: 'debug', - }, - flags: { - string: ['metrics'], - help: ` - --metrics [path] A path to a JSON file that includes metrics which should be sent. Multiple instances supported - `, - }, - } - ); -} 
diff --git a/packages/kbn-dev-utils/tsconfig.json b/packages/kbn-dev-utils/tsconfig.json index a4ad2f1db3a71..d66b40e46e31a 100644 --- a/packages/kbn-dev-utils/tsconfig.json +++ b/packages/kbn-dev-utils/tsconfig.json @@ -14,7 +14,6 @@ "@kbn/dev-cli-runner", "@kbn/dev-cli-errors", "@kbn/plugin-discovery", - "@kbn/ci-stats-reporter", "@kbn/repo-info", ], "exclude": [ diff --git a/packages/kbn-ecs/README.md b/packages/kbn-ecs/README.md index 8e57bb8f56691..7034a25d0108f 100644 --- a/packages/kbn-ecs/README.md +++ b/packages/kbn-ecs/README.md @@ -2,4 +2,6 @@ Base types for Elastic common schema. These types are used for `logging` and any extensions to the types declared in this package need to be in their own dedicated packages. -https://www.elastic.co/guide/en/ecs/current/index.html \ No newline at end of file +https://www.elastic.co/guide/en/ecs/current/index.html + +Type definitions are autogenerated with https://github.com/elastic/ecs-typescript \ No newline at end of file diff --git a/packages/kbn-ecs/generated/agent.ts b/packages/kbn-ecs/generated/agent.ts new file mode 100644 index 0000000000000..8c38bfdc09e4f --- /dev/null +++ b/packages/kbn-ecs/generated/agent.ts 
@@ -0,0 +1,46 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. + * Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + */ +export interface EcsAgent { + build?: { + /** + * Extended build information for the agent. + * This field is intended to contain any build information that a data source may provide, no specific formatting is required. + */ + original?: string; + }; + + /** + * Ephemeral identifier of this agent (if one exists). + * This id normally changes across restarts, but `agent.id` does not. + */ + ephemeral_id?: string; + /** + * Unique identifier of this agent (if one exists). + * Example: For Beats this would be beat.id. + */ + id?: string; + /** + * Custom name of the agent. + * This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. + */ + name?: string; + /** + * Type of the agent. + * The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + */ + type?: string; + /** + * Version of the agent. + */ + version?: string; +} 
diff --git a/packages/kbn-ecs/generated/as.ts b/packages/kbn-ecs/generated/as.ts new file mode 100644 index 0000000000000..7b1b78e45d3dd --- /dev/null +++ b/packages/kbn-ecs/generated/as.ts @@ -0,0 +1,23 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. + */ +export interface EcsAs { + /** + * Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + */ + number?: number; + organization?: { + /** + * Organization name. + */ + name?: string; + }; +} diff --git a/packages/kbn-ecs/generated/base.ts b/packages/kbn-ecs/generated/base.ts new file mode 100644 index 0000000000000..f9568a9f5b957 --- /dev/null +++ b/packages/kbn-ecs/generated/base.ts 
@@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The `base` field set contains all fields which are at the root of the events. These fields are common across all types of events. + */ +export interface EcsBase { + /** + * Date/time when the event originated. + * This is the date/time extracted from the event, typically representing when the event was generated by the source. + * If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + * Required field for all events. + */ + '@timestamp': string; + /** + * Custom key/value pairs. + * Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + * Example: `docker` and `k8s` labels. + */ + labels?: Record; + /** + * For log events the message field contains the log message, optimized for viewing in a log viewer. + * For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + * If multiple messages exist, they can be combined into one message. + */ + message?: string; + /** + * List of keywords used to tag each event. + */ + tags?: string[]; +} diff --git a/packages/kbn-ecs/generated/client.ts b/packages/kbn-ecs/generated/client.ts new file mode 100644 index 0000000000000..21fe4898e2c9e --- /dev/null +++ b/packages/kbn-ecs/generated/client.ts 
@@ -0,0 +1,186 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. + * For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. + * Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + */ +export interface EcsClient { + /** + * Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + * Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + */ + address?: string; + as?: { + /** + * Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + */ + number?: number; + organization?: { + /** + * Organization name. + */ + name?: string; + }; + }; + + /** + * Bytes sent from the client to the server. 
+ */ + bytes?: number; + /** + * The domain name of the client system. + * This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + */ + domain?: string; + geo?: { + /** + * City name. + */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. + * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. + */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; + }; + + /** + * IP address of the client (IPv4 or IPv6). + */ + ip?: string; + /** + * MAC address of the client. + * The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + */ + mac?: string; + nat?: { + /** + * Translated IP of source based NAT sessions (e.g. internal client to internet). + * Typically connections traversing load balancers, firewalls, or routers. 
+ */ + ip?: string; + /** + * Translated port of source based NAT sessions (e.g. internal client to internet). + * Typically connections traversing load balancers, firewalls, or routers. + */ + port?: number; + }; + + /** + * Packets sent from the client to the server. + */ + packets?: number; + /** + * Port of the client. + */ + port?: number; + /** + * The highest registered client domain, stripped of the subdomain. + * For example, the registered domain for "foo.example.com" is "example.com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + */ + registered_domain?: string; + /** + * The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + * For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + */ + subdomain?: string; + /** + * The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + */ + top_level_domain?: string; + user?: { + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * User email address. 
+ */ + email?: string; + /** + * User's full name, if available. + */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + }; +} diff --git a/packages/kbn-ecs/generated/cloud.ts b/packages/kbn-ecs/generated/cloud.ts new file mode 100644 index 0000000000000..6d9e138bc1b45 --- /dev/null +++ b/packages/kbn-ecs/generated/cloud.ts 
@@ -0,0 +1,208 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields related to the cloud or infrastructure the events are coming from. + */ +export interface EcsCloud { + account?: { + /** + * The cloud account or organization id used to identify different entities in a multi-tenant environment. + * Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + */ + id?: string; + /** + * The cloud account name or alias used to identify different entities in a multi-tenant environment. + * Examples: AWS account name, Google Cloud ORG display name. + */ + name?: string; + }; + + /** + * Availability zone in which this host, resource, or service is located. + */ + availability_zone?: string; + instance?: { + /** + * Instance ID of the host machine. + */ + id?: string; + /** + * Instance name of the host machine. + */ + name?: string; + }; + + machine?: { + /** + * Machine type of the host machine. + */ + type?: string; + }; + + origin?: { + account?: { + /** + * The cloud account or organization id used to identify different entities in a multi-tenant environment. + * Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + */ + id?: string; + /** + * The cloud account name or alias used to identify different entities in a multi-tenant environment. + * Examples: AWS account name, Google Cloud ORG display name. + */ + name?: string; + }; + + /** + * Availability zone in which this host, resource, or service is located. + */ + availability_zone?: string; + instance?: { + /** + * Instance ID of the host machine. + */ + id?: string; + /** + * Instance name of the host machine. 
+ */ + name?: string; + }; + + machine?: { + /** + * Machine type of the host machine. + */ + type?: string; + }; + + project?: { + /** + * The cloud project identifier. + * Examples: Google Cloud Project id, Azure Project id. + */ + id?: string; + /** + * The cloud project name. + * Examples: Google Cloud Project name, Azure Project name. + */ + name?: string; + }; + + /** + * Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + */ + provider?: string; + /** + * Region in which this host, resource, or service is located. + */ + region?: string; + service?: { + /** + * The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. + * Examples: app engine, app service, cloud run, fargate, lambda. + */ + name?: string; + }; + }; + + project?: { + /** + * The cloud project identifier. + * Examples: Google Cloud Project id, Azure Project id. + */ + id?: string; + /** + * The cloud project name. + * Examples: Google Cloud Project name, Azure Project name. + */ + name?: string; + }; + + /** + * Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + */ + provider?: string; + /** + * Region in which this host, resource, or service is located. + */ + region?: string; + service?: { + /** + * The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. + * Examples: app engine, app service, cloud run, fargate, lambda. + */ + name?: string; + }; + + target?: { + account?: { + /** + * The cloud account or organization id used to identify different entities in a multi-tenant environment. + * Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + */ + id?: string; + /** + * The cloud account name or alias used to identify different entities in a multi-tenant environment. 
+ * Examples: AWS account name, Google Cloud ORG display name. + */ + name?: string; + }; + + /** + * Availability zone in which this host, resource, or service is located. + */ + availability_zone?: string; + instance?: { + /** + * Instance ID of the host machine. + */ + id?: string; + /** + * Instance name of the host machine. + */ + name?: string; + }; + + machine?: { + /** + * Machine type of the host machine. + */ + type?: string; + }; + + project?: { + /** + * The cloud project identifier. + * Examples: Google Cloud Project id, Azure Project id. + */ + id?: string; + /** + * The cloud project name. + * Examples: Google Cloud Project name, Azure Project name. + */ + name?: string; + }; + + /** + * Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + */ + provider?: string; + /** + * Region in which this host, resource, or service is located. + */ + region?: string; + service?: { + /** + * The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. + * Examples: app engine, app service, cloud run, fargate, lambda. + */ + name?: string; + }; + }; +} diff --git a/packages/kbn-ecs/generated/code_signature.ts b/packages/kbn-ecs/generated/code_signature.ts new file mode 100644 index 0000000000000..0a7509b175207 --- /dev/null +++ b/packages/kbn-ecs/generated/code_signature.ts 
@@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * These fields contain information about binary code signatures. + */ +export interface EcsCodeSignature { + /** + * The hashing algorithm used to sign the process. + * This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + */ + digest_algorithm?: string; + /** + * Boolean to capture if a signature is present. + */ + exists?: boolean; + /** + * The identifier used to sign the process. + * This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + */ + signing_id?: string; + /** + * Additional information about the certificate status. + * This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + */ + status?: string; + /** + * Subject name of the code signer + */ + subject_name?: string; + /** + * The team identifier used to sign the process. + * This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + */ + team_id?: string; + /** + * Date and time when the code signature was generated and signed. + */ + timestamp?: string; + /** + * Stores the trust status of the certificate chain. + * Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + */ + trusted?: boolean; + /** + * Boolean to capture if the digital signature is verified against the binary content. 
+ * Leave unpopulated if a certificate was unchecked. + */ + valid?: boolean; +} diff --git a/packages/kbn-ecs/generated/container.ts b/packages/kbn-ecs/generated/container.ts new file mode 100644 index 0000000000000..d7c760d2ca803 --- /dev/null +++ b/packages/kbn-ecs/generated/container.ts 
@@ -0,0 +1,94 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Container fields are used for meta information about the specific container that is the source of information. + * These fields help correlate data based containers from any runtime. + */ +export interface EcsContainer { + cpu?: { + /** + * Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. + */ + usage?: number; + }; + + disk?: { + read?: { + /** + * The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. + */ + bytes?: number; + }; + + write?: { + /** + * The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. + */ + bytes?: number; + }; + }; + + /** + * Unique container id. + */ + id?: string; + image?: { + hash?: { + /** + * An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. Algorithm names should align with the field names in the ECS hash field set. + */ + all?: string[]; + }; + + /** + * Name of the image the container was built on. + */ + name?: string; + /** + * Container image tags. + */ + tag?: string[]; + }; + + /** + * Image labels. + */ + labels?: Record; + memory?: { + /** + * Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000. + */ + usage?: number; + }; + + /** + * Container name. + */ + name?: string; + network?: { + egress?: { + /** + * The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection. 
+ */ + bytes?: number; + }; + + ingress?: { + /** + * The number of bytes received (gauge) on all network interfaces by the container since the last metric collection. + */ + bytes?: number; + }; + }; + + /** + * Runtime managing this container. + */ + runtime?: string; +} diff --git a/packages/kbn-ecs/generated/data_stream.ts b/packages/kbn-ecs/generated/data_stream.ts new file mode 100644 index 0000000000000..42dde7dc158cb --- /dev/null +++ b/packages/kbn-ecs/generated/data_stream.ts 
@@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The data_stream fields take part in defining the new data stream naming scheme. + * In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. + * An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. + */ +export interface EcsDataStream { + /** + * The field can contain anything that makes sense to signify the source of the data. + * Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
+ * Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: + * * Must not contain `-` + * * No longer than 100 characters + */ + dataset?: string; + /** + * A user defined namespace. Namespaces are useful to allow grouping of data. + * Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. + * Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: + * * Must not contain `-` + * * No longer than 100 characters + */ + namespace?: string; + /** + * An overarching type for the data stream. + * Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. + */ + type?: string; +} diff --git a/packages/kbn-ecs/generated/destination.ts b/packages/kbn-ecs/generated/destination.ts new file mode 100644 index 0000000000000..351e14526b9d8 --- /dev/null +++ b/packages/kbn-ecs/generated/destination.ts 
@@ -0,0 +1,185 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. + * Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. + */ +export interface EcsDestination { + /** + * Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + * Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + */ + address?: string; + as?: { + /** + * Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + */ + number?: number; + organization?: { + /** + * Organization name. + */ + name?: string; + }; + }; + + /** + * Bytes sent from the destination to the source. + */ + bytes?: number; + /** + * The domain name of the destination system. + * This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + */ + domain?: string; + geo?: { + /** + * City name. 
+ */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. + * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. + */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; + }; + + /** + * IP address of the destination (IPv4 or IPv6). + */ + ip?: string; + /** + * MAC address of the destination. + * The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + */ + mac?: string; + nat?: { + /** + * Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + * Typically used with load balancers, firewalls, or routers. + */ + ip?: string; + /** + * Port the source session is translated to by NAT Device. + * Typically used with load balancers, firewalls, or routers. + */ + port?: number; + }; + + /** + * Packets sent from the destination to the source. + */ + packets?: number; + /** + * Port of the destination. 
+ */ + port?: number; + /** + * The highest registered destination domain, stripped of the subdomain. + * For example, the registered domain for "foo.example.com" is "example.com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + */ + registered_domain?: string; + /** + * The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + * For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + */ + subdomain?: string; + /** + * The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + */ + top_level_domain?: string; + user?: { + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * User email address. + */ + email?: string; + /** + * User's full name, if available. + */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. 
+ */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + }; +} diff --git a/packages/kbn-ecs/generated/device.ts b/packages/kbn-ecs/generated/device.ts new file mode 100644 index 0000000000000..83969cc6b4a56 --- /dev/null +++ b/packages/kbn-ecs/generated/device.ts 
@@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. + * This field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/). + */ +export interface EcsDevice { + /** + * The unique identifier of a device. The identifier must not change across application sessions but stay fixex for an instance of a (mobile) device. + * On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. + * For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. + */ + id?: string; + /** + * The vendor name of the device manufacturer. + */ + manufacturer?: string; + model?: { + /** + * The machine readable identifier of the device model. + */ + identifier?: string; + /** + * The human readable marketing name of the device model. + */ + name?: string; + }; +} diff --git a/packages/kbn-ecs/generated/dll.ts b/packages/kbn-ecs/generated/dll.ts new file mode 100644 index 0000000000000..aec7584e5e937 --- /dev/null +++ b/packages/kbn-ecs/generated/dll.ts 
@@ -0,0 +1,139 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * These fields contain information about code libraries dynamically loaded into processes. + * + * Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: + * * Dynamic-link library (`.dll`) commonly used on Windows + * * Shared Object (`.so`) commonly used on Unix-like operating systems + * * Dynamic library (`.dylib`) commonly used on macOS + */ +export interface EcsDll { + code_signature?: { + /** + * The hashing algorithm used to sign the process. + * This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + */ + digest_algorithm?: string; + /** + * Boolean to capture if a signature is present. + */ + exists?: boolean; + /** + * The identifier used to sign the process. + * This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + */ + signing_id?: string; + /** + * Additional information about the certificate status. + * This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + */ + status?: string; + /** + * Subject name of the code signer + */ + subject_name?: string; + /** + * The team identifier used to sign the process. + * This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + */ + team_id?: string; + /** + * Date and time when the code signature was generated and signed. 
+ */ + timestamp?: string; + /** + * Stores the trust status of the certificate chain. + * Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + */ + trusted?: boolean; + /** + * Boolean to capture if the digital signature is verified against the binary content. + * Leave unpopulated if a certificate was unchecked. + */ + valid?: boolean; + }; + + hash?: { + /** + * MD5 hash. + */ + md5?: string; + /** + * SHA1 hash. + */ + sha1?: string; + /** + * SHA256 hash. + */ + sha256?: string; + /** + * SHA384 hash. + */ + sha384?: string; + /** + * SHA512 hash. + */ + sha512?: string; + /** + * SSDEEP hash. + */ + ssdeep?: string; + /** + * TLSH hash. + */ + tlsh?: string; + }; + + /** + * Name of the library. + * This generally maps to the name of the file on disk. + */ + name?: string; + /** + * Full file path of the library. + */ + path?: string; + pe?: { + /** + * CPU architecture target for the file. + */ + architecture?: string; + /** + * Internal company name of the file, provided at compile-time. + */ + company?: string; + /** + * Internal description of the file, provided at compile-time. + */ + description?: string; + /** + * Internal version of the file, provided at compile-time. + */ + file_version?: string; + /** + * A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + */ + imphash?: string; + /** + * Internal name of the file, provided at compile-time. + */ + original_file_name?: string; + /** + * A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. 
+ * Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + */ + pehash?: string; + /** + * Internal product name of the file, provided at compile-time. + */ + product?: string; + }; +} diff --git a/packages/kbn-ecs/generated/dns.ts b/packages/kbn-ecs/generated/dns.ts new file mode 100644 index 0000000000000..e2a8b122d3308 --- /dev/null +++ b/packages/kbn-ecs/generated/dns.ts 
@@ -0,0 +1,79 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields describing DNS queries and answers. + * DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). + */ +export interface EcsDns { + /** + * An array containing an object for each answer section returned by the server. + * The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + * Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + */ + answers?: Array>; + /** + * Array of 2 letter DNS header flags. + */ + header_flags?: string[]; + /** + * The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + */ + id?: string; + /** + * The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + */ + op_code?: string; + question?: { + /** + * The class of records being queried. + */ + class?: string; + /** + * The name being queried. + * If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. 
Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + */ + name?: string; + /** + * The highest registered domain, stripped of the subdomain. + * For example, the registered domain for "foo.example.com" is "example.com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + */ + registered_domain?: string; + /** + * The subdomain is all of the labels under the registered_domain. + * If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + */ + subdomain?: string; + /** + * The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + */ + top_level_domain?: string; + /** + * The type of record being queried. + */ + type?: string; + }; + + /** + * Array containing all IPs seen in `answers.data`. + * The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + */ + resolved_ip?: string[]; + /** + * The DNS response code. + */ + response_code?: string; + /** + * The type of DNS event captured, query or answer. + * If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. 
+ * If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + */ + type?: string; +} diff --git a/packages/kbn-ecs/generated/ecs.ts b/packages/kbn-ecs/generated/ecs.ts new file mode 100644 index 0000000000000..995c86f910e04 --- /dev/null +++ b/packages/kbn-ecs/generated/ecs.ts @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Meta-information specific to ECS. + */ +export interface EcsEcs { + /** + * ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + * When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + */ + version: '8.6.0'; +} diff --git a/packages/kbn-ecs/generated/ecs_flat.ts b/packages/kbn-ecs/generated/ecs_flat.ts new file mode 100644 index 0000000000000..63ce568d0d6f5 --- /dev/null +++ b/packages/kbn-ecs/generated/ecs_flat.ts 
@@ -0,0 +1,19303 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export const EcsFlat = { + '@timestamp': { + dashed_name: 'timestamp', + description: + 'Date/time when the event originated.\nThis is the date/time extracted from the event, typically representing when the event was generated by the source.\nIf the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.\nRequired field for all events.', + example: '2016-05-23T08:05:34.853Z', + flat_name: '@timestamp', + level: 'core', + name: '@timestamp', + normalize: [], + required: true, + short: 'Date/time when the event originated.', + type: 'date', + }, + 'agent.build.original': { + dashed_name: 'agent-build-original', + description: + 'Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required.', + example: + 'metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]', + flat_name: 'agent.build.original', + ignore_above: 1024, + level: 'core', + name: 'build.original', + normalize: [], + short: 'Extended build information for the agent.', + type: 'keyword', + }, + 'agent.ephemeral_id': { + dashed_name: 'agent-ephemeral-id', + description: + 'Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not.', + example: '8a4f500f', + flat_name: 'agent.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + short: 'Ephemeral identifier of this agent.', + 
type: 'keyword', + }, + 'agent.id': { + dashed_name: 'agent-id', + description: + 'Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id.', + example: '8a4f500d', + flat_name: 'agent.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of this agent.', + type: 'keyword', + }, + 'agent.name': { + dashed_name: 'agent-name', + description: + 'Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.', + example: 'foo', + flat_name: 'agent.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Custom name of the agent.', + type: 'keyword', + }, + 'agent.type': { + dashed_name: 'agent-type', + description: + 'Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', + example: 'filebeat', + flat_name: 'agent.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'Type of the agent.', + type: 'keyword', + }, + 'agent.version': { + dashed_name: 'agent-version', + description: 'Version of the agent.', + example: '6.0.0-rc2', + flat_name: 'agent.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Version of the agent.', + type: 'keyword', + }, + 'client.address': { + dashed_name: 'client-address', + description: + 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'client.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Client network address.', + type: 'keyword', + }, + 'client.as.number': { + dashed_name: 'client-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'client.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'client.as.organization.name': { + dashed_name: 'client-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'client.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'client.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'client.bytes': { + dashed_name: 'client-bytes', + description: 'Bytes sent from the client to the server.', + example: 184, + flat_name: 'client.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the client to the server.', + type: 'long', + }, + 'client.domain': { + dashed_name: 'client-domain', + description: + 'The domain name of the client system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'client.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the client.', + type: 'keyword', + }, + 'client.geo.city_name': { + dashed_name: 'client-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'client.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'client.geo.continent_code': { + dashed_name: 'client-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'client.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'client.geo.continent_name': { + dashed_name: 'client-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'client.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'client.geo.country_iso_code': { + dashed_name: 'client-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'client.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'client.geo.country_name': { + dashed_name: 'client-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'client.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'client.geo.location': { 
+ dashed_name: 'client-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'client.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'client.geo.name': { + dashed_name: 'client-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'client.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'client.geo.postal_code': { + dashed_name: 'client-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'client.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'client.geo.region_iso_code': { + dashed_name: 'client-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'client.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'client.geo.region_name': { + dashed_name: 'client-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'client.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'client.geo.timezone': { + dashed_name: 'client-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'client.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'client.ip': { + dashed_name: 'client-ip', + description: 'IP address of the client (IPv4 or IPv6).', + flat_name: 'client.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the client.', + type: 'ip', + }, + 'client.mac': { + dashed_name: 'client-mac', + description: + 'MAC address of the client.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'client.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the client.', + type: 'keyword', + }, + 'client.nat.ip': { + dashed_name: 'client-nat-ip', + description: + 'Translated IP of source based NAT sessions (e.g. internal client to internet).\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'client.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Client NAT ip address', + type: 'ip', + }, + 'client.nat.port': { + dashed_name: 'client-nat-port', + description: + 'Translated port of source based NAT sessions (e.g. 
internal client to internet).\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'client.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Client NAT port', + type: 'long', + }, + 'client.packets': { + dashed_name: 'client-packets', + description: 'Packets sent from the client to the server.', + example: 12, + flat_name: 'client.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the client to the server.', + type: 'long', + }, + 'client.port': { + dashed_name: 'client-port', + description: 'Port of the client.', + flat_name: 'client.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the client.', + type: 'long', + }, + 'client.registered_domain': { + dashed_name: 'client-registered-domain', + description: + 'The highest registered client domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'client.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered client domain, stripped of the subdomain.', + type: 'keyword', + }, + 'client.subdomain': { + dashed_name: 'client-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'client.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'client.top_level_domain': { + dashed_name: 'client-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'client.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'client.user.domain': { + dashed_name: 'client-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'client.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'client.user.email': { + dashed_name: 'client-user-email', + description: 'User email address.', + flat_name: 'client.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'client.user.full_name': { + dashed_name: 'client-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'client.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'client.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'client.user.group.domain': { + dashed_name: 'client-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'client.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'client.user.group.id': { + dashed_name: 'client-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'client.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'client.user.group.name': { + dashed_name: 'client-user-group-name', + description: 'Name of the group.', + flat_name: 'client.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'client.user.hash': { + dashed_name: 'client-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'client.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'client.user.id': { + dashed_name: 'client-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'client.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'client.user.name': { + dashed_name: 'client-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'client.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'client.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'client.user.roles': { + dashed_name: 'client-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'client.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'cloud.account.id': { + dashed_name: 'cloud-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.account.name': { + dashed_name: 'cloud-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + flat_name: 'cloud.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + short: 'The cloud account name.', 
+ type: 'keyword', + }, + 'cloud.availability_zone': { + dashed_name: 'cloud-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.instance.id': { + dashed_name: 'cloud-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + short: 'Instance ID of the host machine.', + type: 'keyword', + }, + 'cloud.instance.name': { + dashed_name: 'cloud-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.machine.type': { + dashed_name: 'cloud-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.machine.type', + ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.origin.account.id': { + dashed_name: 'cloud-origin-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.origin.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.origin.account.name': { + dashed_name: 
'cloud-origin-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + flat_name: 'cloud.origin.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.origin.availability_zone': { + dashed_name: 'cloud-origin-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.origin.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + original_fieldset: 'cloud', + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.origin.instance.id': { + dashed_name: 'cloud-origin-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.origin.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance ID of the host machine.', + type: 'keyword', + }, + 'cloud.origin.instance.name': { + dashed_name: 'cloud-origin-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.origin.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.origin.machine.type': { + dashed_name: 'cloud-origin-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.origin.machine.type', + ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + original_fieldset: 'cloud', + short: 'Machine type 
of the host machine.', + type: 'keyword', + }, + 'cloud.origin.project.id': { + dashed_name: 'cloud-origin-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.origin.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.origin.project.name': { + dashed_name: 'cloud-origin-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.origin.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project name.', + type: 'keyword', + }, + 'cloud.origin.provider': { + dashed_name: 'cloud-origin-provider', + description: 'Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.origin.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + original_fieldset: 'cloud', + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.origin.region': { + dashed_name: 'cloud-origin-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.origin.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + original_fieldset: 'cloud', + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.origin.service.name': { + dashed_name: 'cloud-origin-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud 
run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.origin.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud service name.', + type: 'keyword', + }, + 'cloud.project.id': { + dashed_name: 'cloud-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.project.name': { + dashed_name: 'cloud-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + short: 'The cloud project name.', + type: 'keyword', + }, + 'cloud.provider': { + dashed_name: 'cloud-provider', + description: 'Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.region': { + dashed_name: 'cloud-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.service.name': { + dashed_name: 'cloud-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + short: 'The cloud service name.', + type: 'keyword', + }, + 'cloud.target.account.id': { + dashed_name: 'cloud-target-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.target.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.target.account.name': { + dashed_name: 'cloud-target-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + flat_name: 'cloud.target.account.name', + ignore_above: 1024, 
+ level: 'extended', + name: 'account.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.target.availability_zone': { + dashed_name: 'cloud-target-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.target.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + original_fieldset: 'cloud', + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.target.instance.id': { + dashed_name: 'cloud-target-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.target.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance ID of the host machine.', + type: 'keyword', + }, + 'cloud.target.instance.name': { + dashed_name: 'cloud-target-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.target.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.target.machine.type': { + dashed_name: 'cloud-target-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.target.machine.type', + ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + original_fieldset: 'cloud', + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.target.project.id': { + dashed_name: 'cloud-target-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.target.project.id', + 
ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.target.project.name': { + dashed_name: 'cloud-target-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.target.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project name.', + type: 'keyword', + }, + 'cloud.target.provider': { + dashed_name: 'cloud-target-provider', + description: 'Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.target.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + original_fieldset: 'cloud', + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.target.region': { + dashed_name: 'cloud-target-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.target.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + original_fieldset: 'cloud', + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.target.service.name': { + dashed_name: 'cloud-target-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.target.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud service name.', + type: 'keyword', + }, + 'container.cpu.usage': { + 
dashed_name: 'container-cpu-usage', + description: + 'Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.', + flat_name: 'container.cpu.usage', + level: 'extended', + name: 'cpu.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent CPU used, between 0 and 1.', + type: 'scaled_float', + }, + 'container.disk.read.bytes': { + dashed_name: 'container-disk-read-bytes', + description: + 'The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'container.disk.read.bytes', + level: 'extended', + name: 'disk.read.bytes', + normalize: [], + short: 'The number of bytes read by all disks.', + type: 'long', + }, + 'container.disk.write.bytes': { + dashed_name: 'container-disk-write-bytes', + description: + 'The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'container.disk.write.bytes', + level: 'extended', + name: 'disk.write.bytes', + normalize: [], + short: 'The number of bytes written on all disks.', + type: 'long', + }, + 'container.id': { + dashed_name: 'container-id', + description: 'Unique container id.', + flat_name: 'container.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique container id.', + type: 'keyword', + }, + 'container.image.hash.all': { + dashed_name: 'container-image-hash-all', + description: + 'An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. 
Algorithm names should align with the field names in the ECS hash field set.', + example: '[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]', + flat_name: 'container.image.hash.all', + ignore_above: 1024, + level: 'extended', + name: 'image.hash.all', + normalize: ['array'], + short: 'An array of digests of the image the container was built on.', + type: 'keyword', + }, + 'container.image.name': { + dashed_name: 'container-image-name', + description: 'Name of the image the container was built on.', + flat_name: 'container.image.name', + ignore_above: 1024, + level: 'extended', + name: 'image.name', + normalize: [], + short: 'Name of the image the container was built on.', + type: 'keyword', + }, + 'container.image.tag': { + dashed_name: 'container-image-tag', + description: 'Container image tags.', + flat_name: 'container.image.tag', + ignore_above: 1024, + level: 'extended', + name: 'image.tag', + normalize: ['array'], + short: 'Container image tags.', + type: 'keyword', + }, + 'container.labels': { + dashed_name: 'container-labels', + description: 'Image labels.', + flat_name: 'container.labels', + level: 'extended', + name: 'labels', + normalize: [], + object_type: 'keyword', + short: 'Image labels.', + type: 'object', + }, + 'container.memory.usage': { + dashed_name: 'container-memory-usage', + description: 'Memory usage percentage and it ranges from 0 to 1. 
Scaling factor: 1000.', + flat_name: 'container.memory.usage', + level: 'extended', + name: 'memory.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent memory used, between 0 and 1.', + type: 'scaled_float', + }, + 'container.name': { + dashed_name: 'container-name', + description: 'Container name.', + flat_name: 'container.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Container name.', + type: 'keyword', + }, + 'container.network.egress.bytes': { + dashed_name: 'container-network-egress-bytes', + description: + 'The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.', + flat_name: 'container.network.egress.bytes', + level: 'extended', + name: 'network.egress.bytes', + normalize: [], + short: 'The number of bytes sent on all network interfaces.', + type: 'long', + }, + 'container.network.ingress.bytes': { + dashed_name: 'container-network-ingress-bytes', + description: + 'The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.', + flat_name: 'container.network.ingress.bytes', + level: 'extended', + name: 'network.ingress.bytes', + normalize: [], + short: 'The number of bytes received on all network interfaces.', + type: 'long', + }, + 'container.runtime': { + dashed_name: 'container-runtime', + description: 'Runtime managing this container.', + example: 'docker', + flat_name: 'container.runtime', + ignore_above: 1024, + level: 'extended', + name: 'runtime', + normalize: [], + short: 'Runtime managing this container.', + type: 'keyword', + }, + 'data_stream.dataset': { + dashed_name: 'data-stream-dataset', + description: + 'The field can contain anything that makes sense to signify the source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. 
`event.dataset` should have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters', + example: 'nginx.access', + flat_name: 'data_stream.dataset', + level: 'extended', + name: 'dataset', + normalize: [], + short: 'The field can contain anything that makes sense to signify the source of the data.', + type: 'constant_keyword', + }, + 'data_stream.namespace': { + dashed_name: 'data-stream-namespace', + description: + 'A user defined namespace. Namespaces are useful to allow grouping of data.\nMany users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.\nBeyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters', + example: 'production', + flat_name: 'data_stream.namespace', + level: 'extended', + name: 'namespace', + normalize: [], + short: 'A user defined namespace. Namespaces are useful to allow grouping of data.', + type: 'constant_keyword', + }, + 'data_stream.type': { + dashed_name: 'data-stream-type', + description: + 'An overarching type for the data stream.\nCurrently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.', + example: 'logs', + flat_name: 'data_stream.type', + level: 'extended', + name: 'type', + normalize: [], + short: 'An overarching type for the data stream.', + type: 'constant_keyword', + }, + 'destination.address': { + dashed_name: 'destination-address', + description: + 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'destination.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Destination network address.', + type: 'keyword', + }, + 'destination.as.number': { + dashed_name: 'destination-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'destination.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'destination.as.organization.name': { + dashed_name: 'destination-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'destination.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'destination.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'destination.bytes': { + dashed_name: 'destination-bytes', + description: 'Bytes sent from the destination to the source.', + example: 184, + flat_name: 'destination.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the destination to the source.', + type: 'long', + }, + 'destination.domain': { + dashed_name: 'destination-domain', + description: + 'The domain name of the destination system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'destination.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the destination.', + type: 'keyword', + }, + 'destination.geo.city_name': { + dashed_name: 'destination-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'destination.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'destination.geo.continent_code': { + dashed_name: 'destination-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'destination.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'destination.geo.continent_name': { + dashed_name: 'destination-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'destination.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'destination.geo.country_iso_code': { + dashed_name: 'destination-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'destination.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'destination.geo.country_name': { + dashed_name: 'destination-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'destination.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + 
original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'destination.geo.location': { + dashed_name: 'destination-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'destination.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'destination.geo.name': { + dashed_name: 'destination-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'destination.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'destination.geo.postal_code': { + dashed_name: 'destination-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'destination.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'destination.geo.region_iso_code': { + dashed_name: 'destination-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'destination.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'destination.geo.region_name': { + dashed_name: 'destination-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 
'destination.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'destination.geo.timezone': { + dashed_name: 'destination-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'destination.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'destination.ip': { + dashed_name: 'destination-ip', + description: 'IP address of the destination (IPv4 or IPv6).', + flat_name: 'destination.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the destination.', + type: 'ip', + }, + 'destination.mac': { + dashed_name: 'destination-mac', + description: + 'MAC address of the destination.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'destination.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the destination.', + type: 'keyword', + }, + 'destination.nat.ip': { + dashed_name: 'destination-nat-ip', + description: + 'Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'destination.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Destination NAT ip', + type: 'ip', + }, + 'destination.nat.port': { + dashed_name: 'destination-nat-port', + description: + 'Port the source session is translated to by NAT Device.\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'destination.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Destination NAT Port', + type: 'long', + }, + 'destination.packets': { + dashed_name: 'destination-packets', + description: 'Packets sent from the destination to the source.', + example: 12, + flat_name: 'destination.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the destination to the source.', + type: 'long', + }, + 'destination.port': { + dashed_name: 'destination-port', + description: 'Port of the destination.', + flat_name: 'destination.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the destination.', + type: 'long', + }, + 'destination.registered_domain': { + dashed_name: 'destination-registered-domain', + description: + 'The highest registered destination domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'destination.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered destination domain, stripped of the subdomain.', + type: 'keyword', + }, + 'destination.subdomain': { + dashed_name: 'destination-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'destination.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'destination.top_level_domain': { + dashed_name: 'destination-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'destination.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'destination.user.domain': { + dashed_name: 'destination-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'destination.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'destination.user.email': { + dashed_name: 'destination-user-email', + description: 'User email address.', + flat_name: 'destination.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'destination.user.full_name': { + dashed_name: 'destination-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'destination.user.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'destination.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'destination.user.group.domain': { + dashed_name: 'destination-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'destination.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the 
group is a member of.', + type: 'keyword', + }, + 'destination.user.group.id': { + dashed_name: 'destination-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'destination.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'destination.user.group.name': { + dashed_name: 'destination-user-group-name', + description: 'Name of the group.', + flat_name: 'destination.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'destination.user.hash': { + dashed_name: 'destination-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'destination.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'destination.user.id': { + dashed_name: 'destination-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'destination.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'destination.user.name': { + dashed_name: 'destination-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'destination.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'destination.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + 
normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'destination.user.roles': { + dashed_name: 'destination-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'destination.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'device.id': { + dashed_name: 'device-id', + description: + 'The unique identifier of a device. The identifier must not change across application sessions but stay fixex for an instance of a (mobile) device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application.\nFor GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user.', + example: '00000000-54b3-e7c7-0000-000046bffd97', + flat_name: 'device.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'The unique identifier of a device.', + type: 'keyword', + }, + 'device.manufacturer': { + dashed_name: 'device-manufacturer', + description: 'The vendor name of the device manufacturer.', + example: 'Samsung', + flat_name: 'device.manufacturer', + ignore_above: 1024, + level: 'extended', + name: 'manufacturer', + normalize: [], + short: 'The vendor name of the device manufacturer.', + type: 'keyword', + }, + 'device.model.identifier': { + dashed_name: 'device-model-identifier', + description: 'The machine readable identifier of the device model.', + example: 'SM-G920F', + flat_name: 'device.model.identifier', + ignore_above: 1024, + level: 'extended', + name: 
'model.identifier', + normalize: [], + short: 'The machine readable identifier of the device model.', + type: 'keyword', + }, + 'device.model.name': { + dashed_name: 'device-model-name', + description: 'The human readable marketing name of the device model.', + example: 'Samsung Galaxy S6', + flat_name: 'device.model.name', + ignore_above: 1024, + level: 'extended', + name: 'model.name', + normalize: [], + short: 'The human readable marketing name of the device model.', + type: 'keyword', + }, + 'dll.code_signature.digest_algorithm': { + dashed_name: 'dll-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'dll.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.exists': { + dashed_name: 'dll-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'dll.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'dll.code_signature.signing_id': { + dashed_name: 'dll-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'dll.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.status': { + dashed_name: 'dll-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'dll.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'dll.code_signature.subject_name': { + dashed_name: 'dll-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'dll.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'dll.code_signature.team_id': { + dashed_name: 'dll-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'dll.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.timestamp': { + dashed_name: 'dll-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'dll.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'dll.code_signature.trusted': { + dashed_name: 'dll-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'dll.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'dll.code_signature.valid': { + dashed_name: 'dll-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'dll.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'dll.hash.md5': { + dashed_name: 'dll-hash-md5', + description: 'MD5 hash.', + flat_name: 'dll.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 
'MD5 hash.', + type: 'keyword', + }, + 'dll.hash.sha1': { + dashed_name: 'dll-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'dll.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'dll.hash.sha256': { + dashed_name: 'dll-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'dll.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'dll.hash.sha384': { + dashed_name: 'dll-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'dll.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'dll.hash.sha512': { + dashed_name: 'dll-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'dll.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'dll.hash.ssdeep': { + dashed_name: 'dll-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'dll.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'dll.hash.tlsh': { + dashed_name: 'dll-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'dll.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'dll.name': { + dashed_name: 'dll-name', + description: 'Name of the library.\nThis generally maps to the name of the file on disk.', + example: 'kernel32.dll', + flat_name: 'dll.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the library.', + type: 'keyword', + }, + 'dll.path': 
{ + dashed_name: 'dll-path', + description: 'Full file path of the library.', + example: 'C:\\Windows\\System32\\kernel32.dll', + flat_name: 'dll.path', + ignore_above: 1024, + level: 'extended', + name: 'path', + normalize: [], + short: 'Full file path of the library.', + type: 'keyword', + }, + 'dll.pe.architecture': { + dashed_name: 'dll-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'dll.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'dll.pe.company': { + dashed_name: 'dll-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'dll.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.description': { + dashed_name: 'dll-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'dll.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.file_version': { + dashed_name: 'dll-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'dll.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'dll.pe.imphash': { + dashed_name: 'dll-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'dll.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'dll.pe.original_file_name': { + dashed_name: 'dll-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'dll.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.pehash': { + dashed_name: 'dll-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'dll.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'dll.pe.product': { + dashed_name: 'dll-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'dll.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'dns.answers': { + dashed_name: 'dns-answers', + description: + 'An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. 
If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.', + flat_name: 'dns.answers', + level: 'extended', + name: 'answers', + normalize: ['array'], + short: 'Array of DNS answers.', + type: 'object', + }, + 'dns.answers.class': { + dashed_name: 'dns-answers-class', + description: 'The class of DNS data contained in this resource record.', + example: 'IN', + flat_name: 'dns.answers.class', + ignore_above: 1024, + level: 'extended', + name: 'answers.class', + normalize: [], + short: 'The class of DNS data contained in this resource record.', + type: 'keyword', + }, + 'dns.answers.data': { + dashed_name: 'dns-answers-data', + description: + 'The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record.', + example: '10.10.10.10', + flat_name: 'dns.answers.data', + ignore_above: 1024, + level: 'extended', + name: 'answers.data', + normalize: [], + short: 'The data describing the resource.', + type: 'keyword', + }, + 'dns.answers.name': { + dashed_name: 'dns-answers-name', + description: + "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.", + example: 'www.example.com', + flat_name: 'dns.answers.name', + ignore_above: 1024, + level: 'extended', + name: 'answers.name', + normalize: [], + short: 'The domain name to which this resource record pertains.', + type: 'keyword', + }, + 'dns.answers.ttl': { + dashed_name: 'dns-answers-ttl', + description: + 'The time interval in seconds that this resource record may be cached before it should be discarded. 
Zero values mean that the data should not be cached.', + example: 180, + flat_name: 'dns.answers.ttl', + level: 'extended', + name: 'answers.ttl', + normalize: [], + short: + 'The time interval in seconds that this resource record may be cached before it should be discarded.', + type: 'long', + }, + 'dns.answers.type': { + dashed_name: 'dns-answers-type', + description: 'The type of data contained in this resource record.', + example: 'CNAME', + flat_name: 'dns.answers.type', + ignore_above: 1024, + level: 'extended', + name: 'answers.type', + normalize: [], + short: 'The type of data contained in this resource record.', + type: 'keyword', + }, + 'dns.header_flags': { + dashed_name: 'dns-header-flags', + description: 'Array of 2 letter DNS header flags.', + example: '["RD", "RA"]', + expected_values: ['AA', 'TC', 'RD', 'RA', 'AD', 'CD', 'DO'], + flat_name: 'dns.header_flags', + ignore_above: 1024, + level: 'extended', + name: 'header_flags', + normalize: ['array'], + short: 'Array of DNS header flags.', + type: 'keyword', + }, + 'dns.id': { + dashed_name: 'dns-id', + description: + 'The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.', + example: 62111, + flat_name: 'dns.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: + 'The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.', + type: 'keyword', + }, + 'dns.op_code': { + dashed_name: 'dns-op-code', + description: + 'The DNS operation code that specifies the kind of query in the message. 
This value is set by the originator of a query and copied into the response.', + example: 'QUERY', + flat_name: 'dns.op_code', + ignore_above: 1024, + level: 'extended', + name: 'op_code', + normalize: [], + short: 'The DNS operation code that specifies the kind of query in the message.', + type: 'keyword', + }, + 'dns.question.class': { + dashed_name: 'dns-question-class', + description: 'The class of records being queried.', + example: 'IN', + flat_name: 'dns.question.class', + ignore_above: 1024, + level: 'extended', + name: 'question.class', + normalize: [], + short: 'The class of records being queried.', + type: 'keyword', + }, + 'dns.question.name': { + dashed_name: 'dns-question-name', + description: + 'The name being queried.\nIf the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \\t, \\r, and \\n respectively.', + example: 'www.example.com', + flat_name: 'dns.question.name', + ignore_above: 1024, + level: 'extended', + name: 'question.name', + normalize: [], + short: 'The name being queried.', + type: 'keyword', + }, + 'dns.question.registered_domain': { + dashed_name: 'dns-question-registered-domain', + description: + 'The highest registered domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'dns.question.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'question.registered_domain', + normalize: [], + short: 'The highest registered domain, stripped of the subdomain.', + type: 'keyword', + }, + 'dns.question.subdomain': { + dashed_name: 'dns-question-subdomain', + description: + 'The subdomain is all of the labels under the registered_domain.\nIf the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'www', + flat_name: 'dns.question.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'question.subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'dns.question.top_level_domain': { + dashed_name: 'dns-question-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'dns.question.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'question.top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'dns.question.type': { + dashed_name: 'dns-question-type', + description: 'The type of record being queried.', + example: 'AAAA', + flat_name: 'dns.question.type', + ignore_above: 1024, + level: 'extended', + name: 'question.type', + normalize: [], + short: 'The type of record being queried.', + type: 'keyword', + }, + 'dns.resolved_ip': { + dashed_name: 'dns-resolved-ip', + description: + 'Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.', + example: '["10.10.10.10", "10.10.10.11"]', + flat_name: 'dns.resolved_ip', + level: 'extended', + name: 'resolved_ip', + normalize: ['array'], + short: 'Array containing all IPs seen in answers.data', + type: 'ip', + }, + 'dns.response_code': { + dashed_name: 'dns-response-code', + description: 'The DNS response code.', + example: 'NOERROR', + flat_name: 'dns.response_code', + ignore_above: 1024, + level: 'extended', + name: 'response_code', + normalize: [], + short: 'The DNS response code.', + type: 'keyword', + }, + 'dns.type': { + dashed_name: 'dns-type', + description: + 'The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers.', + example: 'answer', + flat_name: 'dns.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'The type of DNS event captured, query or answer.', + type: 'keyword', + }, + 'ecs.version': { + dashed_name: 'ecs-version', + description: + 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.', + example: '1.0.0', + flat_name: 'ecs.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + required: true, + short: 'ECS version this event conforms to.', + type: 'keyword', + }, + 'email.attachments': { + dashed_name: 'email-attachments', + description: + 'A list of objects describing the attachment files sent along with an email message.', + flat_name: 'email.attachments', + level: 'extended', + name: 'attachments', + normalize: ['array'], + short: 'List of objects describing the attachments.', + type: 'nested', + }, + 'email.attachments.file.extension': { + dashed_name: 'email-attachments-file-extension', + description: 'Attachment file extension, excluding the leading dot.', + example: 'txt', + flat_name: 'email.attachments.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.extension', + normalize: [], + short: 'Attachment file extension.', + type: 'keyword', + }, + 'email.attachments.file.hash.md5': { + dashed_name: 'email-attachments-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'email.attachments.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha1': { + dashed_name: 'email-attachments-file-hash-sha1', + description: 
'SHA1 hash.', + flat_name: 'email.attachments.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha256': { + dashed_name: 'email-attachments-file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'email.attachments.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha384': { + dashed_name: 'email-attachments-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'email.attachments.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha512': { + dashed_name: 'email-attachments-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'email.attachments.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.ssdeep': { + dashed_name: 'email-attachments-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'email.attachments.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.tlsh': { + dashed_name: 'email-attachments-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'email.attachments.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'email.attachments.file.mime_type': { + dashed_name: 'email-attachments-file-mime-type', + description: + 'The MIME media type of 
the attachment.\nThis value will typically be extracted from the `Content-Type` MIME header field.', + example: 'text/plain', + flat_name: 'email.attachments.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.mime_type', + normalize: [], + short: 'MIME type of the attachment file.', + type: 'keyword', + }, + 'email.attachments.file.name': { + dashed_name: 'email-attachments-file-name', + description: 'Name of the attachment file including the file extension.', + example: 'attachment.txt', + flat_name: 'email.attachments.file.name', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.name', + normalize: [], + short: 'Name of the attachment file.', + type: 'keyword', + }, + 'email.attachments.file.size': { + dashed_name: 'email-attachments-file-size', + description: 'Attachment file size in bytes.', + example: 64329, + flat_name: 'email.attachments.file.size', + level: 'extended', + name: 'attachments.file.size', + normalize: [], + short: 'Attachment file size.', + type: 'long', + }, + 'email.bcc.address': { + dashed_name: 'email-bcc-address', + description: 'The email address of BCC recipient', + example: 'bcc.user1@example.com', + flat_name: 'email.bcc.address', + ignore_above: 1024, + level: 'extended', + name: 'bcc.address', + normalize: ['array'], + short: 'Email address of BCC recipient', + type: 'keyword', + }, + 'email.cc.address': { + dashed_name: 'email-cc-address', + description: 'The email address of CC recipient', + example: 'cc.user1@example.com', + flat_name: 'email.cc.address', + ignore_above: 1024, + level: 'extended', + name: 'cc.address', + normalize: ['array'], + short: 'Email address of CC recipient', + type: 'keyword', + }, + 'email.content_type': { + dashed_name: 'email-content-type', + description: 'Information about how the message is to be displayed.\nTypically a MIME type.', + example: 'text/plain', + flat_name: 'email.content_type', + ignore_above: 1024, + level: 'extended', + name: 
'content_type', + normalize: [], + short: 'MIME type of the email message.', + type: 'keyword', + }, + 'email.delivery_timestamp': { + dashed_name: 'email-delivery-timestamp', + description: 'The date and time when the email message was received by the service or client.', + example: '2020-11-10T22:12:34.8196921Z', + flat_name: 'email.delivery_timestamp', + level: 'extended', + name: 'delivery_timestamp', + normalize: [], + short: 'Date and time when message was delivered.', + type: 'date', + }, + 'email.direction': { + dashed_name: 'email-direction', + description: 'The direction of the message based on the sending and receiving domains.', + example: 'inbound', + flat_name: 'email.direction', + ignore_above: 1024, + level: 'extended', + name: 'direction', + normalize: [], + short: 'Direction of the message.', + type: 'keyword', + }, + 'email.from.address': { + dashed_name: 'email-from-address', + description: + 'The email address of the sender, typically from the RFC 5322 `From:` header field.', + example: 'sender@example.com', + flat_name: 'email.from.address', + ignore_above: 1024, + level: 'extended', + name: 'from.address', + normalize: ['array'], + short: "The sender's email address.", + type: 'keyword', + }, + 'email.local_id': { + dashed_name: 'email-local-id', + description: + 'Unique identifier given to the email by the source that created the event.\nIdentifier is not persistent across hops.', + example: 'c26dbea0-80d5-463b-b93c-4e8b708219ce', + flat_name: 'email.local_id', + ignore_above: 1024, + level: 'extended', + name: 'local_id', + normalize: [], + short: 'Unique identifier given by the source.', + type: 'keyword', + }, + 'email.message_id': { + dashed_name: 'email-message-id', + description: + 'Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.', + example: '81ce15$8r2j59@mail01.example.com', + flat_name: 'email.message_id', + level: 'extended', + name: 'message_id', + normalize: [], + short: 'Value 
from the Message-ID header.', + type: 'wildcard', + }, + 'email.origination_timestamp': { + dashed_name: 'email-origination-timestamp', + description: + 'The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user.', + example: '2020-11-10T22:12:34.8196921Z', + flat_name: 'email.origination_timestamp', + level: 'extended', + name: 'origination_timestamp', + normalize: [], + short: 'Date and time the email was composed.', + type: 'date', + }, + 'email.reply_to.address': { + dashed_name: 'email-reply-to-address', + description: + 'The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header.', + example: 'reply.here@example.com', + flat_name: 'email.reply_to.address', + ignore_above: 1024, + level: 'extended', + name: 'reply_to.address', + normalize: ['array'], + short: 'Address replies should be delivered to.', + type: 'keyword', + }, + 'email.sender.address': { + dashed_name: 'email-sender-address', + description: + 'Per RFC 5322, specifies the address responsible for the actual transmission of the message.', + flat_name: 'email.sender.address', + ignore_above: 1024, + level: 'extended', + name: 'sender.address', + normalize: [], + short: 'Address of the message sender.', + type: 'keyword', + }, + 'email.subject': { + dashed_name: 'email-subject', + description: 'A brief summary of the topic of the message.', + example: 'Please see this important message.', + flat_name: 'email.subject', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'email.subject.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'subject', + normalize: [], + short: 'The subject of the email message.', + type: 'keyword', + }, + 'email.to.address': { + dashed_name: 'email-to-address', + description: 'The email address of recipient', + example: 'user1@example.com', + flat_name: 'email.to.address', + ignore_above: 1024, + level: 
'extended', + name: 'to.address', + normalize: ['array'], + short: 'Email address of recipient', + type: 'keyword', + }, + 'email.x_mailer': { + dashed_name: 'email-x-mailer', + description: + 'The name of the application that was used to draft and send the original email message.', + example: 'Spambot v2.5', + flat_name: 'email.x_mailer', + ignore_above: 1024, + level: 'extended', + name: 'x_mailer', + normalize: [], + short: 'Application that drafted email.', + type: 'keyword', + }, + 'error.code': { + dashed_name: 'error-code', + description: 'Error code describing the error.', + flat_name: 'error.code', + ignore_above: 1024, + level: 'core', + name: 'code', + normalize: [], + short: 'Error code describing the error.', + type: 'keyword', + }, + 'error.id': { + dashed_name: 'error-id', + description: 'Unique identifier for the error.', + flat_name: 'error.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier for the error.', + type: 'keyword', + }, + 'error.message': { + dashed_name: 'error-message', + description: 'Error message.', + flat_name: 'error.message', + level: 'core', + name: 'message', + normalize: [], + short: 'Error message.', + type: 'match_only_text', + }, + 'error.stack_trace': { + dashed_name: 'error-stack-trace', + description: 'The stack trace of this error in plain text.', + flat_name: 'error.stack_trace', + level: 'extended', + multi_fields: [ + { + flat_name: 'error.stack_trace.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'stack_trace', + normalize: [], + short: 'The stack trace of this error in plain text.', + type: 'wildcard', + }, + 'error.type': { + dashed_name: 'error-type', + description: 'The type of the error, for example the class name of the exception.', + example: 'java.lang.NullPointerException', + flat_name: 'error.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'The type of the error, for example the class name 
of the exception.', + type: 'keyword', + }, + 'event.action': { + dashed_name: 'event-action', + description: + 'The action captured by the event.\nThis describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.', + example: 'user-password-change', + flat_name: 'event.action', + ignore_above: 1024, + level: 'core', + name: 'action', + normalize: [], + short: 'The action captured by the event.', + type: 'keyword', + }, + 'event.agent_id_status': { + dashed_name: 'event-agent-id-status', + description: + "Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.\nFor example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. 
If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.\nIf no validation is performed then the field should be omitted.\nThe allowed values are:\n`verified` - The `agent.id` field value matches expected value obtained from auth metadata.\n`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.\n`missing` - There was no `agent.id` field in the event to validate.\n`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.", + example: 'verified', + flat_name: 'event.agent_id_status', + ignore_above: 1024, + level: 'extended', + name: 'agent_id_status', + normalize: [], + short: "Validation status of the event's agent.id field.", + type: 'keyword', + }, + 'event.category': { + allowed_values: [ + { + description: + 'Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. Visualize and analyze events in this category to look for failed logins, and other authentication-related activity.', + expected_event_types: ['start', 'end', 'info'], + name: 'authentication', + }, + { + description: + 'Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.\nExample sources include security policy change logs, configuration auditing logging, and system integrity monitoring.', + expected_event_types: ['access', 'change', 'creation', 'deletion', 'info'], + name: 'configuration', + }, + { + description: + 'The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. 
Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes.', + expected_event_types: ['access', 'change', 'info', 'error'], + name: 'database', + }, + { + description: + 'Events in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.\nUse events and metrics in this category to visualize and analyze driver-related activity and status on hosts.', + expected_event_types: ['change', 'end', 'info', 'start'], + name: 'driver', + }, + { + description: + 'This category is used for events relating to email messages, email attachments, and email network or protocol activity.\nEmails events can be produced by email security gateways, mail transfer agents, email cloud service providers, or mail server monitoring applications.', + expected_event_types: ['info'], + name: 'email', + }, + { + description: + 'Relating to a set of information that has been created on, or has existed on a filesystem. Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log.', + expected_event_types: ['change', 'creation', 'deletion', 'info'], + name: 'file', + }, + { + description: + 'Use this category to visualize and analyze information such as host inventory or host lifecycle events.\nMost of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane\'s point of view. 
Some can also be seen from within, such as "start" or "end".\nNote that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".', + expected_event_types: ['access', 'change', 'end', 'info', 'start'], + name: 'host', + }, + { + description: + 'Identity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.', + expected_event_types: ['admin', 'change', 'creation', 'deletion', 'group', 'info', 'user'], + name: 'iam', + }, + { + description: + 'Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.', + expected_event_types: ['allowed', 'denied', 'info'], + name: 'intrusion_detection', + }, + { + description: + 'Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs.', + expected_event_types: ['info'], + name: 'malware', + }, + { + description: + 'Relating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. 
Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc.', + expected_event_types: [ + 'access', + 'allowed', + 'connection', + 'denied', + 'end', + 'info', + 'protocol', + 'start', + ], + name: 'network', + }, + { + description: + 'Relating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data.', + expected_event_types: ['access', 'change', 'deletion', 'info', 'installation', 'start'], + name: 'package', + }, + { + description: + 'Use this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry.', + expected_event_types: ['access', 'change', 'end', 'info', 'start'], + name: 'process', + }, + { + description: + 'Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.', + expected_event_types: ['access', 'change', 'creation', 'deletion'], + name: 'registry', + }, + { + description: + 'The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.', + expected_event_types: ['start', 'end', 'info'], + name: 'session', + }, + { + description: + "Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors.", + expected_event_types: ['indicator'], + name: 'threat', + }, + { + description: + 'Relating to vulnerability scan results. 
Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources.', + expected_event_types: ['info'], + name: 'vulnerability', + }, + { + description: + 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.', + expected_event_types: ['access', 'error', 'info'], + name: 'web', + }, + ], + dashed_name: 'event-category', + description: + 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.\n`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.\nThis field is an array. This will allow proper categorization of some events that fall in multiple categories.', + example: 'authentication', + flat_name: 'event.category', + ignore_above: 1024, + level: 'core', + name: 'category', + normalize: ['array'], + short: 'Event category. The second categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.code': { + dashed_name: 'event-code', + description: + 'Identification code for this event, if one exists.\nSome event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID.', + example: 4648, + flat_name: 'event.code', + ignore_above: 1024, + level: 'extended', + name: 'code', + normalize: [], + short: 'Identification code for this event.', + type: 'keyword', + }, + 'event.created': { + dashed_name: 'event-created', + description: + "event.created contains the date/time when the event was first read by an agent, or by your pipeline.\nThis field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.\nIn most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.\nIn case the two timestamps are identical, @timestamp should be used.", + example: '2016-05-23T08:05:34.857Z', + flat_name: 'event.created', + level: 'core', + name: 'created', + normalize: [], + short: 'Time when the event was first read by an agent or by your pipeline.', + type: 'date', + }, + 'event.dataset': { + dashed_name: 'event-dataset', + description: + "Name of the dataset.\nIf an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from.\nIt's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.", + example: 'apache.access', + flat_name: 'event.dataset', + ignore_above: 1024, + level: 'core', + name: 'dataset', + normalize: [], + short: 'Name of the dataset.', + type: 'keyword', + }, + 'event.duration': { + dashed_name: 'event-duration', + description: + 'Duration of the event in nanoseconds.\nIf event.start and event.end are known this value should be the difference between the end and start time.', + flat_name: 'event.duration', + format: 'duration', + input_format: 'nanoseconds', + level: 'core', + name: 'duration', + normalize: [], + output_format: 'asMilliseconds', + output_precision: 1, + short: 'Duration of the event in nanoseconds.', + type: 'long', + }, + 'event.end': { + dashed_name: 'event-end', + description: + 'event.end contains the date when the event ended or when the activity was last observed.', + flat_name: 'event.end', + level: 'extended', + name: 'end', + normalize: [], + short: + 'event.end contains the date when the event ended or when the activity was last observed.', + type: 'date', + }, + 'event.hash': { + dashed_name: 'event-hash', + description: + 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.', + example: '123456789012345678901234567890ABCD', + flat_name: 'event.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + short: + 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.', + type: 'keyword', + }, + 'event.id': { + dashed_name: 'event-id', + description: 'Unique ID to describe the event.', + example: '8a4f500d', + flat_name: 'event.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique ID to describe the event.', + type: 'keyword', + }, + 'event.ingested': { + 
dashed_name: 'event-ingested', + description: + "Timestamp when an event arrived in the central data store.\nThis is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.\nIn normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.", + example: '2016-05-23T08:05:35.101Z', + flat_name: 'event.ingested', + level: 'core', + name: 'ingested', + normalize: [], + short: 'Timestamp when an event arrived in the central data store.', + type: 'date', + }, + 'event.kind': { + allowed_values: [ + { + description: + 'This value indicates an event such as an alert or notable event, triggered by a detection rule executing externally to the Elastic Stack.\n`event.kind:alert` is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and so on.\nThis value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.', + name: 'alert', + }, + { + description: + 'The `enrichment` value indicates an event collected to provide additional context, often to other events.\nAn example is collecting indicators of compromise (IOCs) from a threat intelligence provider with the intent to use those values to enrich other events. The IOC events from the intelligence provider should be categorized as `event.kind:enrichment`.', + name: 'enrichment', + }, + { + description: + 'This value is the most general and most common value for this field. 
It is used to represent events that indicate that something happened.', + name: 'event', + }, + { + description: + 'This value is used to indicate that this event describes a numeric measurement taken at given point in time.\nExamples include CPU utilization, memory usage, or device temperature.\nMetric events are often collected on a predictable frequency, such as once every few seconds, or once a minute, but can also be used to describe ad-hoc numeric metric queries.', + name: 'metric', + }, + { + description: + "The state value is similar to metric, indicating that this event describes a measurement taken at given point in time, except that the measurement does not result in a numeric value, but rather one of a fixed set of categorical values that represent conditions or states.\nExamples include periodic events reporting Elasticsearch cluster state (green/yellow/red), the state of a TCP connection (open, closed, fin_wait, etc.), the state of a host with respect to a software vulnerability (vulnerable, not vulnerable), and the state of a system regarding compliance with a regulatory standard (compliant, not compliant).\nNote that an event that describes a change of state would not use `event.kind:state`, but instead would use 'event.kind:event' since a state change fits the more general event definition of something that happened.\nState events are often collected on a predictable frequency, such as once every few seconds, once a minute, once an hour, or once a day, but can also be used to describe ad-hoc state queries.", + name: 'state', + }, + { + description: + 'This value indicates that an error occurred during the ingestion of this event, and that event data may be missing, inconsistent, or incorrect. 
`event.kind:pipeline_error` is often associated with parsing errors.', + name: 'pipeline_error', + }, + { + description: + 'This value is used by Elastic solutions (e.g., Security, Observability) for alert documents that are created by rules executing within the Kibana alerting framework.\nUsage of this value is reserved, and data ingestion pipelines must not populate `event.kind` with the value "signal".', + name: 'signal', + }, + ], + dashed_name: 'event-kind', + description: + 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.\n`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.\nThe value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.', + example: 'alert', + flat_name: 'event.kind', + ignore_above: 1024, + level: 'core', + name: 'kind', + normalize: [], + short: 'The kind of the event. The highest categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.module': { + dashed_name: 'event-module', + description: + 'Name of the module this data is coming from.\nIf your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.', + example: 'apache', + flat_name: 'event.module', + ignore_above: 1024, + level: 'core', + name: 'module', + normalize: [], + short: 'Name of the module this data is coming from.', + type: 'keyword', + }, + 'event.original': { + dashed_name: 'event-original', + description: + 'Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.\nThis field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.', + doc_values: false, + example: + 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232', + flat_name: 'event.original', + index: false, + level: 'core', + name: 'original', + normalize: [], + short: 'Raw text message of entire event.', + type: 'keyword', + }, + 'event.outcome': { + allowed_values: [ + { + description: + 'Indicates that this event describes a failed result. A common example is `event.category:file AND event.type:access AND event.outcome:failure` to indicate that a file access was attempted, but was not successful.', + name: 'failure', + }, + { + description: + 'Indicates that this event describes a successful result. A common example is `event.category:file AND event.type:create AND event.outcome:success` to indicate that a file was successfully created.', + name: 'success', + }, + { + description: + "Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. 
In such cases `event.outcome` should not be populated.", + name: 'unknown', + }, + ], + dashed_name: 'event-outcome', + description: + 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.\n`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.\nNote that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.\nAlso note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.\nFurther note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.', + example: 'success', + flat_name: 'event.outcome', + ignore_above: 1024, + level: 'core', + name: 'outcome', + normalize: [], + short: 'The outcome of the event. The lowest level categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.provider': { + dashed_name: 'event-provider', + description: + 'Source of the event.\nEvent transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).', + example: 'kernel', + flat_name: 'event.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + short: 'Source of the event.', + type: 'keyword', + }, + 'event.reason': { + dashed_name: 'event-reason', + description: + 'Reason why this event happened, according to the source.\nThis describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).', + example: 'Terminated an unexpected process', + flat_name: 'event.reason', + ignore_above: 1024, + level: 'extended', + name: 'reason', + normalize: [], + short: 'Reason why this event happened, according to the source', + type: 'keyword', + }, + 'event.reference': { + dashed_name: 'event-reference', + description: + 'Reference URL linking to additional information about this event.\nThis URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://system.example.com/event/#0001234', + flat_name: 'event.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Event reference URL', + type: 'keyword', + }, + 'event.risk_score': { + dashed_name: 'event-risk-score', + description: + "Risk score or priority of the event (e.g. security solutions). Use your system's original value here.", + flat_name: 'event.risk_score', + level: 'core', + name: 'risk_score', + normalize: [], + short: + "Risk score or priority of the event (e.g. security solutions). 
Use your system's original value here.", + type: 'float', + }, + 'event.risk_score_norm': { + dashed_name: 'event-risk-score-norm', + description: + 'Normalized risk score or priority of the event, on a scale of 0 to 100.\nThis is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.', + flat_name: 'event.risk_score_norm', + level: 'extended', + name: 'risk_score_norm', + normalize: [], + short: 'Normalized risk score or priority of the event (0-100).', + type: 'float', + }, + 'event.sequence': { + dashed_name: 'event-sequence', + description: + 'Sequence number of the event.\nThe sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.', + flat_name: 'event.sequence', + format: 'string', + level: 'extended', + name: 'sequence', + normalize: [], + short: 'Sequence number of the event.', + type: 'long', + }, + 'event.severity': { + dashed_name: 'event-severity', + description: + "The numeric severity of the event according to your event source.\nWhat the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.\nThe Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.", + example: 7, + flat_name: 'event.severity', + format: 'string', + level: 'core', + name: 'severity', + normalize: [], + short: 'Numeric severity of the event.', + type: 'long', + }, + 'event.start': { + dashed_name: 'event-start', + description: + 'event.start contains the date when the event started or when the activity was first observed.', + flat_name: 'event.start', + level: 'extended', + name: 'start', + normalize: [], + short: + 'event.start contains the date when the event started or when the activity was first observed.', + type: 'date', + }, + 'event.timezone': { + dashed_name: 'event-timezone', + description: + 'This field should be populated when the event\'s timestamp does not include timezone information already (e.g. default Syslog timestamps). It\'s optional otherwise.\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").', + flat_name: 'event.timezone', + ignore_above: 1024, + level: 'extended', + name: 'timezone', + normalize: [], + short: 'Event time zone.', + type: 'keyword', + }, + 'event.type': { + allowed_values: [ + { + description: + 'The access event type is used for the subset of events within a category that indicate that something was accessed. Common examples include `event.category:database AND event.type:access`, or `event.category:file AND event.type:access`. Note for file access, both directory listings and file opens should be included in this subcategory. You can further distinguish access operations using the ECS `event.action` field.', + name: 'access', + }, + { + description: + 'The admin event type is used for the subset of events within a category that are related to admin objects. 
For example, administrative changes within an IAM framework that do not specifically affect a user or group (e.g., adding new applications to a federation solution or connecting discrete forests in Active Directory) would fall into this subcategory. Common example: `event.category:iam AND event.type:change AND event.type:admin`. You can further distinguish admin operations using the ECS `event.action` field.', + name: 'admin', + }, + { + description: + 'The allowed event type is used for the subset of events within a category that indicate that something was allowed. Common examples include `event.category:network AND event.type:connection AND event.type:allowed` (to indicate a network firewall event for which the firewall disposition was to allow the connection to complete) and `event.category:intrusion_detection AND event.type:allowed` (to indicate a network intrusion prevention system event for which the IPS disposition was to allow the connection to complete). You can further distinguish allowed operations using the ECS `event.action` field, populating with values of your choosing, such as "allow", "detect", or "pass".', + name: 'allowed', + }, + { + description: + 'The change event type is used for the subset of events within a category that indicate that something has changed. If semantics best describe an event as modified, then include them in this subcategory. Common examples include `event.category:process AND event.type:change`, and `event.category:file AND event.type:change`. You can further distinguish change operations using the ECS `event.action` field.', + name: 'change', + }, + { + description: + 'Used primarily with `event.category:network` this value is used for the subset of network traffic that includes sufficient information for the event to be included in flow or connection analysis. 
Events in this subcategory will contain at least source and destination IP addresses, source and destination TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. Events in this subcategory may contain unidirectional or bidirectional information, including summary information. Use this subcategory to visualize and analyze network connections. Flow analysis, including Netflow, IPFIX, and other flow-related events fit in this subcategory. Note that firewall events from many Next-Generation Firewall (NGFW) devices will also fit into this subcategory. A common filter for flow/connection information would be `event.category:network AND event.type:connection AND event.type:end` (to view or analyze all completed network connections, ignoring mid-flow reports). You can further distinguish connection events using the ECS `event.action` field, populating with values of your choosing, such as "timeout", or "reset".', + name: 'connection', + }, + { + description: + 'The "creation" event type is used for the subset of events within a category that indicate that something was created. A common example is `event.category:file AND event.type:creation`.', + name: 'creation', + }, + { + description: + 'The deletion event type is used for the subset of events within a category that indicate that something was deleted. A common example is `event.category:file AND event.type:deletion` to indicate that a file has been deleted.', + name: 'deletion', + }, + { + description: + 'The denied event type is used for the subset of events within a category that indicate that something was denied. Common examples include `event.category:network AND event.type:denied` (to indicate a network firewall event for which the firewall disposition was to deny the connection) and `event.category:intrusion_detection AND event.type:denied` (to indicate a network intrusion prevention system event for which the IPS disposition was to deny the connection to complete). 
You can further distinguish denied operations using the ECS `event.action` field, populating with values of your choosing, such as "blocked", "dropped", or "quarantined".', + name: 'denied', + }, + { + description: + 'The end event type is used for the subset of events within a category that indicate something has ended. A common example is `event.category:process AND event.type:end`.', + name: 'end', + }, + { + description: + 'The error event type is used for the subset of events within a category that indicate or describe an error. A common example is `event.category:database AND event.type:error`. Note that pipeline errors that occur during the event ingestion process should not use this `event.type` value. Instead, they should use `event.kind:pipeline_error`.', + name: 'error', + }, + { + description: + 'The group event type is used for the subset of events within a category that are related to group objects. Common example: `event.category:iam AND event.type:creation AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.', + name: 'group', + }, + { + description: + 'The indicator event type is used for the subset of events within a category that contain details about indicators of compromise (IOCs).\nA common example is `event.category:threat AND event.type:indicator`.', + name: 'indicator', + }, + { + description: + 'The info event type is used for the subset of events within a category that indicate that they are purely informational, and don\'t report a state change, or any type of action. For example, an initial run of a file integrity monitoring system (FIM), where an agent reports all files under management, would fall into the "info" subcategory. Similarly, an event containing a dump of all currently running processes (as opposed to reporting that a process started/ended) would fall into the "info" subcategory. 
An additional common examples is `event.category:intrusion_detection AND event.type:info`.', + name: 'info', + }, + { + description: + 'The installation event type is used for the subset of events within a category that indicate that something was installed. A common example is `event.category:package` AND `event.type:installation`.', + name: 'installation', + }, + { + description: + 'The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field.', + name: 'protocol', + }, + { + description: + 'The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process AND event.type:start`.', + name: 'start', + }, + { + description: + 'The user event type is used for the subset of events within a category that are related to user objects. Common example: `event.category:iam AND event.type:deletion AND event.type:user`. 
You can further distinguish user operations using the ECS `event.action` field.', + name: 'user', + }, + ], + dashed_name: 'event-type', + description: + 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.\n`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.\nThis field is an array. This will allow proper categorization of some events that fall in multiple event types.', + flat_name: 'event.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: ['array'], + short: 'Event type. The third categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.url': { + dashed_name: 'event-url', + description: + 'URL linking to an external system to continue investigation of this event.\nThis URL links to another system where in-depth investigation of the specific occurrence of this event can take place. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe', + flat_name: 'event.url', + ignore_above: 1024, + level: 'extended', + name: 'url', + normalize: [], + short: 'Event investigation URL', + type: 'keyword', + }, + 'faas.coldstart': { + dashed_name: 'faas-coldstart', + description: 'Boolean value indicating a cold start of a function.', + flat_name: 'faas.coldstart', + level: 'extended', + name: 'coldstart', + normalize: [], + short: 'Boolean value indicating a cold start of a function.', + type: 'boolean', + }, + 'faas.execution': { + dashed_name: 'faas-execution', + description: 'The execution ID of the current function execution.', + example: 'af9d5aa4-a685-4c5f-a22b-444f80b3cc28', + flat_name: 'faas.execution', + ignore_above: 1024, + level: 'extended', + name: 'execution', + normalize: [], + short: 'The execution ID of the current function execution.', + type: 'keyword', + }, + 'faas.id': { + dashed_name: 'faas-id', + description: + "The unique identifier of a serverless function.\nFor AWS Lambda it's the function ARN (Amazon Resource Name) without a version or alias suffix.", + example: 'arn:aws:lambda:us-west-2:123456789012:function:my-function', + flat_name: 'faas.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'The unique identifier of a serverless function.', + type: 'keyword', + }, + 'faas.name': { + dashed_name: 'faas-name', + description: 'The name of a serverless function.', + example: 'my-function', + flat_name: 'faas.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'The name of a serverless function.', + type: 'keyword', + }, + 'faas.trigger': { + dashed_name: 'faas-trigger', + description: 'Details about the function trigger.', + flat_name: 'faas.trigger', + level: 'extended', + name: 'trigger', + normalize: [], + short: 'Details about the function 
trigger.', + type: 'nested', + }, + 'faas.trigger.request_id': { + dashed_name: 'faas-trigger-request-id', + description: 'The ID of the trigger request , message, event, etc.', + example: 123456789, + flat_name: 'faas.trigger.request_id', + ignore_above: 1024, + level: 'extended', + name: 'trigger.request_id', + normalize: [], + short: 'The ID of the trigger request , message, event, etc.', + type: 'keyword', + }, + 'faas.trigger.type': { + dashed_name: 'faas-trigger-type', + description: 'The trigger for the function execution.', + example: 'http', + expected_values: ['http', 'pubsub', 'datasource', 'timer', 'other'], + flat_name: 'faas.trigger.type', + ignore_above: 1024, + level: 'extended', + name: 'trigger.type', + normalize: [], + short: 'The trigger for the function execution.', + type: 'keyword', + }, + 'faas.version': { + dashed_name: 'faas-version', + description: 'The version of a serverless function.', + example: '123', + flat_name: 'faas.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'The version of a serverless function.', + type: 'keyword', + }, + 'file.accessed': { + dashed_name: 'file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + short: 'Last time the file was accessed.', + type: 'date', + }, + 'file.attributes': { + dashed_name: 'file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + short: 'Array of file attributes.', + type: 'keyword', + }, + 'file.code_signature.digest_algorithm': { + dashed_name: 'file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.exists': { + dashed_name: 'file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'file.code_signature.signing_id': { + dashed_name: 'file-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.status': { + dashed_name: 'file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'file.code_signature.subject_name': { + dashed_name: 'file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'file.code_signature.team_id': { + dashed_name: 'file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.timestamp': { + dashed_name: 'file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'file.code_signature.trusted': { + dashed_name: 'file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'file.code_signature.valid': { + dashed_name: 'file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'file.created': { + dashed_name: 'file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'file.created', + level: 'extended', + name: 
'created', + normalize: [], + short: 'File creation time.', + type: 'date', + }, + 'file.ctime': { + dashed_name: 'file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'file.device': { + dashed_name: 'file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'file.directory': { + dashed_name: 'file-directory', + description: + 'Directory where the file is located. It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'file.drive_letter': { + dashed_name: 'file-drive-letter', + description: + 'Drive letter where the file is located. 
This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'file.elf.architecture': { + dashed_name: 'file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'file.elf.byte_order': { + dashed_name: 'file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'file.elf.cpu_type': { + dashed_name: 'file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'file.elf.creation_date': { + dashed_name: 'file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'file.elf.exports': { + dashed_name: 'file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'file.elf.header.abi_version': { + dashed_name: 'file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'file.elf.header.class': { + dashed_name: 'file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'file.elf.header.data': { + dashed_name: 'file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'file.elf.header.entrypoint': { + dashed_name: 'file-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 
'file.elf.header.object_version': { + dashed_name: 'file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'file.elf.header.os_abi': { + dashed_name: 'file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'file.elf.header.type': { + dashed_name: 'file-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'file.elf.header.version': { + dashed_name: 'file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'file.elf.imports': { + dashed_name: 'file-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'file.elf.sections': { + dashed_name: 'file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 
'file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'file.elf.sections.chi2': { + dashed_name: 'file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'file.elf.sections.entropy': { + dashed_name: 'file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'file.elf.sections.flags': { + dashed_name: 'file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'file.elf.sections.name': { + dashed_name: 'file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'file.elf.sections.physical_offset': { + dashed_name: 'file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'file.elf.sections.physical_size': { 
+ dashed_name: 'file-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'file.elf.sections.type': { + dashed_name: 'file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'file.elf.sections.virtual_address': { + dashed_name: 'file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'file.elf.sections.virtual_size': { + dashed_name: 'file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'file.elf.segments': { + dashed_name: 'file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'file.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'file.elf.segments.sections': { + dashed_name: 'file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 
'file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'file.elf.segments.type': { + dashed_name: 'file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'file.elf.shared_libraries': { + dashed_name: 'file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'file.elf.telfhash': { + dashed_name: 'file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'file.extension': { + dashed_name: 'file-extension', + description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'file.fork_name': { + dashed_name: 'file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. 
A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'file.gid': { + dashed_name: 'file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'file.group': { + dashed_name: 'file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'file.hash.md5': { + dashed_name: 'file-hash-md5', + description: 'MD5 hash.', + flat_name: 'file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'file.hash.sha1': { + dashed_name: 'file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'file.hash.sha256': { + dashed_name: 
'file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'file.hash.sha384': { + dashed_name: 'file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'file.hash.sha512': { + dashed_name: 'file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'file.hash.ssdeep': { + dashed_name: 'file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'file.hash.tlsh': { + dashed_name: 'file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'file.inode': { + dashed_name: 'file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + normalize: [], + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'file.mime_type': { + dashed_name: 'file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used.', + flat_name: 'file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'file.mode': { + dashed_name: 'file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'file.mtime': { + dashed_name: 'file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + short: 'Last time the file content was modified.', + type: 'date', + }, + 'file.name': { + dashed_name: 'file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the file including the extension, without the directory.', + type: 'keyword', + }, + 'file.owner': { + dashed_name: 'file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + short: "File owner's username.", + type: 'keyword', + }, + 'file.path': { + dashed_name: 'file-path', + description: + 'Full path to the file, including the file name. 
It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [{ flat_name: 'file.path.text', name: 'text', type: 'match_only_text' }], + name: 'path', + normalize: [], + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'file.pe.architecture': { + dashed_name: 'file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'file.pe.company': { + dashed_name: 'file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.description': { + dashed_name: 'file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.file_version': { + dashed_name: 'file-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'file.pe.imphash': { + dashed_name: 'file-pe-imphash', + description: + 'A hash of 
the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'file.pe.original_file_name': { + dashed_name: 'file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.pehash': { + dashed_name: 'file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'file.pe.product': { + dashed_name: 'file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.size': { + dashed_name: 'file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'file.size', + level: 'extended', + name: 'size', + normalize: [], + short: 'File size in bytes.', + type: 'long', + }, + 'file.target_path': { + dashed_name: 'file-target-path', + description: 'Target path for symlinks.', + flat_name: 'file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + short: 'Target path for symlinks.', + type: 'keyword', + }, + 'file.type': { + dashed_name: 'file-type', + description: 'File type (file, dir, or symlink).', + example: 'file', + flat_name: 'file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'file.uid': { + dashed_name: 'file-uid', + description: 'The user ID (UID) or security identifier 
(SID) of the file owner.', + example: '1001', + flat_name: 'file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'file.x509.alternative_names': { + dashed_name: 'file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'file.x509.issuer.common_name': { + dashed_name: 'file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.country': { + dashed_name: 'file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'file.x509.issuer.distinguished_name': { + dashed_name: 'file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'file.x509.issuer.distinguished_name', + ignore_above: 1024, + 
level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.locality': { + dashed_name: 'file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'file.x509.issuer.organization': { + dashed_name: 'file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.organizational_unit': { + dashed_name: 'file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.state_or_province': { + dashed_name: 'file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 
'file.x509.not_after': { + dashed_name: 'file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'file.x509.not_before': { + dashed_name: 'file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'file.x509.public_key_algorithm': { + dashed_name: 'file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'file.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'file.x509.public_key_curve': { + dashed_name: 'file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'file.x509.public_key_exponent': { + dashed_name: 'file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. 
This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'file.x509.public_key_size': { + dashed_name: 'file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'file.x509.serial_number': { + dashed_name: 'file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'file.x509.signature_algorithm': { + dashed_name: 'file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'file.x509.subject.common_name': { + dashed_name: 'file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'file.x509.subject.country': { + dashed_name: 'file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'file.x509.subject.distinguished_name': { + dashed_name: 'file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'file.x509.subject.locality': { + dashed_name: 'file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + 
original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'file.x509.subject.organization': { + dashed_name: 'file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'file.x509.subject.organizational_unit': { + dashed_name: 'file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'file.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'file.x509.subject.state_or_province': { + dashed_name: 'file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'file.x509.version_number': { + dashed_name: 'file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'group.domain': { + dashed_name: 'group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'group.domain', + ignore_above: 1024, + level: 'extended', + name: 
'domain', + normalize: [], + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'group.id': { + dashed_name: 'group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'group.name': { + dashed_name: 'group-name', + description: 'Name of the group.', + flat_name: 'group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the group.', + type: 'keyword', + }, + 'host.architecture': { + dashed_name: 'host-architecture', + description: 'Operating system architecture.', + example: 'x86_64', + flat_name: 'host.architecture', + ignore_above: 1024, + level: 'core', + name: 'architecture', + normalize: [], + short: 'Operating system architecture.', + type: 'keyword', + }, + 'host.boot.id': { + beta: 'This field is beta and subject to change.', + dashed_name: 'host-boot-id', + description: + 'Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. 
Some container runtimes will bind mount a new boot_id value onto the proc file in each container.', + example: '88a1f0ed-5ae5-41ee-af6b-41921c311872', + flat_name: 'host.boot.id', + ignore_above: 1024, + level: 'extended', + name: 'boot.id', + normalize: [], + short: 'Linux boot uuid taken from /proc/sys/kernel/random/boot_id', + type: 'keyword', + }, + 'host.cpu.usage': { + dashed_name: 'host-cpu-usage', + description: + 'Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.\nScaling factor: 1000.\nFor example: For a two core host, this value should be the average of the two cores, between 0 and 1.', + flat_name: 'host.cpu.usage', + level: 'extended', + name: 'cpu.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent CPU used, between 0 and 1.', + type: 'scaled_float', + }, + 'host.disk.read.bytes': { + dashed_name: 'host-disk-read-bytes', + description: + 'The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'host.disk.read.bytes', + level: 'extended', + name: 'disk.read.bytes', + normalize: [], + short: 'The number of bytes read by all disks.', + type: 'long', + }, + 'host.disk.write.bytes': { + dashed_name: 'host-disk-write-bytes', + description: + 'The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'host.disk.write.bytes', + level: 'extended', + name: 'disk.write.bytes', + normalize: [], + short: 'The number of bytes written on all disks.', + type: 'long', + }, + 'host.domain': { + dashed_name: 'host-domain', + description: + "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider.", + example: 'CONTOSO', + flat_name: 'host.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'host.geo.city_name': { + dashed_name: 'host-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'host.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'host.geo.continent_code': { + dashed_name: 'host-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'host.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'host.geo.continent_name': { + dashed_name: 'host-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'host.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'host.geo.country_iso_code': { + dashed_name: 'host-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'host.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'host.geo.country_name': { + dashed_name: 'host-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'host.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'host.geo.location': { + dashed_name: 
'host-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'host.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'host.geo.name': { + dashed_name: 'host-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'host.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'host.geo.postal_code': { + dashed_name: 'host-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'host.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'host.geo.region_iso_code': { + dashed_name: 'host-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'host.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'host.geo.region_name': { + dashed_name: 'host-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'host.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'host.geo.timezone': { + dashed_name: 
'host-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'host.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'host.hostname': { + dashed_name: 'host-hostname', + description: + 'Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine.', + flat_name: 'host.hostname', + ignore_above: 1024, + level: 'core', + name: 'hostname', + normalize: [], + short: 'Hostname of the host.', + type: 'keyword', + }, + 'host.id': { + dashed_name: 'host-id', + description: + 'Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`.', + flat_name: 'host.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique host id.', + type: 'keyword', + }, + 'host.ip': { + dashed_name: 'host-ip', + description: 'Host ip addresses.', + flat_name: 'host.ip', + level: 'core', + name: 'ip', + normalize: ['array'], + short: 'Host ip addresses.', + type: 'ip', + }, + 'host.mac': { + dashed_name: 'host-mac', + description: + 'Host MAC addresses.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen.', + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]', + flat_name: 'host.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: ['array'], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'Host MAC addresses.', + type: 'keyword', + }, + 'host.name': { + dashed_name: 'host-name', + description: + 'Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.', + flat_name: 'host.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the host.', + type: 'keyword', + }, + 'host.network.egress.bytes': { + dashed_name: 'host-network-egress-bytes', + description: + 'The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.egress.bytes', + level: 'extended', + name: 'network.egress.bytes', + normalize: [], + short: 'The number of bytes sent on all network interfaces.', + type: 'long', + }, + 'host.network.egress.packets': { + dashed_name: 'host-network-egress-packets', + description: + 'The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.egress.packets', + level: 'extended', + name: 'network.egress.packets', + normalize: [], + short: 'The number of packets sent on all network interfaces.', + type: 'long', + }, + 'host.network.ingress.bytes': { + dashed_name: 'host-network-ingress-bytes', + description: + 'The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.ingress.bytes', + level: 'extended', + name: 'network.ingress.bytes', + normalize: [], + short: 'The number of bytes received on all network interfaces.', + type: 'long', + }, + 'host.network.ingress.packets': { + dashed_name: 
'host-network-ingress-packets', + description: + 'The number of packets (gauge) received on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.ingress.packets', + level: 'extended', + name: 'network.ingress.packets', + normalize: [], + short: 'The number of packets received on all network interfaces.', + type: 'long', + }, + 'host.os.family': { + dashed_name: 'host-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'host.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'host.os.full': { + dashed_name: 'host-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'host.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [{ flat_name: 'host.os.full.text', name: 'text', type: 'match_only_text' }], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'host.os.kernel': { + dashed_name: 'host-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'host.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'host.os.name': { + dashed_name: 'host-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'host.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [{ flat_name: 'host.os.name.text', name: 'text', type: 'match_only_text' }], + name: 'name', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, without 
the version.', + type: 'keyword', + }, + 'host.os.platform': { + dashed_name: 'host-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'host.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'host.os.type': { + dashed_name: 'host-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'host.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'host.os.version': { + dashed_name: 'host-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'host.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'host.pid_ns_ino': { + beta: 'This field is beta and subject to change.', + dashed_name: 'host-pid-ns-ino', + description: + 'This is the inode number of the namespace in the namespace file system (nsfs). 
Unsigned int inum in include/linux/ns_common.h.', + example: 256383, + flat_name: 'host.pid_ns_ino', + ignore_above: 1024, + level: 'extended', + name: 'pid_ns_ino', + normalize: [], + short: 'Pid namespace inode', + type: 'keyword', + }, + 'host.risk.calculated_level': { + dashed_name: 'host-risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'host.risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'keyword', + }, + 'host.risk.calculated_score': { + dashed_name: 'host-risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'host.risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'host.risk.calculated_score_norm': { + dashed_name: 'host-risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.', + example: 88.73, + flat_name: 'host.risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'host.risk.static_level': { + dashed_name: 'host-risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some 
external Threat Intelligence Platform.', + example: 'High', + flat_name: 'host.risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'keyword', + }, + 'host.risk.static_score': { + dashed_name: 'host-risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'host.risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'host.risk.static_score_norm': { + dashed_name: 'host-risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'host.risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + 'host.type': { + dashed_name: 'host-type', + description: + 'Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment.', + flat_name: 'host.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'Type of host.', + type: 'keyword', + }, + 'host.uptime': { + dashed_name: 'host-uptime', + description: 'Seconds the host has been up.', + example: 1325, + flat_name: 'host.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + short: 'Seconds the host has been up.', + type: 'long', + }, + 'http.request.body.bytes': { + dashed_name: 'http-request-body-bytes', + description: 'Size in bytes of the request body.', + example: 887, + flat_name: 'http.request.body.bytes', + format: 'bytes', + level: 'extended', + name: 'request.body.bytes', + normalize: [], + short: 'Size in bytes of the request body.', + type: 'long', + }, + 'http.request.body.content': { + dashed_name: 'http-request-body-content', + description: 'The full HTTP request body.', + example: 'Hello world', + flat_name: 'http.request.body.content', + level: 'extended', + multi_fields: [ + { + flat_name: 'http.request.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'request.body.content', + normalize: [], + short: 'The full HTTP request body.', + type: 'wildcard', + }, + 'http.request.bytes': { + dashed_name: 'http-request-bytes', + description: 'Total size in bytes of the request (body and headers).', + example: 1437, + flat_name: 'http.request.bytes', + format: 'bytes', + level: 'extended', + name: 'request.bytes', + normalize: [], + short: 'Total size in bytes of the request (body and headers).', + type: 'long', + }, + 'http.request.id': { + dashed_name: 'http-request-id', + description: + 'A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.\nThe id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.', + example: '123e4567-e89b-12d3-a456-426614174000', + 
flat_name: 'http.request.id', + ignore_above: 1024, + level: 'extended', + name: 'request.id', + normalize: [], + short: 'HTTP request ID.', + type: 'keyword', + }, + 'http.request.method': { + dashed_name: 'http-request-method', + description: + 'HTTP request method.\nThe value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.', + example: 'POST', + flat_name: 'http.request.method', + ignore_above: 1024, + level: 'extended', + name: 'request.method', + normalize: [], + short: 'HTTP request method.', + type: 'keyword', + }, + 'http.request.mime_type': { + dashed_name: 'http-request-mime-type', + description: + "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.", + example: 'image/gif', + flat_name: 'http.request.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'request.mime_type', + normalize: [], + short: 'Mime type of the body of the request.', + type: 'keyword', + }, + 'http.request.referrer': { + dashed_name: 'http-request-referrer', + description: 'Referrer for this HTTP request.', + example: 'https://blog.example.com/', + flat_name: 'http.request.referrer', + ignore_above: 1024, + level: 'extended', + name: 'request.referrer', + normalize: [], + short: 'Referrer for this HTTP request.', + type: 'keyword', + }, + 'http.response.body.bytes': { + dashed_name: 'http-response-body-bytes', + description: 'Size in bytes of the response body.', + example: 887, + flat_name: 'http.response.body.bytes', + format: 'bytes', + level: 'extended', + name: 'response.body.bytes', + normalize: [], + short: 'Size in bytes of the response body.', + type: 'long', + }, + 'http.response.body.content': { + dashed_name: 'http-response-body-content', + 
description: 'The full HTTP response body.', + example: 'Hello world', + flat_name: 'http.response.body.content', + level: 'extended', + multi_fields: [ + { + flat_name: 'http.response.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'response.body.content', + normalize: [], + short: 'The full HTTP response body.', + type: 'wildcard', + }, + 'http.response.bytes': { + dashed_name: 'http-response-bytes', + description: 'Total size in bytes of the response (body and headers).', + example: 1437, + flat_name: 'http.response.bytes', + format: 'bytes', + level: 'extended', + name: 'response.bytes', + normalize: [], + short: 'Total size in bytes of the response (body and headers).', + type: 'long', + }, + 'http.response.mime_type': { + dashed_name: 'http-response-mime-type', + description: + "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.", + example: 'image/gif', + flat_name: 'http.response.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'response.mime_type', + normalize: [], + short: 'Mime type of the body of the response.', + type: 'keyword', + }, + 'http.response.status_code': { + dashed_name: 'http-response-status-code', + description: 'HTTP response status code.', + example: 404, + flat_name: 'http.response.status_code', + format: 'string', + level: 'extended', + name: 'response.status_code', + normalize: [], + short: 'HTTP response status code.', + type: 'long', + }, + 'http.version': { + dashed_name: 'http-version', + description: 'HTTP version.', + example: 1.1, + flat_name: 'http.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'HTTP version.', + type: 'keyword', + }, + labels: { + dashed_name: 'labels', + description: + 'Custom key/value 
pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels.', + example: '{"application": "foo-bar", "env": "production"}', + flat_name: 'labels', + level: 'core', + name: 'labels', + normalize: [], + object_type: 'keyword', + short: 'Custom key/value pairs.', + type: 'object', + }, + 'log.file.path': { + dashed_name: 'log-file-path', + description: + "Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.\nIf the event wasn't read from a log file, do not populate this field.", + example: '/var/log/fun-times.log', + flat_name: 'log.file.path', + ignore_above: 1024, + level: 'extended', + name: 'file.path', + normalize: [], + short: 'Full path to the log file this event came from.', + type: 'keyword', + }, + 'log.level': { + dashed_name: 'log-level', + description: + "Original log level of the log event.\nIf the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).\nSome examples are `warn`, `err`, `i`, `informational`.", + example: 'error', + flat_name: 'log.level', + ignore_above: 1024, + level: 'core', + name: 'level', + normalize: [], + short: 'Log level of the log event.', + type: 'keyword', + }, + 'log.logger': { + dashed_name: 'log-logger', + description: + 'The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name.', + example: 'org.elasticsearch.bootstrap.Bootstrap', + flat_name: 'log.logger', + ignore_above: 1024, + level: 'core', + name: 'logger', + normalize: [], + short: 'Name of the logger.', + type: 'keyword', + }, + 'log.origin.file.line': { + dashed_name: 'log-origin-file-line', + description: + 'The line number of the file containing the source code which originated the log event.', + example: 42, + flat_name: 'log.origin.file.line', + level: 'extended', + name: 'origin.file.line', + normalize: [], + short: 'The line number of the file which originated the log event.', + type: 'long', + }, + 'log.origin.file.name': { + dashed_name: 'log-origin-file-name', + description: + 'The name of the file containing the source code which originated the log event.\nNote that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.', + example: 'Bootstrap.java', + flat_name: 'log.origin.file.name', + ignore_above: 1024, + level: 'extended', + name: 'origin.file.name', + normalize: [], + short: 'The code file which originated the log event.', + type: 'keyword', + }, + 'log.origin.function': { + dashed_name: 'log-origin-function', + description: 'The name of the function or method which originated the log event.', + example: 'init', + flat_name: 'log.origin.function', + ignore_above: 1024, + level: 'extended', + name: 'origin.function', + normalize: [], + short: 'The function which originated the log event.', + type: 'keyword', + }, + 'log.syslog': { + dashed_name: 'log-syslog', + description: + 'The Syslog metadata of the event, if the event was transmitted via Syslog. 
Please see RFCs 5424 or 3164.', + flat_name: 'log.syslog', + level: 'extended', + name: 'syslog', + normalize: [], + short: 'Syslog metadata', + type: 'object', + }, + 'log.syslog.appname': { + dashed_name: 'log-syslog-appname', + description: 'The device or application that originated the Syslog message, if available.', + example: 'sshd', + flat_name: 'log.syslog.appname', + ignore_above: 1024, + level: 'extended', + name: 'syslog.appname', + normalize: [], + short: 'The device or application that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.facility.code': { + dashed_name: 'log-syslog-facility-code', + description: + 'The Syslog numeric facility of the log event, if available.\nAccording to RFCs 5424 and 3164, this value should be an integer between 0 and 23.', + example: 23, + flat_name: 'log.syslog.facility.code', + format: 'string', + level: 'extended', + name: 'syslog.facility.code', + normalize: [], + short: 'Syslog numeric facility of the event.', + type: 'long', + }, + 'log.syslog.facility.name': { + dashed_name: 'log-syslog-facility-name', + description: 'The Syslog text-based facility of the log event, if available.', + example: 'local7', + flat_name: 'log.syslog.facility.name', + ignore_above: 1024, + level: 'extended', + name: 'syslog.facility.name', + normalize: [], + short: 'Syslog text-based facility of the event.', + type: 'keyword', + }, + 'log.syslog.hostname': { + dashed_name: 'log-syslog-hostname', + description: + 'The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. 
Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.', + example: 'example-host', + flat_name: 'log.syslog.hostname', + ignore_above: 1024, + level: 'extended', + name: 'syslog.hostname', + normalize: [], + short: 'The host that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.msgid': { + dashed_name: 'log-syslog-msgid', + description: + 'An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages.', + example: 'ID47', + flat_name: 'log.syslog.msgid', + ignore_above: 1024, + level: 'extended', + name: 'syslog.msgid', + normalize: [], + short: 'An identifier for the type of Syslog message.', + type: 'keyword', + }, + 'log.syslog.priority': { + dashed_name: 'log-syslog-priority', + description: + 'Syslog numeric priority of the event, if available.\nAccording to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.', + example: 135, + flat_name: 'log.syslog.priority', + format: 'string', + level: 'extended', + name: 'syslog.priority', + normalize: [], + short: 'Syslog priority of the event.', + type: 'long', + }, + 'log.syslog.procid': { + dashed_name: 'log-syslog-procid', + description: 'The process name or ID that originated the Syslog message, if available.', + example: 12345, + flat_name: 'log.syslog.procid', + ignore_above: 1024, + level: 'extended', + name: 'syslog.procid', + normalize: [], + short: 'The process name or ID that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.severity.code': { + dashed_name: 'log-syslog-severity-code', + description: + "The Syslog numeric severity of the log event, if available.\nIf the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.", + example: 3, + flat_name: 'log.syslog.severity.code', + level: 'extended', + name: 'syslog.severity.code', + normalize: [], + short: 'Syslog numeric severity of the event.', + type: 'long', + }, + 'log.syslog.severity.name': { + dashed_name: 'log-syslog-severity-name', + description: + "The Syslog numeric severity of the log event, if available.\nIf the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.", + example: 'Error', + flat_name: 'log.syslog.severity.name', + ignore_above: 1024, + level: 'extended', + name: 'syslog.severity.name', + normalize: [], + short: 'Syslog text-based severity of the event.', + type: 'keyword', + }, + 'log.syslog.structured_data': { + dashed_name: 'log-syslog-structured-data', + description: + 'Structured data expressed in RFC 5424 messages, if available. These are key-value pairs formed from the structured data portion of the syslog message, as defined in RFC 5424 Section 6.3.', + flat_name: 'log.syslog.structured_data', + level: 'extended', + name: 'syslog.structured_data', + normalize: [], + short: 'Structured data expressed in RFC 5424 messages.', + type: 'flattened', + }, + 'log.syslog.version': { + dashed_name: 'log-syslog-version', + description: + 'The version of the Syslog protocol specification. 
Only applicable for RFC 5424 messages.', + example: 1, + flat_name: 'log.syslog.version', + ignore_above: 1024, + level: 'extended', + name: 'syslog.version', + normalize: [], + short: 'Syslog protocol version.', + type: 'keyword', + }, + message: { + dashed_name: 'message', + description: + 'For log events the message field contains the log message, optimized for viewing in a log viewer.\nFor structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.\nIf multiple messages exist, they can be combined into one message.', + example: 'Hello World', + flat_name: 'message', + level: 'core', + name: 'message', + normalize: [], + short: 'Log message optimized for viewing in a log viewer.', + type: 'match_only_text', + }, + 'network.application': { + dashed_name: 'network-application', + description: + "When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.\nFor example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.\nThe field value must be normalized to lowercase for querying.", + example: 'aim', + flat_name: 'network.application', + ignore_above: 1024, + level: 'extended', + name: 'application', + normalize: [], + short: 'Application level protocol name.', + type: 'keyword', + }, + 'network.bytes': { + dashed_name: 'network-bytes', + description: + 'Total bytes transferred in both directions.\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.', + example: 368, + flat_name: 'network.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Total bytes transferred in both directions.', + type: 'long', + }, + 'network.community_id': { + dashed_name: 'network-community-id', + description: + 'A hash 
of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.\nLearn more at https://github.com/corelight/community-id-spec.', + example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=', + flat_name: 'network.community_id', + ignore_above: 1024, + level: 'extended', + name: 'community_id', + normalize: [], + short: 'A hash of source and destination IPs and ports.', + type: 'keyword', + }, + 'network.direction': { + dashed_name: 'network-direction', + description: + 'Direction of the network traffic.\nWhen mapping events from a host-based monitoring context, populate this field from the host\'s point of view, using the values "ingress" or "egress".\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".\nNote that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers.', + example: 'inbound', + expected_values: [ + 'ingress', + 'egress', + 'inbound', + 'outbound', + 'internal', + 'external', + 'unknown', + ], + flat_name: 'network.direction', + ignore_above: 1024, + level: 'core', + name: 'direction', + normalize: [], + short: 'Direction of the network traffic.', + type: 'keyword', + }, + 'network.forwarded_ip': { + dashed_name: 'network-forwarded-ip', + description: 'Host IP address when the source IP address is the proxy.', + example: '192.1.1.2', + flat_name: 'network.forwarded_ip', + level: 'core', + name: 'forwarded_ip', + normalize: [], + short: 'Host IP address when the source IP address is the proxy.', + type: 'ip', + }, + 'network.iana_number': { + dashed_name: 'network-iana-number', + description: + 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.', + example: 6, + flat_name: 'network.iana_number', + ignore_above: 1024, + level: 'extended', + name: 'iana_number', + normalize: [], + short: 'IANA Protocol Number.', + type: 'keyword', + }, + 'network.inner': { + dashed_name: 'network-inner', + description: + 'Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. 
Zeek, Wireshark.)', + flat_name: 'network.inner', + level: 'extended', + name: 'inner', + normalize: [], + short: 'Inner VLAN tag information', + type: 'object', + }, + 'network.inner.vlan.id': { + dashed_name: 'network-inner-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'network.inner.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'network.inner.vlan.name': { + dashed_name: 'network-inner-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'network.inner.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'network.name': { + dashed_name: 'network-name', + description: 'Name given by operators to sections of their network.', + example: 'Guest Wifi', + flat_name: 'network.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name given by operators to sections of their network.', + type: 'keyword', + }, + 'network.packets': { + dashed_name: 'network-packets', + description: + 'Total packets transferred in both directions.\nIf `source.packets` and `destination.packets` are known, `network.packets` is their sum.', + example: 24, + flat_name: 'network.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Total packets transferred in both directions.', + type: 'long', + }, + 'network.protocol': { + dashed_name: 'network-protocol', + description: + 'In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`.\nThe field value must be normalized to lowercase for querying.', + example: 'http', + flat_name: 'network.protocol', + ignore_above: 1024, + level: 'core', + name: 'protocol', + normalize: [], + short: 'Application protocol name.', + type: 'keyword', + }, + 'network.transport': { + dashed_name: 'network-transport', + description: + 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)\nThe field value must be normalized to lowercase for querying.', + example: 'tcp', + flat_name: 'network.transport', + ignore_above: 1024, + level: 'core', + name: 'transport', + normalize: [], + short: 'Protocol Name corresponding to the field `iana_number`.', + type: 'keyword', + }, + 'network.type': { + dashed_name: 'network-type', + description: + 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc\nThe field value must be normalized to lowercase for querying.', + example: 'ipv4', + flat_name: 'network.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc', + type: 'keyword', + }, + 'network.vlan.id': { + dashed_name: 'network-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'network.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'network.vlan.name': { + dashed_name: 'network-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'network.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'observer.egress': { + dashed_name: 'observer-egress', + description: + 'Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.', + flat_name: 'observer.egress', + level: 'extended', + name: 'egress', + normalize: [], + short: 'Object field for egress information', + type: 'object', + }, + 'observer.egress.interface.alias': { + dashed_name: 'observer-egress-interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. 
inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'observer.egress.interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + original_fieldset: 'interface', + short: 'Interface alias', + type: 'keyword', + }, + 'observer.egress.interface.id': { + dashed_name: 'observer-egress-interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'observer.egress.interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'interface', + short: 'Interface ID', + type: 'keyword', + }, + 'observer.egress.interface.name': { + dashed_name: 'observer-egress-interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'observer.egress.interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'interface', + short: 'Interface name', + type: 'keyword', + }, + 'observer.egress.vlan.id': { + dashed_name: 'observer-egress-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'observer.egress.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'observer.egress.vlan.name': { + dashed_name: 'observer-egress-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'observer.egress.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'observer.egress.zone': { + dashed_name: 'observer-egress-zone', + description: + 'Network zone of outbound traffic as reported by the observer to categorize the destination area of egress 
traffic, e.g. Internal, External, DMZ, HR, Legal, etc.', + example: 'Public_Internet', + flat_name: 'observer.egress.zone', + ignore_above: 1024, + level: 'extended', + name: 'egress.zone', + normalize: [], + short: 'Observer Egress zone', + type: 'keyword', + }, + 'observer.geo.city_name': { + dashed_name: 'observer-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'observer.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'observer.geo.continent_code': { + dashed_name: 'observer-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'observer.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'observer.geo.continent_name': { + dashed_name: 'observer-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'observer.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'observer.geo.country_iso_code': { + dashed_name: 'observer-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'observer.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'observer.geo.country_name': { + dashed_name: 'observer-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'observer.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 
'observer.geo.location': { + dashed_name: 'observer-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'observer.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'observer.geo.name': { + dashed_name: 'observer-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'observer.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'observer.geo.postal_code': { + dashed_name: 'observer-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'observer.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'observer.geo.region_iso_code': { + dashed_name: 'observer-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'observer.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'observer.geo.region_name': { + dashed_name: 'observer-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'observer.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + 
original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'observer.geo.timezone': { + dashed_name: 'observer-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'observer.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'observer.hostname': { + dashed_name: 'observer-hostname', + description: 'Hostname of the observer.', + flat_name: 'observer.hostname', + ignore_above: 1024, + level: 'core', + name: 'hostname', + normalize: [], + short: 'Hostname of the observer.', + type: 'keyword', + }, + 'observer.ingress': { + dashed_name: 'observer-ingress', + description: + 'Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.', + flat_name: 'observer.ingress', + level: 'extended', + name: 'ingress', + normalize: [], + short: 'Object field for ingress information', + type: 'object', + }, + 'observer.ingress.interface.alias': { + dashed_name: 'observer-ingress-interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. 
inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'observer.ingress.interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + original_fieldset: 'interface', + short: 'Interface alias', + type: 'keyword', + }, + 'observer.ingress.interface.id': { + dashed_name: 'observer-ingress-interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'observer.ingress.interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'interface', + short: 'Interface ID', + type: 'keyword', + }, + 'observer.ingress.interface.name': { + dashed_name: 'observer-ingress-interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'observer.ingress.interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'interface', + short: 'Interface name', + type: 'keyword', + }, + 'observer.ingress.vlan.id': { + dashed_name: 'observer-ingress-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'observer.ingress.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'observer.ingress.vlan.name': { + dashed_name: 'observer-ingress-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'observer.ingress.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'observer.ingress.zone': { + dashed_name: 'observer-ingress-zone', + description: + 'Network zone of incoming traffic as reported by the observer to categorize the source area of 
ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.', + example: 'DMZ', + flat_name: 'observer.ingress.zone', + ignore_above: 1024, + level: 'extended', + name: 'ingress.zone', + normalize: [], + short: 'Observer ingress zone', + type: 'keyword', + }, + 'observer.ip': { + dashed_name: 'observer-ip', + description: 'IP addresses of the observer.', + flat_name: 'observer.ip', + level: 'core', + name: 'ip', + normalize: ['array'], + short: 'IP addresses of the observer.', + type: 'ip', + }, + 'observer.mac': { + dashed_name: 'observer-mac', + description: + 'MAC addresses of the observer.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]', + flat_name: 'observer.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: ['array'], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC addresses of the observer.', + type: 'keyword', + }, + 'observer.name': { + dashed_name: 'observer-name', + description: + 'Custom name of the observer.\nThis is a name that can be given to an observer. 
This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty.', + example: '1_proxySG', + flat_name: 'observer.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Custom name of the observer.', + type: 'keyword', + }, + 'observer.os.family': { + dashed_name: 'observer-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'observer.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'observer.os.full': { + dashed_name: 'observer-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'observer.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'observer.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'observer.os.kernel': { + dashed_name: 'observer-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'observer.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'observer.os.name': { + dashed_name: 'observer-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'observer.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'observer.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: 
[], + original_fieldset: 'os', + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'observer.os.platform': { + dashed_name: 'observer-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'observer.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'observer.os.type': { + dashed_name: 'observer-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'observer.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'observer.os.version': { + dashed_name: 'observer-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'observer.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'observer.product': { + dashed_name: 'observer-product', + description: 'The product name of the observer.', + example: 's200', + flat_name: 'observer.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + short: 'The product name of the observer.', + type: 'keyword', + }, + 'observer.serial_number': { + dashed_name: 'observer-serial-number', + description: 'Observer 
serial number.', + flat_name: 'observer.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + short: 'Observer serial number.', + type: 'keyword', + }, + 'observer.type': { + dashed_name: 'observer-type', + description: + 'The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.', + example: 'firewall', + flat_name: 'observer.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'The type of the observer the data is coming from.', + type: 'keyword', + }, + 'observer.vendor': { + dashed_name: 'observer-vendor', + description: 'Vendor name of the observer.', + example: 'Symantec', + flat_name: 'observer.vendor', + ignore_above: 1024, + level: 'core', + name: 'vendor', + normalize: [], + short: 'Vendor name of the observer.', + type: 'keyword', + }, + 'observer.version': { + dashed_name: 'observer-version', + description: 'Observer version.', + flat_name: 'observer.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Observer version.', + type: 'keyword', + }, + 'orchestrator.api_version': { + dashed_name: 'orchestrator-api-version', + description: 'API version being used to carry out the action', + example: 'v1beta1', + flat_name: 'orchestrator.api_version', + ignore_above: 1024, + level: 'extended', + name: 'api_version', + normalize: [], + short: 'API version being used to carry out the action', + type: 'keyword', + }, + 'orchestrator.cluster.id': { + dashed_name: 'orchestrator-cluster-id', + description: 'Unique ID of the cluster.', + flat_name: 'orchestrator.cluster.id', + ignore_above: 1024, + level: 'extended', + name: 'cluster.id', + normalize: [], + short: 'Unique ID of the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.name': { + dashed_name: 'orchestrator-cluster-name', + description: 
'Name of the cluster.', + flat_name: 'orchestrator.cluster.name', + ignore_above: 1024, + level: 'extended', + name: 'cluster.name', + normalize: [], + short: 'Name of the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.url': { + dashed_name: 'orchestrator-cluster-url', + description: 'URL of the API used to manage the cluster.', + flat_name: 'orchestrator.cluster.url', + ignore_above: 1024, + level: 'extended', + name: 'cluster.url', + normalize: [], + short: 'URL of the API used to manage the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.version': { + dashed_name: 'orchestrator-cluster-version', + description: 'The version of the cluster.', + flat_name: 'orchestrator.cluster.version', + ignore_above: 1024, + level: 'extended', + name: 'cluster.version', + normalize: [], + short: 'The version of the cluster.', + type: 'keyword', + }, + 'orchestrator.namespace': { + dashed_name: 'orchestrator-namespace', + description: 'Namespace in which the action is taking place.', + example: 'kube-system', + flat_name: 'orchestrator.namespace', + ignore_above: 1024, + level: 'extended', + name: 'namespace', + normalize: [], + short: 'Namespace in which the action is taking place.', + type: 'keyword', + }, + 'orchestrator.organization': { + dashed_name: 'orchestrator-organization', + description: 'Organization affected by the event (for multi-tenant orchestrator setups).', + example: 'elastic', + flat_name: 'orchestrator.organization', + ignore_above: 1024, + level: 'extended', + name: 'organization', + normalize: [], + short: 'Organization affected by the event (for multi-tenant orchestrator setups).', + type: 'keyword', + }, + 'orchestrator.resource.id': { + dashed_name: 'orchestrator-resource-id', + description: 'Unique ID of the resource being acted upon.', + flat_name: 'orchestrator.resource.id', + ignore_above: 1024, + level: 'extended', + name: 'resource.id', + normalize: [], + short: 'Unique ID of the resource being acted upon.', + type: 
'keyword', + }, + 'orchestrator.resource.ip': { + dashed_name: 'orchestrator-resource-ip', + description: + 'IP address assigned to the resource associated with the event being observed. In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).', + flat_name: 'orchestrator.resource.ip', + level: 'extended', + name: 'resource.ip', + normalize: ['array'], + short: 'IP address assigned to the resource associated with the event being observed.', + type: 'ip', + }, + 'orchestrator.resource.name': { + dashed_name: 'orchestrator-resource-name', + description: 'Name of the resource being acted upon.', + example: 'test-pod-cdcws', + flat_name: 'orchestrator.resource.name', + ignore_above: 1024, + level: 'extended', + name: 'resource.name', + normalize: [], + short: 'Name of the resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.resource.parent.type': { + dashed_name: 'orchestrator-resource-parent-type', + description: + 'Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet).', + example: 'DaemonSet', + flat_name: 'orchestrator.resource.parent.type', + ignore_above: 1024, + level: 'extended', + name: 'resource.parent.type', + normalize: [], + short: 'Type or kind of the parent resource associated with the event being observed.', + type: 'keyword', + }, + 'orchestrator.resource.type': { + dashed_name: 'orchestrator-resource-type', + description: 'Type of resource being acted upon.', + example: 'service', + flat_name: 'orchestrator.resource.type', + ignore_above: 1024, + level: 'extended', + name: 'resource.type', + normalize: [], + short: 'Type of resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.type': { + dashed_name: 'orchestrator-type', + description: 'Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry).', + example: 'kubernetes', + flat_name: 'orchestrator.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).', + type: 'keyword', + }, + 'organization.id': { + dashed_name: 'organization-id', + description: 'Unique identifier for the organization.', + flat_name: 'organization.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Unique identifier for the organization.', + type: 'keyword', + }, + 'organization.name': { + dashed_name: 'organization-name', + description: 'Organization name.', + flat_name: 'organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + short: 'Organization name.', + type: 'keyword', + }, + 'package.architecture': { + dashed_name: 'package-architecture', + description: 'Package architecture.', + example: 'x86_64', + flat_name: 'package.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + short: 'Package architecture.', + type: 'keyword', + }, + 'package.build_version': { + dashed_name: 'package-build-version', + description: + 'Additional information about the build version of the installed package.\nFor example use the commit SHA of a non-released package.', + example: '36f4f7e89dd61b0988b12ee000b98966867710cd', + flat_name: 'package.build_version', + ignore_above: 1024, + level: 'extended', + name: 'build_version', + normalize: [], + short: 'Build version information', + type: 'keyword', + }, + 'package.checksum': { + dashed_name: 'package-checksum', + description: 'Checksum of the installed package for verification.', + example: '68b329da9893e34099c7d8ad5cb9c940', + flat_name: 'package.checksum', + ignore_above: 1024, + level: 'extended', + name: 'checksum', + 
normalize: [], + short: 'Checksum of the installed package for verification.', + type: 'keyword', + }, + 'package.description': { + dashed_name: 'package-description', + description: 'Description of the package.', + example: 'Open source programming language to build simple/reliable/efficient software.', + flat_name: 'package.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Description of the package.', + type: 'keyword', + }, + 'package.install_scope': { + dashed_name: 'package-install-scope', + description: 'Indicating how the package was installed, e.g. user-local, global.', + example: 'global', + flat_name: 'package.install_scope', + ignore_above: 1024, + level: 'extended', + name: 'install_scope', + normalize: [], + short: 'Indicating how the package was installed, e.g. user-local, global.', + type: 'keyword', + }, + 'package.installed': { + dashed_name: 'package-installed', + description: 'Time when package was installed.', + flat_name: 'package.installed', + level: 'extended', + name: 'installed', + normalize: [], + short: 'Time when package was installed.', + type: 'date', + }, + 'package.license': { + dashed_name: 'package-license', + description: + 'License under which the package was released.\nUse a short name, e.g. 
the license identifier from SPDX License List where possible (https://spdx.org/licenses/).', + example: 'Apache License 2.0', + flat_name: 'package.license', + ignore_above: 1024, + level: 'extended', + name: 'license', + normalize: [], + short: 'Package license', + type: 'keyword', + }, + 'package.name': { + dashed_name: 'package-name', + description: 'Package name', + example: 'go', + flat_name: 'package.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Package name', + type: 'keyword', + }, + 'package.path': { + dashed_name: 'package-path', + description: 'Path where the package is installed.', + example: '/usr/local/Cellar/go/1.12.9/', + flat_name: 'package.path', + ignore_above: 1024, + level: 'extended', + name: 'path', + normalize: [], + short: 'Path where the package is installed.', + type: 'keyword', + }, + 'package.reference': { + dashed_name: 'package-reference', + description: 'Home page or reference URL of the software in this package, if available.', + example: 'https://golang.org', + flat_name: 'package.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Package home page or reference URL', + type: 'keyword', + }, + 'package.size': { + dashed_name: 'package-size', + description: 'Package size in bytes.', + example: 62231, + flat_name: 'package.size', + format: 'string', + level: 'extended', + name: 'size', + normalize: [], + short: 'Package size in bytes.', + type: 'long', + }, + 'package.type': { + dashed_name: 'package-type', + description: + 'Type of package.\nThis should contain the package file type, rather than the package manager name. 
Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.', + example: 'rpm', + flat_name: 'package.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Package type', + type: 'keyword', + }, + 'package.version': { + dashed_name: 'package-version', + description: 'Package version', + example: '1.12.9', + flat_name: 'package.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Package version', + type: 'keyword', + }, + 'process.args': { + dashed_name: 'process-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.args_count': { + dashed_name: 'process-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.code_signature.digest_algorithm': { + dashed_name: 'process-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'process.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.exists': { + dashed_name: 'process-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'process.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'process.code_signature.signing_id': { + dashed_name: 'process-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'process.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.status': { + dashed_name: 'process-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'process.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'process.code_signature.subject_name': { + dashed_name: 'process-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'process.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'process.code_signature.team_id': { + dashed_name: 'process-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'process.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.timestamp': { + dashed_name: 'process-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'process.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'process.code_signature.trusted': { + dashed_name: 'process-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'process.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'process.code_signature.valid': { + dashed_name: 'process-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'process.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'process.command_line': { + dashed_name: 'process-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and 
all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.elf.architecture': { + dashed_name: 'process-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'process.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'process.elf.byte_order': { + dashed_name: 'process-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'process.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'process.elf.cpu_type': { + dashed_name: 'process-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'process.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'process.elf.creation_date': { + dashed_name: 'process-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'process.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'process.elf.exports': { + dashed_name: 'process-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'process.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'process.elf.header.abi_version': { + dashed_name: 'process-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'process.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'process.elf.header.class': { + dashed_name: 'process-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'process.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'process.elf.header.data': { + dashed_name: 'process-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'process.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'process.elf.header.entrypoint': { + dashed_name: 'process-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'process.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF 
file.', + type: 'long', + }, + 'process.elf.header.object_version': { + dashed_name: 'process-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'process.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'process.elf.header.os_abi': { + dashed_name: 'process-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'process.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'process.elf.header.type': { + dashed_name: 'process-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'process.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'process.elf.header.version': { + dashed_name: 'process-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'process.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'process.elf.imports': { + dashed_name: 'process-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'process.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'process.elf.sections': { + dashed_name: 'process-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in 
these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'process.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'process.elf.sections.chi2': { + dashed_name: 'process-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'process.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'process.elf.sections.entropy': { + dashed_name: 'process-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'process.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'process.elf.sections.flags': { + dashed_name: 'process-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'process.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'process.elf.sections.name': { + dashed_name: 'process-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'process.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'process.elf.sections.physical_offset': { + dashed_name: 'process-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'process.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: 
[], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'process.elf.sections.physical_size': { + dashed_name: 'process-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'process.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'process.elf.sections.type': { + dashed_name: 'process-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'process.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'process.elf.sections.virtual_address': { + dashed_name: 'process-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'process.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'process.elf.sections.virtual_size': { + dashed_name: 'process-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'process.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'process.elf.segments': { + dashed_name: 'process-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'process.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + 
type: 'nested', + }, + 'process.elf.segments.sections': { + dashed_name: 'process-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'process.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'process.elf.segments.type': { + dashed_name: 'process-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'process.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'process.elf.shared_libraries': { + dashed_name: 'process-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'process.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'process.elf.telfhash': { + dashed_name: 'process-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'process.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'process.end': { + dashed_name: 'process-end', + description: 'The time the process ended.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.end', + level: 'extended', + name: 'end', + normalize: [], + short: 'The time the process ended.', + type: 'date', + }, + 'process.entity_id': { + dashed_name: 'process-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, 
or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.args': { + dashed_name: 'process-entry-leader-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.entry_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.entry_leader.args_count': { + dashed_name: 'process-entry-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.entry_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.entry_leader.attested_groups.name': { + dashed_name: 'process-entry-leader-attested-groups-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.attested_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.attested_user.id': { + dashed_name: 'process-entry-leader-attested-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.attested_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.attested_user.name': { + dashed_name: 'process-entry-leader-attested-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.attested_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.attested_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.command_line': { + dashed_name: 'process-entry-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 
'process.entry_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.entry_leader.entity_id': { + dashed_name: 'process-entry-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.entry_meta.source.ip': { + dashed_name: 'process-entry-leader-entry-meta-source-ip', + description: 'IP address of the source (IPv4 or IPv6).', + flat_name: 'process.entry_leader.entry_meta.source.ip', + level: 'core', + name: 'ip', + normalize: [], + original_fieldset: 'source', + short: 'IP address of the source.', + type: 'ip', + }, + 'process.entry_leader.entry_meta.type': { + dashed_name: 'process-entry-leader-entry-meta-type', + description: + 'The entry type for the entry session leader. 
Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console\nNote: This field is only set on process.session_leader.', + flat_name: 'process.entry_leader.entry_meta.type', + ignore_above: 1024, + level: 'extended', + name: 'entry_meta.type', + normalize: [], + original_fieldset: 'process', + short: 'The entry type for the entry session leader.', + type: 'keyword', + }, + 'process.entry_leader.executable': { + dashed_name: 'process-entry-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.entry_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.entry_leader.group.id': { + dashed_name: 'process-entry-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.group.name': { + dashed_name: 'process-entry-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.interactive': { + dashed_name: 'process-entry-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. 
If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.entry_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.entry_leader.name': { + dashed_name: 'process-entry-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.entry_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.entry_leader.parent.entity_id': { + dashed_name: 'process-entry-leader-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for 
the process.', + type: 'keyword', + }, + 'process.entry_leader.parent.pid': { + dashed_name: 'process-entry-leader-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.parent.session_leader.entity_id': { + dashed_name: 'process-entry-leader-parent-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.parent.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.parent.session_leader.pid': { + dashed_name: 'process-entry-leader-parent-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.parent.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.parent.session_leader.start': { + dashed_name: 'process-entry-leader-parent-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.parent.session_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process 
started.', + type: 'date', + }, + 'process.entry_leader.parent.start': { + dashed_name: 'process-entry-leader-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.entry_leader.pid': { + dashed_name: 'process-entry-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.real_group.id': { + dashed_name: 'process-entry-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.real_group.name': { + dashed_name: 'process-entry-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.real_user.id': { + dashed_name: 'process-entry-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.real_user.name': { + dashed_name: 
'process-entry-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.same_as_process': { + dashed_name: 'process-entry-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. 
e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.entry_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.entry_leader.saved_group.id': { + dashed_name: 'process-entry-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.saved_group.name': { + dashed_name: 'process-entry-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.saved_user.id': { + dashed_name: 'process-entry-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.saved_user.name': { + 
dashed_name: 'process-entry-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.start': { + dashed_name: 'process-entry-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.entry_leader.supplemental_groups.id': { + dashed_name: 'process-entry-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.supplemental_groups.name': { + dashed_name: 'process-entry-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.tty': { + dashed_name: 'process-entry-leader-tty', + description: + 'Information about the controlling TTY device. 
If set, the process belongs to an interactive session.', + flat_name: 'process.entry_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.entry_leader.tty.char_device.major': { + dashed_name: 'process-entry-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.entry_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.entry_leader.tty.char_device.minor': { + dashed_name: 'process-entry-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.entry_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.entry_leader.user.id': { + dashed_name: 'process-entry-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.user.name': { + dashed_name: 'process-entry-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.working_directory': { + dashed_name: 'process-entry-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.entry_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.env_vars': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-env-vars', + description: + 
'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.\nMay be filtered to protect sensitive information.', + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]', + flat_name: 'process.env_vars', + ignore_above: 1024, + level: 'extended', + name: 'env_vars', + normalize: ['array'], + short: 'Array of environment variable bindings.', + type: 'keyword', + }, + 'process.executable': { + dashed_name: 'process-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.exit_code': { + dashed_name: 'process-exit-code', + description: + 'The exit code of the process, if this is a termination event.\nThe field should be absent if there is no exit code for the event (e.g. 
process start).', + example: 137, + flat_name: 'process.exit_code', + level: 'extended', + name: 'exit_code', + normalize: [], + short: 'The exit code of the process.', + type: 'long', + }, + 'process.group_leader.args': { + dashed_name: 'process-group-leader-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.group_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.group_leader.args_count': { + dashed_name: 'process-group-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.group_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.group_leader.command_line': { + dashed_name: 'process-group-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.group_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.group_leader.entity_id': { + dashed_name: 
'process-group-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.group_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.group_leader.executable': { + dashed_name: 'process-group-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.group_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.group_leader.group.id': { + dashed_name: 'process-group-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.group.name': { + dashed_name: 'process-group-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + 
type: 'keyword', + }, + 'process.group_leader.interactive': { + dashed_name: 'process-group-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.group_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.group_leader.name': { + dashed_name: 'process-group-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.group_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.group_leader.pid': { + dashed_name: 'process-group-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.group_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.group_leader.real_group.id': { + dashed_name: 'process-group-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 
'process.group_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.real_group.name': { + dashed_name: 'process-group-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.group_leader.real_user.id': { + dashed_name: 'process-group-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.real_user.name': { + dashed_name: 'process-group-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.same_as_process': { + dashed_name: 'process-group-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. 
Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.group_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.group_leader.saved_group.id': { + dashed_name: 'process-group-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.saved_group.name': { + dashed_name: 'process-group-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.group_leader.saved_user.id': { + dashed_name: 'process-group-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.saved_user.name': { + dashed_name: 'process-group-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.start': { + dashed_name: 'process-group-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.group_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.group_leader.supplemental_groups.id': { + dashed_name: 'process-group-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.supplemental_groups.name': { + dashed_name: 'process-group-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 
'process.group_leader.tty': { + dashed_name: 'process-group-leader-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.group_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.group_leader.tty.char_device.major': { + dashed_name: 'process-group-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.group_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.group_leader.tty.char_device.minor': { + dashed_name: 'process-group-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.group_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.group_leader.user.id': { + dashed_name: 'process-group-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.user.name': { + dashed_name: 'process-group-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.working_directory': { + dashed_name: 'process-group-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.group_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.hash.md5': { + dashed_name: 'process-hash-md5', + description: 'MD5 hash.', + flat_name: 'process.hash.md5', + 
ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'process.hash.sha1': { + dashed_name: 'process-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'process.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'process.hash.sha256': { + dashed_name: 'process-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'process.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'process.hash.sha384': { + dashed_name: 'process-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'process.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'process.hash.sha512': { + dashed_name: 'process-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'process.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'process.hash.ssdeep': { + dashed_name: 'process-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'process.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'process.hash.tlsh': { + dashed_name: 'process-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'process.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'process.interactive': { + dashed_name: 'process-interactive', + description: + 'Whether the process is connected to an interactive 
shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.io': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io', + description: + 'A chunk of input or output (IO) from a single process.\nThis field only appears on the top level process object, which is the process that wrote the output or read the input.', + flat_name: 'process.io', + level: 'extended', + name: 'io', + normalize: [], + short: 'A chunk of input or output (IO) from a single process.', + type: 'object', + }, + 'process.io.bytes_skipped': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped', + description: 'An array of byte offsets and lengths denoting where IO data has been skipped.', + flat_name: 'process.io.bytes_skipped', + level: 'extended', + name: 'io.bytes_skipped', + normalize: ['array'], + short: 'An array of byte offsets and lengths denoting where IO data has been skipped.', + type: 'object', + }, + 'process.io.bytes_skipped.length': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped-length', + description: 'The length of bytes skipped.', + flat_name: 'process.io.bytes_skipped.length', + level: 'extended', + name: 'io.bytes_skipped.length', + normalize: [], + short: 
'The length of bytes skipped.', + type: 'long', + }, + 'process.io.bytes_skipped.offset': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped-offset', + description: + "The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.", + flat_name: 'process.io.bytes_skipped.offset', + level: 'extended', + name: 'io.bytes_skipped.offset', + normalize: [], + short: + "The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.", + type: 'long', + }, + 'process.io.max_bytes_per_process_exceeded': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-max-bytes-per-process-exceeded', + description: + 'If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.', + flat_name: 'process.io.max_bytes_per_process_exceeded', + level: 'extended', + name: 'io.max_bytes_per_process_exceeded', + normalize: [], + short: + 'If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.', + type: 'boolean', + }, + 'process.io.text': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-text', + description: + 'A chunk of output or input sanitized to UTF-8.\nBest efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. 
TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.', + flat_name: 'process.io.text', + level: 'extended', + name: 'io.text', + normalize: [], + short: 'A chunk of output or input sanitized to UTF-8.', + type: 'wildcard', + }, + 'process.io.total_bytes_captured': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-total-bytes-captured', + description: 'The total number of bytes captured in this event.', + flat_name: 'process.io.total_bytes_captured', + level: 'extended', + name: 'io.total_bytes_captured', + normalize: [], + short: 'The total number of bytes captured in this event.', + type: 'long', + }, + 'process.io.total_bytes_skipped': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-total-bytes-skipped', + description: + 'The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero', + flat_name: 'process.io.total_bytes_skipped', + level: 'extended', + name: 'io.total_bytes_skipped', + normalize: [], + short: + 'The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.', + type: 'long', + }, + 'process.io.type': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-type', + description: + "The type of object on which the IO action (read or write) was taken.\nCurrently only 'tty' is supported. 
Other types may be added in the future for 'file' and 'socket' support.", + flat_name: 'process.io.type', + ignore_above: 1024, + level: 'extended', + name: 'io.type', + normalize: [], + short: 'The type of object on which the IO action (read or write) was taken.', + type: 'keyword', + }, + 'process.name': { + dashed_name: 'process-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [{ flat_name: 'process.name.text', name: 'text', type: 'match_only_text' }], + name: 'name', + normalize: [], + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.args': { + dashed_name: 'process-parent-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.parent.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.parent.args_count': { + dashed_name: 'process-parent-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.parent.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.parent.code_signature.digest_algorithm': { + dashed_name: 'process-parent-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'process.parent.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.exists': { + dashed_name: 'process-parent-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'process.parent.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'process.parent.code_signature.signing_id': { + dashed_name: 'process-parent-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'process.parent.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.status': { + dashed_name: 'process-parent-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'process.parent.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'process.parent.code_signature.subject_name': { + dashed_name: 'process-parent-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'process.parent.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'process.parent.code_signature.team_id': { + dashed_name: 'process-parent-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'process.parent.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.timestamp': { + dashed_name: 'process-parent-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'process.parent.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'process.parent.code_signature.trusted': { + dashed_name: 'process-parent-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'process.parent.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'process.parent.code_signature.valid': { + dashed_name: 'process-parent-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'process.parent.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'process.parent.command_line': { + dashed_name: 'process-parent-command-line', + description: + 'Full command 
line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.parent.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.parent.elf.architecture': { + dashed_name: 'process-parent-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'process.parent.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.byte_order': { + dashed_name: 'process-parent-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'process.parent.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'process.parent.elf.cpu_type': { + dashed_name: 'process-parent-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'process.parent.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.creation_date': { + dashed_name: 'process-parent-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'process.parent.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'process.parent.elf.exports': { + dashed_name: 'process-parent-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'process.parent.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'process.parent.elf.header.abi_version': { + dashed_name: 'process-parent-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'process.parent.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'process.parent.elf.header.class': { + dashed_name: 'process-parent-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'process.parent.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.header.data': { + dashed_name: 'process-parent-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'process.parent.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'process.parent.elf.header.entrypoint': { + dashed_name: 'process-parent-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'process.parent.elf.header.entrypoint', + format: 'string', + level: 'extended', 
+ name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'process.parent.elf.header.object_version': { + dashed_name: 'process-parent-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'process.parent.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'process.parent.elf.header.os_abi': { + dashed_name: 'process-parent-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'process.parent.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'process.parent.elf.header.type': { + dashed_name: 'process-parent-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'process.parent.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.header.version': { + dashed_name: 'process-parent-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'process.parent.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'process.parent.elf.imports': { + dashed_name: 'process-parent-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'process.parent.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and 
types.', + type: 'flattened', + }, + 'process.parent.elf.sections': { + dashed_name: 'process-parent-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'process.parent.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'process.parent.elf.sections.chi2': { + dashed_name: 'process-parent-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'process.parent.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'process.parent.elf.sections.entropy': { + dashed_name: 'process-parent-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'process.parent.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'process.parent.elf.sections.flags': { + dashed_name: 'process-parent-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'process.parent.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'process.parent.elf.sections.name': { + dashed_name: 'process-parent-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'process.parent.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF 
Section List name.', + type: 'keyword', + }, + 'process.parent.elf.sections.physical_offset': { + dashed_name: 'process-parent-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'process.parent.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'process.parent.elf.sections.physical_size': { + dashed_name: 'process-parent-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'process.parent.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'process.parent.elf.sections.type': { + dashed_name: 'process-parent-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'process.parent.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'process.parent.elf.sections.virtual_address': { + dashed_name: 'process-parent-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'process.parent.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'process.parent.elf.sections.virtual_size': { + dashed_name: 'process-parent-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'process.parent.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 
'long', + }, + 'process.parent.elf.segments': { + dashed_name: 'process-parent-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'process.parent.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'process.parent.elf.segments.sections': { + dashed_name: 'process-parent-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'process.parent.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'process.parent.elf.segments.type': { + dashed_name: 'process-parent-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'process.parent.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'process.parent.elf.shared_libraries': { + dashed_name: 'process-parent-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'process.parent.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'process.parent.elf.telfhash': { + dashed_name: 'process-parent-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'process.parent.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 
'process.parent.end': { + dashed_name: 'process-parent-end', + description: 'The time the process ended.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.end', + level: 'extended', + name: 'end', + normalize: [], + original_fieldset: 'process', + short: 'The time the process ended.', + type: 'date', + }, + 'process.parent.entity_id': { + dashed_name: 'process-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.parent.executable': { + dashed_name: 'process-parent-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.parent.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.parent.exit_code': { + dashed_name: 'process-parent-exit-code', + description: + 'The exit code of the process, if this is a termination event.\nThe field should be absent if there is no exit code for the event (e.g. 
process start).', + example: 137, + flat_name: 'process.parent.exit_code', + level: 'extended', + name: 'exit_code', + normalize: [], + original_fieldset: 'process', + short: 'The exit code of the process.', + type: 'long', + }, + 'process.parent.group.id': { + dashed_name: 'process-parent-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.group.name': { + dashed_name: 'process-parent-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.group_leader.entity_id': { + dashed_name: 'process-parent-group-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.parent.group_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.parent.group_leader.pid': { + dashed_name: 'process-parent-group-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.parent.group_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], 
+ original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.parent.group_leader.start': { + dashed_name: 'process-parent-group-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.group_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.parent.hash.md5': { + dashed_name: 'process-parent-hash-md5', + description: 'MD5 hash.', + flat_name: 'process.parent.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha1': { + dashed_name: 'process-parent-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'process.parent.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha256': { + dashed_name: 'process-parent-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'process.parent.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha384': { + dashed_name: 'process-parent-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'process.parent.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha512': { + dashed_name: 'process-parent-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'process.parent.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 
'process.parent.hash.ssdeep': { + dashed_name: 'process-parent-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'process.parent.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'process.parent.hash.tlsh': { + dashed_name: 'process-parent-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'process.parent.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'process.parent.interactive': { + dashed_name: 'process-parent-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.parent.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.parent.name': { + dashed_name: 'process-parent-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.parent.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.pe.architecture': { + dashed_name: 'process-parent-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'process.parent.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'process.parent.pe.company': { + dashed_name: 'process-parent-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'process.parent.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.description': { + dashed_name: 'process-parent-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'process.parent.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', 
+ short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.file_version': { + dashed_name: 'process-parent-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'process.parent.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.pe.imphash': { + dashed_name: 'process-parent-pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'process.parent.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'process.parent.pe.original_file_name': { + dashed_name: 'process-parent-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'process.parent.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.pehash': { + dashed_name: 'process-parent-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'process.parent.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'process.parent.pe.product': { + dashed_name: 'process-parent-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'process.parent.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pgid': { + dashed_name: 'process-parent-pgid', + description: + 'Deprecated for removal in next major version release. 
This field is superseded by `process.group_leader.pid`.\nIdentifier of the group of processes the process belongs to.', + flat_name: 'process.parent.pgid', + format: 'string', + level: 'extended', + name: 'pgid', + normalize: [], + original_fieldset: 'process', + short: 'Deprecated identifier of the group of processes the process belongs to.', + type: 'long', + }, + 'process.parent.pid': { + dashed_name: 'process-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.parent.real_group.id': { + dashed_name: 'process-parent-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.real_group.name': { + dashed_name: 'process-parent-real-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.real_user.id': { + dashed_name: 'process-parent-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.real_user.name': { + dashed_name: 'process-parent-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.real_user.name', + 
ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.saved_group.id': { + dashed_name: 'process-parent-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.saved_group.name': { + dashed_name: 'process-parent-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.saved_user.id': { + dashed_name: 'process-parent-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.saved_user.name': { + dashed_name: 'process-parent-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.start': { + dashed_name: 
'process-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.parent.supplemental_groups.id': { + dashed_name: 'process-parent-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.supplemental_groups.name': { + dashed_name: 'process-parent-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.parent.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.thread.id': { + dashed_name: 'process-parent-thread-id', + description: 'Thread ID.', + example: 4242, + flat_name: 'process.parent.thread.id', + format: 'string', + level: 'extended', + name: 'thread.id', + normalize: [], + original_fieldset: 'process', + short: 'Thread ID.', + type: 'long', + }, + 'process.parent.thread.name': { + dashed_name: 'process-parent-thread-name', + description: 'Thread name.', + example: 'thread-0', + flat_name: 'process.parent.thread.name', + ignore_above: 1024, + level: 'extended', + name: 'thread.name', + normalize: [], + original_fieldset: 'process', + short: 'Thread name.', + type: 'keyword', + }, + 'process.parent.title': { + dashed_name: 'process-parent-title', + description: + 'Process title.\nThe proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.', + flat_name: 'process.parent.title', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.title.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'title', + normalize: [], + original_fieldset: 'process', + short: 'Process title.', + type: 'keyword', + }, + 'process.parent.tty': { + dashed_name: 'process-parent-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.parent.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.parent.tty.char_device.major': { + dashed_name: 'process-parent-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.parent.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.parent.tty.char_device.minor': { + dashed_name: 'process-parent-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.parent.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.parent.uptime': { + dashed_name: 'process-parent-uptime', + description: 'Seconds the process has been up.', + example: 1325, + flat_name: 'process.parent.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + original_fieldset: 'process', + short: 'Seconds the process has been up.', + type: 'long', + }, + 'process.parent.user.id': { + dashed_name: 'process-parent-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.user.name': { + dashed_name: 'process-parent-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.working_directory': { + dashed_name: 'process-parent-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.parent.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', 
+ normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.pe.architecture': { + dashed_name: 'process-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'process.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'process.pe.company': { + dashed_name: 'process-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'process.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.description': { + dashed_name: 'process-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'process.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.file_version': { + dashed_name: 'process-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'process.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'process.pe.imphash': { + dashed_name: 'process-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'process.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'process.pe.original_file_name': { + dashed_name: 'process-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'process.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.pehash': { + dashed_name: 'process-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'process.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'process.pe.product': { + dashed_name: 'process-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'process.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pgid': { + dashed_name: 'process-pgid', + description: + 'Deprecated for removal in next major version release. 
This field is superseded by `process.group_leader.pid`.\nIdentifier of the group of processes the process belongs to.', + flat_name: 'process.pgid', + format: 'string', + level: 'extended', + name: 'pgid', + normalize: [], + short: 'Deprecated identifier of the group of processes the process belongs to.', + type: 'long', + }, + 'process.pid': { + dashed_name: 'process-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + short: 'Process id.', + type: 'long', + }, + 'process.previous.args': { + dashed_name: 'process-previous-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.previous.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.previous.args_count': { + dashed_name: 'process-previous-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.previous.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.previous.executable': { + dashed_name: 'process-previous-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.previous.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.previous.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.real_group.id': { + dashed_name: 'process-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.real_group.name': { + dashed_name: 'process-real-group-name', + description: 'Name of the group.', + flat_name: 'process.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.real_user.id': { + dashed_name: 'process-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.real_user.name': { + dashed_name: 'process-real-user-name', + description: 'Short name or login of the user.', + 
example: 'a.einstein', + flat_name: 'process.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.saved_group.id': { + dashed_name: 'process-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.saved_group.name': { + dashed_name: 'process-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.saved_user.id': { + dashed_name: 'process-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.saved_user.name': { + dashed_name: 'process-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.args': { + dashed_name: 'process-session-leader-args', + 
description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.session_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.session_leader.args_count': { + dashed_name: 'process-session-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.session_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.session_leader.command_line': { + dashed_name: 'process-session-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.session_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.session_leader.entity_id': { + dashed_name: 'process-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of 
some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.executable': { + dashed_name: 'process-session-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.session_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.session_leader.group.id': { + dashed_name: 'process-session-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.group.name': { + dashed_name: 'process-session-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.interactive': { + dashed_name: 'process-session-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from 
the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.session_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.session_leader.name': { + dashed_name: 'process-session-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.session_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.session_leader.parent.entity_id': { + dashed_name: 'process-session-leader-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + 
original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.parent.pid': { + dashed_name: 'process-session-leader-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.parent.session_leader.entity_id': { + dashed_name: 'process-session-leader-parent-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.parent.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.parent.session_leader.pid': { + dashed_name: 'process-session-leader-parent-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.parent.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.parent.session_leader.start': { + dashed_name: 'process-session-leader-parent-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.parent.session_leader.start', + level: 'extended', + name: 
'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.parent.start': { + dashed_name: 'process-session-leader-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.pid': { + dashed_name: 'process-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.real_group.id': { + dashed_name: 'process-session-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.real_group.name': { + dashed_name: 'process-session-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.real_user.id': { + dashed_name: 'process-session-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the 
user.', + type: 'keyword', + }, + 'process.session_leader.real_user.name': { + dashed_name: 'process-session-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.same_as_process': { + dashed_name: 'process-session-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. 
e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.session_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.session_leader.saved_group.id': { + dashed_name: 'process-session-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.saved_group.name': { + dashed_name: 'process-session-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.saved_user.id': { + dashed_name: 'process-session-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 
'process.session_leader.saved_user.name': { + dashed_name: 'process-session-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.start': { + dashed_name: 'process-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.supplemental_groups.id': { + dashed_name: 'process-session-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.supplemental_groups.name': { + dashed_name: 'process-session-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.tty': { + dashed_name: 'process-session-leader-tty', + description: + 'Information about the controlling TTY device. 
If set, the process belongs to an interactive session.', + flat_name: 'process.session_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.session_leader.tty.char_device.major': { + dashed_name: 'process-session-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.session_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.session_leader.tty.char_device.minor': { + dashed_name: 'process-session-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.session_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.session_leader.user.id': { + dashed_name: 'process-session-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.session_leader.user.name': { + dashed_name: 'process-session-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.working_directory': { + dashed_name: 'process-session-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.session_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.start': { + dashed_name: 'process-start', + description: 'The time the process started.', + 
example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.start', + level: 'extended', + name: 'start', + normalize: [], + short: 'The time the process started.', + type: 'date', + }, + 'process.supplemental_groups.id': { + dashed_name: 'process-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.supplemental_groups.name': { + dashed_name: 'process-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.thread.id': { + dashed_name: 'process-thread-id', + description: 'Thread ID.', + example: 4242, + flat_name: 'process.thread.id', + format: 'string', + level: 'extended', + name: 'thread.id', + normalize: [], + short: 'Thread ID.', + type: 'long', + }, + 'process.thread.name': { + dashed_name: 'process-thread-name', + description: 'Thread name.', + example: 'thread-0', + flat_name: 'process.thread.name', + ignore_above: 1024, + level: 'extended', + name: 'thread.name', + normalize: [], + short: 'Thread name.', + type: 'keyword', + }, + 'process.title': { + dashed_name: 'process-title', + description: + 'Process title.\nThe proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.', + flat_name: 'process.title', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.title.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'title', + normalize: [], + short: 'Process title.', + type: 'keyword', + }, + 'process.tty': { + dashed_name: 'process-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.tty', + level: 'extended', + name: 'tty', + normalize: [], + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.tty.char_device.major': { + dashed_name: 'process-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.tty.char_device.minor': { + dashed_name: 'process-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.tty.columns': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-tty-columns', + description: + "The number of character columns per line. e.g terminal width\nTerminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'", + example: 80, + flat_name: 'process.tty.columns', + level: 'extended', + name: 'tty.columns', + normalize: [], + short: 'The number of character columns per line. e.g terminal width', + type: 'long', + }, + 'process.tty.rows': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-tty-rows', + description: + "The number of character rows in the terminal. e.g terminal height\nTerminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'", + example: 24, + flat_name: 'process.tty.rows', + level: 'extended', + name: 'tty.rows', + normalize: [], + short: 'The number of character rows in the terminal. 
e.g terminal height', + type: 'long', + }, + 'process.uptime': { + dashed_name: 'process-uptime', + description: 'Seconds the process has been up.', + example: 1325, + flat_name: 'process.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + short: 'Seconds the process has been up.', + type: 'long', + }, + 'process.user.id': { + dashed_name: 'process-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.user.name': { + dashed_name: 'process-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.working_directory': { + dashed_name: 'process-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + short: 'The working directory of the process.', + type: 'keyword', + }, + 'registry.data.bytes': { + dashed_name: 'registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'registry.data.strings': { + dashed_name: 'registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'registry.data.type': { + dashed_name: 'registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'registry.hive': { + dashed_name: 'registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'registry.hive', + ignore_above: 1024, + level: 'core', + name: 'hive', + normalize: [], + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'registry.key': { + dashed_name: 'registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'registry.key', + ignore_above: 1024, + level: 'core', + 
name: 'key', + normalize: [], + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'registry.path': { + dashed_name: 'registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'registry.path', + ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'registry.value': { + dashed_name: 'registry-value', + description: 'Name of the value written.', + example: 'Debugger', + flat_name: 'registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + short: 'Name of the value written.', + type: 'keyword', + }, + 'related.hash': { + dashed_name: 'related-hash', + description: + "All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).", + flat_name: 'related.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: ['array'], + short: 'All the hashes seen on your event.', + type: 'keyword', + }, + 'related.hosts': { + dashed_name: 'related-hosts', + description: + 'All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases.', + flat_name: 'related.hosts', + ignore_above: 1024, + level: 'extended', + name: 'hosts', + normalize: ['array'], + short: 'All the host identifiers seen on your event.', + type: 'keyword', + }, + 'related.ip': { + dashed_name: 'related-ip', + description: 'All of the IPs seen on your event.', + flat_name: 'related.ip', + level: 'extended', + name: 'ip', + normalize: ['array'], + short: 'All of the IPs seen on your event.', + type: 'ip', + }, + 'related.user': { + dashed_name: 'related-user', + description: 'All the user names or other user identifiers seen on the event.', + flat_name: 'related.user', + ignore_above: 1024, + level: 'extended', + name: 'user', + normalize: ['array'], + short: 'All the user names or other user identifiers seen on the event.', + type: 'keyword', + }, + 'rule.author': { + dashed_name: 'rule-author', + description: + 'Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.', + example: '["Star-Lord"]', + flat_name: 'rule.author', + ignore_above: 1024, + level: 'extended', + name: 'author', + normalize: ['array'], + short: 'Rule author', + type: 'keyword', + }, + 'rule.category': { + dashed_name: 'rule-category', + description: + 'A categorization value keyword used by the entity using the rule for detection of this event.', + example: 'Attempted Information Leak', + flat_name: 'rule.category', + ignore_above: 1024, + level: 'extended', + name: 'category', + normalize: [], + short: 'Rule category', + type: 'keyword', + }, + 'rule.description': { + dashed_name: 'rule-description', + description: 'The description of the rule generating the event.', + example: 'Block requests to public DNS over HTTPS / TLS protocols', + flat_name: 'rule.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Rule description', + type: 'keyword', + }, + 'rule.id': { + 
dashed_name: 'rule-id', + description: + 'A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.', + example: 101, + flat_name: 'rule.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Rule ID', + type: 'keyword', + }, + 'rule.license': { + dashed_name: 'rule-license', + description: + 'Name of the license under which the rule used to generate this event is made available.', + example: 'Apache 2.0', + flat_name: 'rule.license', + ignore_above: 1024, + level: 'extended', + name: 'license', + normalize: [], + short: 'Rule license', + type: 'keyword', + }, + 'rule.name': { + dashed_name: 'rule-name', + description: 'The name of the rule or signature generating the event.', + example: 'BLOCK_DNS_over_TLS', + flat_name: 'rule.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Rule name', + type: 'keyword', + }, + 'rule.reference': { + dashed_name: 'rule-reference', + description: + "Reference URL to additional information about the rule used to generate this event.\nThe URL can point to the vendor's documentation about the rule. 
If that's not available, it can also be a link to a more general page describing this type of alert.", + example: 'https://en.wikipedia.org/wiki/DNS_over_TLS', + flat_name: 'rule.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Rule reference URL', + type: 'keyword', + }, + 'rule.ruleset': { + dashed_name: 'rule-ruleset', + description: + 'Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.', + example: 'Standard_Protocol_Filters', + flat_name: 'rule.ruleset', + ignore_above: 1024, + level: 'extended', + name: 'ruleset', + normalize: [], + short: 'Rule ruleset', + type: 'keyword', + }, + 'rule.uuid': { + dashed_name: 'rule-uuid', + description: + 'A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.', + example: 1100110011, + flat_name: 'rule.uuid', + ignore_above: 1024, + level: 'extended', + name: 'uuid', + normalize: [], + short: 'Rule UUID', + type: 'keyword', + }, + 'rule.version': { + dashed_name: 'rule-version', + description: 'The version / revision of the rule being used for analysis.', + example: 1.1, + flat_name: 'rule.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Rule version', + type: 'keyword', + }, + 'server.address': { + dashed_name: 'server-address', + description: + 'Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'server.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Server network address.', + type: 'keyword', + }, + 'server.as.number': { + dashed_name: 'server-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'server.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'server.as.organization.name': { + dashed_name: 'server-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'server.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'server.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'server.bytes': { + dashed_name: 'server-bytes', + description: 'Bytes sent from the server to the client.', + example: 184, + flat_name: 'server.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the server to the client.', + type: 'long', + }, + 'server.domain': { + dashed_name: 'server-domain', + description: + 'The domain name of the server system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'server.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the server.', + type: 'keyword', + }, + 'server.geo.city_name': { + dashed_name: 'server-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'server.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'server.geo.continent_code': { + dashed_name: 'server-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'server.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'server.geo.continent_name': { + dashed_name: 'server-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'server.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'server.geo.country_iso_code': { + dashed_name: 'server-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'server.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'server.geo.country_name': { + dashed_name: 'server-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'server.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'server.geo.location': { 
+ dashed_name: 'server-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'server.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'server.geo.name': { + dashed_name: 'server-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'server.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'server.geo.postal_code': { + dashed_name: 'server-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'server.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'server.geo.region_iso_code': { + dashed_name: 'server-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'server.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'server.geo.region_name': { + dashed_name: 'server-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'server.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'server.geo.timezone': { + dashed_name: 'server-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'server.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'server.ip': { + dashed_name: 'server-ip', + description: 'IP address of the server (IPv4 or IPv6).', + flat_name: 'server.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the server.', + type: 'ip', + }, + 'server.mac': { + dashed_name: 'server-mac', + description: + 'MAC address of the server.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'server.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the server.', + type: 'keyword', + }, + 'server.nat.ip': { + dashed_name: 'server-nat-ip', + description: + 'Translated ip of destination based NAT sessions (e.g. internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'server.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Server NAT ip', + type: 'ip', + }, + 'server.nat.port': { + dashed_name: 'server-nat-port', + description: + 'Translated port of destination based NAT sessions (e.g. 
internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'server.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Server NAT port', + type: 'long', + }, + 'server.packets': { + dashed_name: 'server-packets', + description: 'Packets sent from the server to the client.', + example: 12, + flat_name: 'server.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the server to the client.', + type: 'long', + }, + 'server.port': { + dashed_name: 'server-port', + description: 'Port of the server.', + flat_name: 'server.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the server.', + type: 'long', + }, + 'server.registered_domain': { + dashed_name: 'server-registered-domain', + description: + 'The highest registered server domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'server.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered server domain, stripped of the subdomain.', + type: 'keyword', + }, + 'server.subdomain': { + dashed_name: 'server-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'server.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'server.top_level_domain': { + dashed_name: 'server-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'server.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'server.user.domain': { + dashed_name: 'server-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'server.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'server.user.email': { + dashed_name: 'server-user-email', + description: 'User email address.', + flat_name: 'server.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'server.user.full_name': { + dashed_name: 'server-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'server.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'server.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'server.user.group.domain': { + dashed_name: 'server-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'server.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'server.user.group.id': { + dashed_name: 'server-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'server.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'server.user.group.name': { + dashed_name: 'server-user-group-name', + description: 'Name of the group.', + flat_name: 'server.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'server.user.hash': { + dashed_name: 'server-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'server.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'server.user.id': { + dashed_name: 'server-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'server.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'server.user.name': { + dashed_name: 'server-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'server.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'server.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'server.user.roles': { + dashed_name: 'server-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'server.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'service.address': { + dashed_name: 'service-address', + description: + 'Address where data about this service was collected from.\nThis should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Address of this service.', + type: 'keyword', + }, + 'service.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. 
Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.ephemeral_id': { + dashed_name: 'service-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.id': { + dashed_name: 'service-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.name': { + dashed_name: 'service-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. 
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the service.', + type: 'keyword', + }, + 'service.node.name': { + dashed_name: 'service-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.node.role': { + dashed_name: 'service-node-role', + description: + 'Deprecated for removal in next major version release. 
This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.node.roles': { + dashed_name: 'service-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.origin.address': { + dashed_name: 'service-origin-address', + description: + 'Address where data about this service was collected from.\nThis should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.origin.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + original_fieldset: 'service', + short: 'Address of this service.', + type: 'keyword', + }, + 'service.origin.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-origin-environment', 
+ description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.origin.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + original_fieldset: 'service', + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.origin.ephemeral_id': { + dashed_name: 'service-origin-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.origin.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + original_fieldset: 'service', + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.origin.id': { + dashed_name: 'service-origin-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.origin.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'service', + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.origin.name': { + dashed_name: 'service-origin-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.origin.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service.', + type: 'keyword', + }, + 'service.origin.node.name': { + dashed_name: 'service-origin-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.origin.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.origin.node.role': { + dashed_name: 'service-origin-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.origin.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + original_fieldset: 'service', + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.origin.node.roles': { + dashed_name: 'service-origin-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.origin.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + original_fieldset: 'service', + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.origin.state': { + 
dashed_name: 'service-origin-state', + description: 'Current state of the service.', + flat_name: 'service.origin.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + original_fieldset: 'service', + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.origin.type': { + dashed_name: 'service-origin-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.origin.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + original_fieldset: 'service', + short: 'The type of the service.', + type: 'keyword', + }, + 'service.origin.version': { + dashed_name: 'service-origin-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + example: '3.2.4', + flat_name: 'service.origin.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + original_fieldset: 'service', + short: 'Version of the service.', + type: 'keyword', + }, + 'service.state': { + dashed_name: 'service-state', + description: 'Current state of the service.', + flat_name: 'service.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.target.address': { + dashed_name: 'service-target-address', + description: + 'Address where data about this service was collected from.\nThis should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.target.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + original_fieldset: 'service', + short: 
'Address of this service.', + type: 'keyword', + }, + 'service.target.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-target-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.target.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + original_fieldset: 'service', + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.target.ephemeral_id': { + dashed_name: 'service-target-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.target.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + original_fieldset: 'service', + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.target.id': { + dashed_name: 'service-target-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.target.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'service', + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.target.name': { + dashed_name: 'service-target-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.target.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service.', + type: 'keyword', + }, + 'service.target.node.name': { + dashed_name: 'service-target-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.target.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.target.node.role': { + dashed_name: 'service-target-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.target.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + original_fieldset: 'service', + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.target.node.roles': { + dashed_name: 'service-target-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.target.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + original_fieldset: 'service', + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.target.state': { + 
dashed_name: 'service-target-state', + description: 'Current state of the service.', + flat_name: 'service.target.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + original_fieldset: 'service', + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.target.type': { + dashed_name: 'service-target-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.target.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + original_fieldset: 'service', + short: 'The type of the service.', + type: 'keyword', + }, + 'service.target.version': { + dashed_name: 'service-target-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + example: '3.2.4', + flat_name: 'service.target.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + original_fieldset: 'service', + short: 'Version of the service.', + type: 'keyword', + }, + 'service.type': { + dashed_name: 'service-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'The type of the service.', + type: 'keyword', + }, + 'service.version': { + dashed_name: 'service-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + 
example: '3.2.4', + flat_name: 'service.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Version of the service.', + type: 'keyword', + }, + 'source.address': { + dashed_name: 'source-address', + description: + 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'source.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Source network address.', + type: 'keyword', + }, + 'source.as.number': { + dashed_name: 'source-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'source.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'source.as.organization.name': { + dashed_name: 'source-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'source.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'source.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'source.bytes': { + dashed_name: 'source-bytes', + description: 'Bytes sent from the source to the destination.', + example: 184, + flat_name: 'source.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the source to the destination.', + type: 'long', + }, + 'source.domain': { + dashed_name: 'source-domain', + description: + 'The 
domain name of the source system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'source.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the source.', + type: 'keyword', + }, + 'source.geo.city_name': { + dashed_name: 'source-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'source.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'source.geo.continent_code': { + dashed_name: 'source-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'source.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'source.geo.continent_name': { + dashed_name: 'source-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'source.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'source.geo.country_iso_code': { + dashed_name: 'source-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'source.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'source.geo.country_name': { + dashed_name: 'source-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'source.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 
'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'source.geo.location': { + dashed_name: 'source-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'source.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'source.geo.name': { + dashed_name: 'source-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'source.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'source.geo.postal_code': { + dashed_name: 'source-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'source.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'source.geo.region_iso_code': { + dashed_name: 'source-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'source.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'source.geo.region_name': { + dashed_name: 'source-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'source.geo.region_name', + 
ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'source.geo.timezone': { + dashed_name: 'source-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'source.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'source.ip': { + dashed_name: 'source-ip', + description: 'IP address of the source (IPv4 or IPv6).', + flat_name: 'source.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the source.', + type: 'ip', + }, + 'source.mac': { + dashed_name: 'source-mac', + description: + 'MAC address of the source.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'source.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the source.', + type: 'keyword', + }, + 'source.nat.ip': { + dashed_name: 'source-nat-ip', + description: + 'Translated ip of source based NAT sessions (e.g. internal client to internet)\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'source.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Source NAT ip', + type: 'ip', + }, + 'source.nat.port': { + dashed_name: 'source-nat-port', + description: + 'Translated port of source based NAT sessions. (e.g. 
internal client to internet)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'source.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Source NAT port', + type: 'long', + }, + 'source.packets': { + dashed_name: 'source-packets', + description: 'Packets sent from the source to the destination.', + example: 12, + flat_name: 'source.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the source to the destination.', + type: 'long', + }, + 'source.port': { + dashed_name: 'source-port', + description: 'Port of the source.', + flat_name: 'source.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the source.', + type: 'long', + }, + 'source.registered_domain': { + dashed_name: 'source-registered-domain', + description: + 'The highest registered source domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'source.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered source domain, stripped of the subdomain.', + type: 'keyword', + }, + 'source.subdomain': { + dashed_name: 'source-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'source.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'source.top_level_domain': { + dashed_name: 'source-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'source.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'source.user.domain': { + dashed_name: 'source-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'source.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'source.user.email': { + dashed_name: 'source-user-email', + description: 'User email address.', + flat_name: 'source.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'source.user.full_name': { + dashed_name: 'source-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'source.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'source.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'source.user.group.domain': { + dashed_name: 'source-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'source.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'source.user.group.id': { + dashed_name: 'source-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'source.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'source.user.group.name': { + dashed_name: 'source-user-group-name', + description: 'Name of the group.', + flat_name: 'source.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'source.user.hash': { + dashed_name: 'source-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'source.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'source.user.id': { + dashed_name: 'source-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'source.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'source.user.name': { + dashed_name: 'source-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'source.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'source.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'source.user.roles': { + dashed_name: 'source-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'source.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'span.id': { + dashed_name: 'span-id', + description: + 'Unique identifier of the span within the scope of its trace.\nA span represents an operation within a transaction, such as a request to another service, or a database query.', + example: '3ff9a8981b7ccd5a', + flat_name: 'span.id', + ignore_above: 1024, + level: 'extended', + name: 'span.id', + normalize: [], + short: 'Unique identifier of the span within the scope of its trace.', + type: 'keyword', + }, + tags: { + dashed_name: 'tags', + description: 'List of keywords used to tag each event.', + example: '["production", "env2"]', + flat_name: 'tags', + ignore_above: 1024, + level: 'core', + name: 'tags', + normalize: ['array'], + short: 'List of keywords used to tag each event.', + type: 'keyword', + }, + 'threat.enrichments': { + dashed_name: 'threat-enrichments', + description: + 'A list of associated indicators objects 
enriching the event, and the context of that association/enrichment.', + flat_name: 'threat.enrichments', + level: 'extended', + name: 'enrichments', + normalize: ['array'], + short: 'List of objects containing indicators enriching the event.', + type: 'nested', + }, + 'threat.enrichments.indicator': { + dashed_name: 'threat-enrichments-indicator', + description: 'Object containing associated indicators enriching the event.', + flat_name: 'threat.enrichments.indicator', + level: 'extended', + name: 'enrichments.indicator', + normalize: [], + short: 'Object containing indicators enriching the event.', + type: 'object', + }, + 'threat.enrichments.indicator.as.number': { + dashed_name: 'threat-enrichments-indicator-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'threat.enrichments.indicator.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'threat.enrichments.indicator.as.organization.name': { + dashed_name: 'threat-enrichments-indicator-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'threat.enrichments.indicator.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.confidence': { + dashed_name: 'threat-enrichments-indicator-confidence', + description: + 'Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. 
Vendor-specific confidence scales may be added as custom fields.', + example: 'Medium', + expected_values: ['Not Specified', 'None', 'Low', 'Medium', 'High'], + flat_name: 'threat.enrichments.indicator.confidence', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.confidence', + normalize: [], + short: 'Indicator confidence rating', + type: 'keyword', + }, + 'threat.enrichments.indicator.description': { + dashed_name: 'threat-enrichments-indicator-description', + description: 'Describes the type of action conducted by the threat.', + example: 'IP x.x.x.x was observed delivering the Angler EK.', + flat_name: 'threat.enrichments.indicator.description', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.description', + normalize: [], + short: 'Indicator description', + type: 'keyword', + }, + 'threat.enrichments.indicator.email.address': { + dashed_name: 'threat-enrichments-indicator-email-address', + description: 'Identifies a threat indicator as an email address (irrespective of direction).', + example: 'phish@example.com', + flat_name: 'threat.enrichments.indicator.email.address', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.email.address', + normalize: [], + short: 'Indicator email address', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.accessed': { + dashed_name: 'threat-enrichments-indicator-file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'threat.enrichments.indicator.file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file was accessed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.attributes': { + dashed_name: 'threat-enrichments-indicator-file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'threat.enrichments.indicator.file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + original_fieldset: 'file', + short: 'Array of file attributes.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'threat.enrichments.indicator.file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.exists': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.code_signature.signing_id': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'threat.enrichments.indicator.file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.status': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'threat.enrichments.indicator.file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.subject_name': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'threat.enrichments.indicator.file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.team_id': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'threat.enrichments.indicator.file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.timestamp': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'threat.enrichments.indicator.file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.code_signature.trusted': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.code_signature.valid': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if the 
digital signature is verified against the binary content.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.created': { + dashed_name: 'threat-enrichments-indicator-file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'threat.enrichments.indicator.file.created', + level: 'extended', + name: 'created', + normalize: [], + original_fieldset: 'file', + short: 'File creation time.', + type: 'date', + }, + 'threat.enrichments.indicator.file.ctime': { + dashed_name: 'threat-enrichments-indicator-file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'threat.enrichments.indicator.file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.device': { + dashed_name: 'threat-enrichments-indicator-file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'threat.enrichments.indicator.file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + original_fieldset: 'file', + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.directory': { + dashed_name: 'threat-enrichments-indicator-file-directory', + description: + 'Directory where the file is located. 
It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'threat.enrichments.indicator.file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + original_fieldset: 'file', + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.drive_letter': { + dashed_name: 'threat-enrichments-indicator-file-drive-letter', + description: + 'Drive letter where the file is located. This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'threat.enrichments.indicator.file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + original_fieldset: 'file', + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.architecture': { + dashed_name: 'threat-enrichments-indicator-file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'threat.enrichments.indicator.file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.byte_order': { + dashed_name: 'threat-enrichments-indicator-file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'threat.enrichments.indicator.file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.cpu_type': { + dashed_name: 'threat-enrichments-indicator-file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 
'threat.enrichments.indicator.file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.creation_date': { + dashed_name: 'threat-enrichments-indicator-file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.", + flat_name: 'threat.enrichments.indicator.file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'threat.enrichments.indicator.file.elf.exports': { + dashed_name: 'threat-enrichments-indicator-file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'threat.enrichments.indicator.file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'threat.enrichments.indicator.file.elf.header.abi_version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'threat.enrichments.indicator.file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.class': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class 
of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.data': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'threat.enrichments.indicator.file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.entrypoint': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.header.object_version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'threat.enrichments.indicator.file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.os_abi': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'threat.enrichments.indicator.file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-type', + description: 'Header type of the ELF file.', 
+ flat_name: 'threat.enrichments.indicator.file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'threat.enrichments.indicator.file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.imports': { + dashed_name: 'threat-enrichments-indicator-file-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'threat.enrichments.indicator.file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'threat.enrichments.indicator.file.elf.sections': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'threat.enrichments.indicator.file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'threat.enrichments.indicator.file.elf.sections.chi2': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 
'Chi-square probability distribution of the section.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.entropy': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.flags': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.name': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.physical_offset': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.physical_size': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-physical-size', + description: 'ELF Section 
List physical size.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_address': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_size': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.segments': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'threat.enrichments.indicator.file.elf.segments', + level: 
'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'threat.enrichments.indicator.file.elf.segments.sections': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'threat.enrichments.indicator.file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.segments.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'threat.enrichments.indicator.file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.shared_libraries': { + dashed_name: 'threat-enrichments-indicator-file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'threat.enrichments.indicator.file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.telfhash': { + dashed_name: 'threat-enrichments-indicator-file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.extension': { + dashed_name: 'threat-enrichments-indicator-file-extension', 
+ description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.enrichments.indicator.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'file', + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.fork_name': { + dashed_name: 'threat-enrichments-indicator-file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. 
The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'threat.enrichments.indicator.file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + original_fieldset: 'file', + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.gid': { + dashed_name: 'threat-enrichments-indicator-file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'threat.enrichments.indicator.file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + original_fieldset: 'file', + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.group': { + dashed_name: 'threat-enrichments-indicator-file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'threat.enrichments.indicator.file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + original_fieldset: 'file', + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.md5': { + dashed_name: 'threat-enrichments-indicator-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha1': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha256': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha256', + description: 
'SHA256 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha384': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha512': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.ssdeep': { + dashed_name: 'threat-enrichments-indicator-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'threat.enrichments.indicator.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.tlsh': { + dashed_name: 'threat-enrichments-indicator-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'threat.enrichments.indicator.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.inode': { + dashed_name: 'threat-enrichments-indicator-file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'threat.enrichments.indicator.file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + 
normalize: [], + original_fieldset: 'file', + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mime_type': { + dashed_name: 'threat-enrichments-indicator-file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.', + flat_name: 'threat.enrichments.indicator.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + original_fieldset: 'file', + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mode': { + dashed_name: 'threat-enrichments-indicator-file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'threat.enrichments.indicator.file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + original_fieldset: 'file', + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mtime': { + dashed_name: 'threat-enrichments-indicator-file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'threat.enrichments.indicator.file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file content was modified.', + type: 'date', + }, + 'threat.enrichments.indicator.file.name': { + dashed_name: 'threat-enrichments-indicator-file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'threat.enrichments.indicator.file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'file', + short: 'Name of the file including the extension, 
without the directory.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.owner': { + dashed_name: 'threat-enrichments-indicator-file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'threat.enrichments.indicator.file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + original_fieldset: 'file', + short: "File owner's username.", + type: 'keyword', + }, + 'threat.enrichments.indicator.file.path': { + dashed_name: 'threat-enrichments-indicator-file-path', + description: + 'Full path to the file, including the file name. It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'threat.enrichments.indicator.file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + original_fieldset: 'file', + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.architecture': { + dashed_name: 'threat-enrichments-indicator-file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'threat.enrichments.indicator.file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.company': { + dashed_name: 'threat-enrichments-indicator-file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'threat.enrichments.indicator.file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + 
type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.description': { + dashed_name: 'threat-enrichments-indicator-file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'threat.enrichments.indicator.file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.file_version': { + dashed_name: 'threat-enrichments-indicator-file-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'threat.enrichments.indicator.file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.imphash': { + dashed_name: 'threat-enrichments-indicator-file-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'threat.enrichments.indicator.file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.original_file_name': { + dashed_name: 'threat-enrichments-indicator-file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'threat.enrichments.indicator.file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.pehash': { + dashed_name: 'threat-enrichments-indicator-file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'threat.enrichments.indicator.file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.product': { + dashed_name: 'threat-enrichments-indicator-file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'threat.enrichments.indicator.file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.size': { + dashed_name: 'threat-enrichments-indicator-file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'threat.enrichments.indicator.file.size', + level: 'extended', + name: 'size', + normalize: [], + original_fieldset: 'file', + short: 'File size in bytes.', + type: 'long', + }, + 'threat.enrichments.indicator.file.target_path': { + dashed_name: 'threat-enrichments-indicator-file-target-path', + description: 'Target path for symlinks.', + flat_name: 'threat.enrichments.indicator.file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + original_fieldset: 'file', + short: 'Target path for symlinks.', + type: 'keyword', + }, + 
'threat.enrichments.indicator.file.type': { + dashed_name: 'threat-enrichments-indicator-file-type', + description: 'File type (file, dir, or symlink).', + example: 'file', + flat_name: 'threat.enrichments.indicator.file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'file', + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.uid': { + dashed_name: 'threat-enrichments-indicator-file-uid', + description: 'The user ID (UID) or security identifier (SID) of the file owner.', + example: '1001', + flat_name: 'threat.enrichments.indicator.file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + original_fieldset: 'file', + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.alternative_names': { + dashed_name: 'threat-enrichments-indicator-file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.enrichments.indicator.file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.common_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.country': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', 
+ short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.locality': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.organization': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 
'threat.enrichments.indicator.file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.not_after': { + dashed_name: 'threat-enrichments-indicator-file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.enrichments.indicator.file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.file.x509.not_before': { + dashed_name: 'threat-enrichments-indicator-file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.enrichments.indicator.file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.file.x509.public_key_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.enrichments.indicator.file.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.public_key_curve': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. 
This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.enrichments.indicator.file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.public_key_exponent': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.enrichments.indicator.file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.enrichments.indicator.file.x509.public_key_size': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.enrichments.indicator.file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.enrichments.indicator.file.x509.serial_number': { + dashed_name: 'threat-enrichments-indicator-file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.enrichments.indicator.file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.signature_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.enrichments.indicator.file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.common_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.enrichments.indicator.file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.country': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.enrichments.indicator.file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 
'List of country \\(C) code', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.enrichments.indicator.file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.locality': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.enrichments.indicator.file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.organization': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.enrichments.indicator.file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.enrichments.indicator.file.x509.subject.organizational_unit', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.state_or_province': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.version_number': { + dashed_name: 'threat-enrichments-indicator-file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.enrichments.indicator.file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.enrichments.indicator.first_seen': { + dashed_name: 'threat-enrichments-indicator-first-seen', + description: + 'The date and time when intelligence source first reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.enrichments.indicator.first_seen', + level: 'extended', + name: 'enrichments.indicator.first_seen', + normalize: [], + short: 'Date/time indicator was first reported.', + type: 'date', + }, + 'threat.enrichments.indicator.geo.city_name': { + dashed_name: 'threat-enrichments-indicator-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'threat.enrichments.indicator.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, 
+ 'threat.enrichments.indicator.geo.continent_code': { + dashed_name: 'threat-enrichments-indicator-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'threat.enrichments.indicator.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.continent_name': { + dashed_name: 'threat-enrichments-indicator-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'threat.enrichments.indicator.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.country_iso_code': { + dashed_name: 'threat-enrichments-indicator-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'threat.enrichments.indicator.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.country_name': { + dashed_name: 'threat-enrichments-indicator-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'threat.enrichments.indicator.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.location': { + dashed_name: 'threat-enrichments-indicator-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'threat.enrichments.indicator.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + 
short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'threat.enrichments.indicator.geo.name': { + dashed_name: 'threat-enrichments-indicator-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'threat.enrichments.indicator.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.postal_code': { + dashed_name: 'threat-enrichments-indicator-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'threat.enrichments.indicator.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.region_iso_code': { + dashed_name: 'threat-enrichments-indicator-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'threat.enrichments.indicator.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.region_name': { + dashed_name: 'threat-enrichments-indicator-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'threat.enrichments.indicator.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 
'keyword', + }, + 'threat.enrichments.indicator.geo.timezone': { + dashed_name: 'threat-enrichments-indicator-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'threat.enrichments.indicator.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'threat.enrichments.indicator.ip': { + dashed_name: 'threat-enrichments-indicator-ip', + description: 'Identifies a threat indicator as an IP address (irrespective of direction).', + example: '1.2.3.4', + flat_name: 'threat.enrichments.indicator.ip', + level: 'extended', + name: 'enrichments.indicator.ip', + normalize: [], + short: 'Indicator IP address', + type: 'ip', + }, + 'threat.enrichments.indicator.last_seen': { + dashed_name: 'threat-enrichments-indicator-last-seen', + description: + 'The date and time when intelligence source last reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.enrichments.indicator.last_seen', + level: 'extended', + name: 'enrichments.indicator.last_seen', + normalize: [], + short: 'Date/time indicator was last reported.', + type: 'date', + }, + 'threat.enrichments.indicator.marking.tlp.version': { + dashed_name: 'threat-enrichments-indicator-marking-tlp-version', + description: 'Traffic Light Protocol version.', + example: 2, + flat_name: 'threat.enrichments.indicator.marking.tlp.version', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.marking.tlp.version', + normalize: [], + short: 'Indicator TLP version', + type: 'keyword', + }, + 'threat.enrichments.indicator.modified_at': { + dashed_name: 'threat-enrichments-indicator-modified-at', + description: + 'The date and time when intelligence source last modified information for this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 
'threat.enrichments.indicator.modified_at', + level: 'extended', + name: 'enrichments.indicator.modified_at', + normalize: [], + short: 'Date/time indicator was last updated.', + type: 'date', + }, + 'threat.enrichments.indicator.port': { + dashed_name: 'threat-enrichments-indicator-port', + description: 'Identifies a threat indicator as a port number (irrespective of direction).', + example: 443, + flat_name: 'threat.enrichments.indicator.port', + level: 'extended', + name: 'enrichments.indicator.port', + normalize: [], + short: 'Indicator port', + type: 'long', + }, + 'threat.enrichments.indicator.provider': { + dashed_name: 'threat-enrichments-indicator-provider', + description: "The name of the indicator's provider.", + example: 'lrz_urlhaus', + flat_name: 'threat.enrichments.indicator.provider', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.provider', + normalize: [], + short: 'Indicator provider', + type: 'keyword', + }, + 'threat.enrichments.indicator.reference': { + dashed_name: 'threat-enrichments-indicator-reference', + description: 'Reference URL linking to additional information about this indicator.', + example: 'https://system.example.com/indicator/0001234', + flat_name: 'threat.enrichments.indicator.reference', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.reference', + normalize: [], + short: 'Indicator reference URL', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.data.bytes': { + dashed_name: 'threat-enrichments-indicator-registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'threat.enrichments.indicator.registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + original_fieldset: 'registry', + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.data.strings': { + dashed_name: 'threat-enrichments-indicator-registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'threat.enrichments.indicator.registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + original_fieldset: 'registry', + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.registry.data.type': { + dashed_name: 'threat-enrichments-indicator-registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'threat.enrichments.indicator.registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + original_fieldset: 'registry', + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.hive': { + dashed_name: 'threat-enrichments-indicator-registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'threat.enrichments.indicator.registry.hive', + ignore_above: 1024, + 
level: 'core', + name: 'hive', + normalize: [], + original_fieldset: 'registry', + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.key': { + dashed_name: 'threat-enrichments-indicator-registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'threat.enrichments.indicator.registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + original_fieldset: 'registry', + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.path': { + dashed_name: 'threat-enrichments-indicator-registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'threat.enrichments.indicator.registry.path', + ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + original_fieldset: 'registry', + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.value': { + dashed_name: 'threat-enrichments-indicator-registry-value', + description: 'Name of the value written.', + example: 'Debugger', + flat_name: 'threat.enrichments.indicator.registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + original_fieldset: 'registry', + short: 'Name of the value written.', + type: 'keyword', + }, + 'threat.enrichments.indicator.scanner_stats': { + dashed_name: 'threat-enrichments-indicator-scanner-stats', + description: 'Count of AV/EDR vendors that successfully detected malicious file or URL.', + example: 4, + flat_name: 'threat.enrichments.indicator.scanner_stats', + level: 'extended', + name: 'enrichments.indicator.scanner_stats', + normalize: [], + short: 'Scanner statistics', + type: 'long', + }, + 
'threat.enrichments.indicator.sightings': { + dashed_name: 'threat-enrichments-indicator-sightings', + description: 'Number of times this indicator was observed conducting threat activity.', + example: 20, + flat_name: 'threat.enrichments.indicator.sightings', + level: 'extended', + name: 'enrichments.indicator.sightings', + normalize: [], + short: 'Number of times indicator observed', + type: 'long', + }, + 'threat.enrichments.indicator.type': { + dashed_name: 'threat-enrichments-indicator-type', + description: 'Type of indicator as represented by Cyber Observable in STIX 2.0.', + example: 'ipv4-addr', + expected_values: [ + 'autonomous-system', + 'artifact', + 'directory', + 'domain-name', + 'email-addr', + 'file', + 'ipv4-addr', + 'ipv6-addr', + 'mac-addr', + 'mutex', + 'port', + 'process', + 'software', + 'url', + 'user-account', + 'windows-registry-key', + 'x509-certificate', + ], + flat_name: 'threat.enrichments.indicator.type', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.type', + normalize: [], + short: 'Type of indicator', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.domain': { + dashed_name: 'threat-enrichments-indicator-url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'threat.enrichments.indicator.url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'url', + short: 'Domain of the url.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.extension': { + dashed_name: 'threat-enrichments-indicator-url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.enrichments.indicator.url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'url', + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.fragment': { + dashed_name: 'threat-enrichments-indicator-url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'threat.enrichments.indicator.url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + original_fieldset: 'url', + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.full': { + dashed_name: 'threat-enrichments-indicator-url-full', + description: + 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the 
event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'threat.enrichments.indicator.url.full', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'url', + short: 'Full unparsed URL.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.original': { + dashed_name: 'threat-enrichments-indicator-url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'threat.enrichments.indicator.url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + original_fieldset: 'url', + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.password': { + dashed_name: 'threat-enrichments-indicator-url-password', + description: 'Password of the request.', + flat_name: 'threat.enrichments.indicator.url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + original_fieldset: 'url', + short: 'Password of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.path': { + dashed_name: 'threat-enrichments-indicator-url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'threat.enrichments.indicator.url.path', + level: 'extended', + name: 'path', + normalize: [], + original_fieldset: 'url', + short: 'Path of the request, such as 
"/search".', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.port': { + dashed_name: 'threat-enrichments-indicator-url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'threat.enrichments.indicator.url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + original_fieldset: 'url', + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'threat.enrichments.indicator.url.query': { + dashed_name: 'threat-enrichments-indicator-url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.', + flat_name: 'threat.enrichments.indicator.url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + original_fieldset: 'url', + short: 'Query string of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.registered_domain': { + dashed_name: 'threat-enrichments-indicator-url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'threat.enrichments.indicator.url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + original_fieldset: 'url', + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.scheme': { + dashed_name: 'threat-enrichments-indicator-url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'threat.enrichments.indicator.url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + original_fieldset: 'url', + short: 'Scheme of the url.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.subdomain': { + dashed_name: 'threat-enrichments-indicator-url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'threat.enrichments.indicator.url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + original_fieldset: 'url', + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.top_level_domain': { + dashed_name: 'threat-enrichments-indicator-url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'threat.enrichments.indicator.url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + original_fieldset: 'url', + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.username': { + dashed_name: 'threat-enrichments-indicator-url-username', + description: 'Username of the request.', + flat_name: 'threat.enrichments.indicator.url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + original_fieldset: 'url', + short: 'Username of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.alternative_names': { + dashed_name: 'threat-enrichments-indicator-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.enrichments.indicator.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.common_name': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.country': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.enrichments.indicator.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing 
certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.locality': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.enrichments.indicator.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.organization': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.enrichments.indicator.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.enrichments.indicator.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.state_or_province': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + 
normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.not_after': { + dashed_name: 'threat-enrichments-indicator-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.enrichments.indicator.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.x509.not_before': { + dashed_name: 'threat-enrichments-indicator-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.enrichments.indicator.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.x509.public_key_algorithm': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.enrichments.indicator.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.public_key_curve': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. 
This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.enrichments.indicator.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.public_key_exponent': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.enrichments.indicator.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.enrichments.indicator.x509.public_key_size': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.enrichments.indicator.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.enrichments.indicator.x509.serial_number': { + dashed_name: 'threat-enrichments-indicator-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.enrichments.indicator.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.signature_algorithm': { + dashed_name: 'threat-enrichments-indicator-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.enrichments.indicator.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.common_name': { + dashed_name: 'threat-enrichments-indicator-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.enrichments.indicator.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.country': { + dashed_name: 'threat-enrichments-indicator-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.enrichments.indicator.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + 
}, + 'threat.enrichments.indicator.x509.subject.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.enrichments.indicator.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.locality': { + dashed_name: 'threat-enrichments-indicator-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.enrichments.indicator.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.organization': { + dashed_name: 'threat-enrichments-indicator-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.enrichments.indicator.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.enrichments.indicator.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + 
short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.state_or_province': { + dashed_name: 'threat-enrichments-indicator-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.version_number': { + dashed_name: 'threat-enrichments-indicator-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.enrichments.indicator.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.enrichments.matched.atomic': { + dashed_name: 'threat-enrichments-matched-atomic', + description: + 'Identifies the atomic indicator value that matched a local environment endpoint or network event.', + example: 'bad-domain.com', + flat_name: 'threat.enrichments.matched.atomic', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.atomic', + normalize: [], + short: 'Matched indicator value', + type: 'keyword', + }, + 'threat.enrichments.matched.field': { + dashed_name: 'threat-enrichments-matched-field', + description: + 'Identifies the field of the atomic indicator that matched a local environment endpoint or network event.', + example: 'file.hash.sha256', + flat_name: 'threat.enrichments.matched.field', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.field', + normalize: [], + short: 'Matched indicator field', + type: 'keyword', + }, + 'threat.enrichments.matched.id': { + dashed_name: 
'threat-enrichments-matched-id', + description: 'Identifies the _id of the indicator document enriching the event.', + example: 'ff93aee5-86a1-4a61-b0e6-0cdc313d01b5', + flat_name: 'threat.enrichments.matched.id', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.id', + normalize: [], + short: 'Matched indicator identifier', + type: 'keyword', + }, + 'threat.enrichments.matched.index': { + dashed_name: 'threat-enrichments-matched-index', + description: 'Identifies the _index of the indicator document enriching the event.', + example: 'filebeat-8.0.0-2021.05.23-000011', + flat_name: 'threat.enrichments.matched.index', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.index', + normalize: [], + short: 'Matched indicator index', + type: 'keyword', + }, + 'threat.enrichments.matched.occurred': { + dashed_name: 'threat-enrichments-matched-occurred', + description: 'Indicates when the indicator match was generated', + example: '2021-10-05T17:00:58.326Z', + flat_name: 'threat.enrichments.matched.occurred', + level: 'extended', + name: 'enrichments.matched.occurred', + normalize: [], + short: 'Date of match', + type: 'date', + }, + 'threat.enrichments.matched.type': { + dashed_name: 'threat-enrichments-matched-type', + description: + 'Identifies the type of match that caused the event to be enriched with the given indicator', + example: 'indicator_match_rule', + flat_name: 'threat.enrichments.matched.type', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.type', + normalize: [], + short: 'Type of indicator match', + type: 'keyword', + }, + 'threat.feed.dashboard_id': { + dashed_name: 'threat-feed-dashboard-id', + description: + 'The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana.', + example: '5ba16340-72e6-11eb-a3e3-b3cc7c78a70f', + flat_name: 'threat.feed.dashboard_id', + ignore_above: 1024, + level: 'extended', + name: 
'feed.dashboard_id', + normalize: [], + short: 'Feed dashboard ID.', + type: 'keyword', + }, + 'threat.feed.description': { + dashed_name: 'threat-feed-description', + description: 'Description of the threat feed in a UI friendly format.', + example: 'Threat feed from the AlienVault Open Threat eXchange network.', + flat_name: 'threat.feed.description', + ignore_above: 1024, + level: 'extended', + name: 'feed.description', + normalize: [], + short: 'Description of the threat feed.', + type: 'keyword', + }, + 'threat.feed.name': { + dashed_name: 'threat-feed-name', + description: 'The name of the threat feed in UI friendly format.', + example: 'AlienVault OTX', + flat_name: 'threat.feed.name', + ignore_above: 1024, + level: 'extended', + name: 'feed.name', + normalize: [], + short: 'Name of the threat feed.', + type: 'keyword', + }, + 'threat.feed.reference': { + dashed_name: 'threat-feed-reference', + description: 'Reference information for the threat feed in a UI friendly format.', + example: 'https://otx.alienvault.com', + flat_name: 'threat.feed.reference', + ignore_above: 1024, + level: 'extended', + name: 'feed.reference', + normalize: [], + short: 'Reference for the threat feed.', + type: 'keyword', + }, + 'threat.framework': { + dashed_name: 'threat-framework', + description: + 'Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. 
Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.', + example: 'MITRE ATT&CK', + flat_name: 'threat.framework', + ignore_above: 1024, + level: 'extended', + name: 'framework', + normalize: [], + short: 'Threat classification framework.', + type: 'keyword', + }, + 'threat.group.alias': { + dashed_name: 'threat-group-alias', + description: + 'The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group alias(es).', + example: '[ "Magecart Group 6" ]', + flat_name: 'threat.group.alias', + ignore_above: 1024, + level: 'extended', + name: 'group.alias', + normalize: ['array'], + short: 'Alias of the group.', + type: 'keyword', + }, + 'threat.group.id': { + dashed_name: 'threat-group-id', + description: + 'The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group id.', + example: 'G0037', + flat_name: 'threat.group.id', + ignore_above: 1024, + level: 'extended', + name: 'group.id', + normalize: [], + short: 'ID of the group.', + type: 'keyword', + }, + 'threat.group.name': { + dashed_name: 'threat-group-name', + description: + 'The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group name.', + example: 'FIN6', + flat_name: 'threat.group.name', + ignore_above: 1024, + level: 'extended', + name: 'group.name', + normalize: [], + short: 'Name of the group.', + type: 'keyword', + }, + 'threat.group.reference': { + dashed_name: 'threat-group-reference', + description: + 'The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® 
group reference URL.', + example: 'https://attack.mitre.org/groups/G0037/', + flat_name: 'threat.group.reference', + ignore_above: 1024, + level: 'extended', + name: 'group.reference', + normalize: [], + short: 'Reference URL of the group.', + type: 'keyword', + }, + 'threat.indicator.as.number': { + dashed_name: 'threat-indicator-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'threat.indicator.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'threat.indicator.as.organization.name': { + dashed_name: 'threat-indicator-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'threat.indicator.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'threat.indicator.confidence': { + dashed_name: 'threat-indicator-confidence', + description: + 'Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. 
Vendor-specific confidence scales may be added as custom fields.', + example: 'Medium', + expected_values: ['Not Specified', 'None', 'Low', 'Medium', 'High'], + flat_name: 'threat.indicator.confidence', + ignore_above: 1024, + level: 'extended', + name: 'indicator.confidence', + normalize: [], + short: 'Indicator confidence rating', + type: 'keyword', + }, + 'threat.indicator.description': { + dashed_name: 'threat-indicator-description', + description: 'Describes the type of action conducted by the threat.', + example: 'IP x.x.x.x was observed delivering the Angler EK.', + flat_name: 'threat.indicator.description', + ignore_above: 1024, + level: 'extended', + name: 'indicator.description', + normalize: [], + short: 'Indicator description', + type: 'keyword', + }, + 'threat.indicator.email.address': { + dashed_name: 'threat-indicator-email-address', + description: 'Identifies a threat indicator as an email address (irrespective of direction).', + example: 'phish@example.com', + flat_name: 'threat.indicator.email.address', + ignore_above: 1024, + level: 'extended', + name: 'indicator.email.address', + normalize: [], + short: 'Indicator email address', + type: 'keyword', + }, + 'threat.indicator.file.accessed': { + dashed_name: 'threat-indicator-file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'threat.indicator.file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file was accessed.', + type: 'date', + }, + 'threat.indicator.file.attributes': { + dashed_name: 'threat-indicator-file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'threat.indicator.file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + original_fieldset: 'file', + short: 'Array of file attributes.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.digest_algorithm': { + dashed_name: 'threat-indicator-file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'threat.indicator.file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.exists': { + dashed_name: 'threat-indicator-file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'threat.indicator.file.code_signature.signing_id': { + dashed_name: 'threat-indicator-file-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'threat.indicator.file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.status': { + dashed_name: 'threat-indicator-file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'threat.indicator.file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.subject_name': { + dashed_name: 'threat-indicator-file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'threat.indicator.file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.team_id': { + dashed_name: 'threat-indicator-file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'threat.indicator.file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.timestamp': { + dashed_name: 'threat-indicator-file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'threat.indicator.file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'threat.indicator.file.code_signature.trusted': { + dashed_name: 'threat-indicator-file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'threat.indicator.file.code_signature.valid': { + dashed_name: 'threat-indicator-file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'threat.indicator.file.created': { + 
dashed_name: 'threat-indicator-file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'threat.indicator.file.created', + level: 'extended', + name: 'created', + normalize: [], + original_fieldset: 'file', + short: 'File creation time.', + type: 'date', + }, + 'threat.indicator.file.ctime': { + dashed_name: 'threat-indicator-file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'threat.indicator.file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'threat.indicator.file.device': { + dashed_name: 'threat-indicator-file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'threat.indicator.file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + original_fieldset: 'file', + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'threat.indicator.file.directory': { + dashed_name: 'threat-indicator-file-directory', + description: + 'Directory where the file is located. It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'threat.indicator.file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + original_fieldset: 'file', + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'threat.indicator.file.drive_letter': { + dashed_name: 'threat-indicator-file-drive-letter', + description: + 'Drive letter where the file is located. 
This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'threat.indicator.file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + original_fieldset: 'file', + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'threat.indicator.file.elf.architecture': { + dashed_name: 'threat-indicator-file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'threat.indicator.file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.byte_order': { + dashed_name: 'threat-indicator-file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'threat.indicator.file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.cpu_type': { + dashed_name: 'threat-indicator-file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'threat.indicator.file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.creation_date': { + dashed_name: 'threat-indicator-file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'threat.indicator.file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'threat.indicator.file.elf.exports': { + dashed_name: 'threat-indicator-file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'threat.indicator.file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'threat.indicator.file.elf.header.abi_version': { + dashed_name: 'threat-indicator-file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'threat.indicator.file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.class': { + dashed_name: 'threat-indicator-file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'threat.indicator.file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.data': { + dashed_name: 'threat-indicator-file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'threat.indicator.file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.entrypoint': { + dashed_name: 'threat-indicator-file-elf-header-entrypoint', + description: 'Header entrypoint of the 
ELF file.', + flat_name: 'threat.indicator.file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'threat.indicator.file.elf.header.object_version': { + dashed_name: 'threat-indicator-file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'threat.indicator.file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.os_abi': { + dashed_name: 'threat-indicator-file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'threat.indicator.file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.type': { + dashed_name: 'threat-indicator-file-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'threat.indicator.file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.version': { + dashed_name: 'threat-indicator-file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'threat.indicator.file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'threat.indicator.file.elf.imports': { + dashed_name: 'threat-indicator-file-elf-imports', + description: 'List of imported 
element names and types.', + flat_name: 'threat.indicator.file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'threat.indicator.file.elf.sections': { + dashed_name: 'threat-indicator-file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'threat.indicator.file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'threat.indicator.file.elf.sections.chi2': { + dashed_name: 'threat-indicator-file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'threat.indicator.file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.entropy': { + dashed_name: 'threat-indicator-file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'threat.indicator.file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.flags': { + dashed_name: 'threat-indicator-file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'threat.indicator.file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 
'threat.indicator.file.elf.sections.name': { + dashed_name: 'threat-indicator-file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'threat.indicator.file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.physical_offset': { + dashed_name: 'threat-indicator-file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'threat.indicator.file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.physical_size': { + dashed_name: 'threat-indicator-file-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'threat.indicator.file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.type': { + dashed_name: 'threat-indicator-file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'threat.indicator.file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.virtual_address': { + dashed_name: 'threat-indicator-file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'threat.indicator.file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual 
address.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.virtual_size': { + dashed_name: 'threat-indicator-file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'threat.indicator.file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'threat.indicator.file.elf.segments': { + dashed_name: 'threat-indicator-file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'threat.indicator.file.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'threat.indicator.file.elf.segments.sections': { + dashed_name: 'threat-indicator-file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'threat.indicator.file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'threat.indicator.file.elf.segments.type': { + dashed_name: 'threat-indicator-file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'threat.indicator.file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'threat.indicator.file.elf.shared_libraries': { + dashed_name: 'threat-indicator-file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'threat.indicator.file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + 
name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'threat.indicator.file.elf.telfhash': { + dashed_name: 'threat-indicator-file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'threat.indicator.file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.extension': { + dashed_name: 'threat-indicator-file-extension', + description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.indicator.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'file', + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'threat.indicator.file.fork_name': { + dashed_name: 'threat-indicator-file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. 
The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'threat.indicator.file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + original_fieldset: 'file', + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'threat.indicator.file.gid': { + dashed_name: 'threat-indicator-file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'threat.indicator.file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + original_fieldset: 'file', + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'threat.indicator.file.group': { + dashed_name: 'threat-indicator-file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'threat.indicator.file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + original_fieldset: 'file', + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'threat.indicator.file.hash.md5': { + dashed_name: 'threat-indicator-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'threat.indicator.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha1': { + dashed_name: 'threat-indicator-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'threat.indicator.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha256': { + dashed_name: 'threat-indicator-file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'threat.indicator.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + 
short: 'SHA256 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha384': { + dashed_name: 'threat-indicator-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'threat.indicator.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha512': { + dashed_name: 'threat-indicator-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'threat.indicator.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.ssdeep': { + dashed_name: 'threat-indicator-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'threat.indicator.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.tlsh': { + dashed_name: 'threat-indicator-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'threat.indicator.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'threat.indicator.file.inode': { + dashed_name: 'threat-indicator-file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'threat.indicator.file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + normalize: [], + original_fieldset: 'file', + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'threat.indicator.file.mime_type': { + dashed_name: 'threat-indicator-file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using 
https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.', + flat_name: 'threat.indicator.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + original_fieldset: 'file', + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'threat.indicator.file.mode': { + dashed_name: 'threat-indicator-file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'threat.indicator.file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + original_fieldset: 'file', + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'threat.indicator.file.mtime': { + dashed_name: 'threat-indicator-file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'threat.indicator.file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file content was modified.', + type: 'date', + }, + 'threat.indicator.file.name': { + dashed_name: 'threat-indicator-file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'threat.indicator.file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'file', + short: 'Name of the file including the extension, without the directory.', + type: 'keyword', + }, + 'threat.indicator.file.owner': { + dashed_name: 'threat-indicator-file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'threat.indicator.file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + original_fieldset: 'file', + short: "File owner's username.", + type: 'keyword', + }, + 'threat.indicator.file.path': { + dashed_name: 
'threat-indicator-file-path', + description: + 'Full path to the file, including the file name. It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'threat.indicator.file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + original_fieldset: 'file', + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'threat.indicator.file.pe.architecture': { + dashed_name: 'threat-indicator-file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'threat.indicator.file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'threat.indicator.file.pe.company': { + dashed_name: 'threat-indicator-file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'threat.indicator.file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.description': { + dashed_name: 'threat-indicator-file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'threat.indicator.file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.file_version': { + dashed_name: 'threat-indicator-file-pe-file-version', + description: 'Internal 
version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'threat.indicator.file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'threat.indicator.file.pe.imphash': { + dashed_name: 'threat-indicator-file-pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'threat.indicator.file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'threat.indicator.file.pe.original_file_name': { + dashed_name: 'threat-indicator-file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'threat.indicator.file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.pehash': { + dashed_name: 'threat-indicator-file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'threat.indicator.file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'threat.indicator.file.pe.product': { + dashed_name: 'threat-indicator-file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'threat.indicator.file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.size': { + dashed_name: 'threat-indicator-file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'threat.indicator.file.size', + level: 'extended', + name: 'size', + normalize: [], + original_fieldset: 'file', + short: 'File size in bytes.', + type: 'long', + }, + 'threat.indicator.file.target_path': { + dashed_name: 'threat-indicator-file-target-path', + description: 'Target path for symlinks.', + flat_name: 'threat.indicator.file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + original_fieldset: 'file', + short: 'Target path for symlinks.', + type: 'keyword', + }, + 'threat.indicator.file.type': { + dashed_name: 'threat-indicator-file-type', + description: 'File type (file, dir, or symlink).', + example: 
'file', + flat_name: 'threat.indicator.file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'file', + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'threat.indicator.file.uid': { + dashed_name: 'threat-indicator-file-uid', + description: 'The user ID (UID) or security identifier (SID) of the file owner.', + example: '1001', + flat_name: 'threat.indicator.file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + original_fieldset: 'file', + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'threat.indicator.file.x509.alternative_names': { + dashed_name: 'threat-indicator-file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.indicator.file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.common_name': { + dashed_name: 'threat-indicator-file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.country': { + dashed_name: 'threat-indicator-file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 
'threat.indicator.file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.distinguished_name': { + dashed_name: 'threat-indicator-file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.file.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.locality': { + dashed_name: 'threat-indicator-file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.indicator.file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.organization': { + dashed_name: 'threat-indicator-file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.indicator.file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.organizational_unit': { + dashed_name: 'threat-indicator-file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 
'www.example.com', + flat_name: 'threat.indicator.file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.state_or_province': { + dashed_name: 'threat-indicator-file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.file.x509.not_after': { + dashed_name: 'threat-indicator-file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.indicator.file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.indicator.file.x509.not_before': { + dashed_name: 'threat-indicator-file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.indicator.file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.indicator.file.x509.public_key_algorithm': { + dashed_name: 'threat-indicator-file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.indicator.file.x509.public_key_algorithm', + ignore_above: 
1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.indicator.file.x509.public_key_curve': { + dashed_name: 'threat-indicator-file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.indicator.file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.indicator.file.x509.public_key_exponent': { + dashed_name: 'threat-indicator-file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.indicator.file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.indicator.file.x509.public_key_size': { + dashed_name: 'threat-indicator-file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.indicator.file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.indicator.file.x509.serial_number': { + dashed_name: 'threat-indicator-file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.indicator.file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.signature_algorithm': { + dashed_name: 'threat-indicator-file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.indicator.file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.common_name': { + dashed_name: 'threat-indicator-file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.indicator.file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.country': { + dashed_name: 'threat-indicator-file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.indicator.file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.distinguished_name': { + 
dashed_name: 'threat-indicator-file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.indicator.file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.locality': { + dashed_name: 'threat-indicator-file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.indicator.file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.organization': { + dashed_name: 'threat-indicator-file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.indicator.file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.organizational_unit': { + dashed_name: 'threat-indicator-file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.indicator.file.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.state_or_province': { + 
dashed_name: 'threat-indicator-file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.file.x509.version_number': { + dashed_name: 'threat-indicator-file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.indicator.file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.indicator.first_seen': { + dashed_name: 'threat-indicator-first-seen', + description: + 'The date and time when intelligence source first reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.first_seen', + level: 'extended', + name: 'indicator.first_seen', + normalize: [], + short: 'Date/time indicator was first reported.', + type: 'date', + }, + 'threat.indicator.geo.city_name': { + dashed_name: 'threat-indicator-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'threat.indicator.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'threat.indicator.geo.continent_code': { + dashed_name: 'threat-indicator-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'threat.indicator.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 
'threat.indicator.geo.continent_name': { + dashed_name: 'threat-indicator-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'threat.indicator.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'threat.indicator.geo.country_iso_code': { + dashed_name: 'threat-indicator-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'threat.indicator.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'threat.indicator.geo.country_name': { + dashed_name: 'threat-indicator-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'threat.indicator.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'threat.indicator.geo.location': { + dashed_name: 'threat-indicator-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'threat.indicator.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'threat.indicator.geo.name': { + dashed_name: 'threat-indicator-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'threat.indicator.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + 
short: 'User-defined description of a location.', + type: 'keyword', + }, + 'threat.indicator.geo.postal_code': { + dashed_name: 'threat-indicator-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'threat.indicator.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'threat.indicator.geo.region_iso_code': { + dashed_name: 'threat-indicator-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'threat.indicator.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'threat.indicator.geo.region_name': { + dashed_name: 'threat-indicator-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'threat.indicator.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'threat.indicator.geo.timezone': { + dashed_name: 'threat-indicator-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'threat.indicator.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'threat.indicator.ip': { + dashed_name: 'threat-indicator-ip', + description: 'Identifies a threat indicator as an IP address (irrespective of direction).', + example: '1.2.3.4', + flat_name: 'threat.indicator.ip', + level: 'extended', + name: 'indicator.ip', + normalize: [], + short: 'Indicator 
IP address', + type: 'ip', + }, + 'threat.indicator.last_seen': { + dashed_name: 'threat-indicator-last-seen', + description: + 'The date and time when intelligence source last reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.last_seen', + level: 'extended', + name: 'indicator.last_seen', + normalize: [], + short: 'Date/time indicator was last reported.', + type: 'date', + }, + 'threat.indicator.marking.tlp': { + dashed_name: 'threat-indicator-marking-tlp', + description: 'Traffic Light Protocol sharing markings.', + example: 'CLEAR', + expected_values: ['WHITE', 'CLEAR', 'GREEN', 'AMBER', 'AMBER+STRICT', 'RED'], + flat_name: 'threat.indicator.marking.tlp', + ignore_above: 1024, + level: 'extended', + name: 'indicator.marking.tlp', + normalize: [], + short: 'Indicator TLP marking', + type: 'keyword', + }, + 'threat.indicator.modified_at': { + dashed_name: 'threat-indicator-modified-at', + description: + 'The date and time when intelligence source last modified information for this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.modified_at', + level: 'extended', + name: 'indicator.modified_at', + normalize: [], + short: 'Date/time indicator was last updated.', + type: 'date', + }, + 'threat.indicator.port': { + dashed_name: 'threat-indicator-port', + description: 'Identifies a threat indicator as a port number (irrespective of direction).', + example: 443, + flat_name: 'threat.indicator.port', + level: 'extended', + name: 'indicator.port', + normalize: [], + short: 'Indicator port', + type: 'long', + }, + 'threat.indicator.provider': { + dashed_name: 'threat-indicator-provider', + description: "The name of the indicator's provider.", + example: 'lrz_urlhaus', + flat_name: 'threat.indicator.provider', + ignore_above: 1024, + level: 'extended', + name: 'indicator.provider', + normalize: [], + short: 'Indicator provider', + type: 'keyword', + }, + 'threat.indicator.reference': 
{ + dashed_name: 'threat-indicator-reference', + description: 'Reference URL linking to additional information about this indicator.', + example: 'https://system.example.com/indicator/0001234', + flat_name: 'threat.indicator.reference', + ignore_above: 1024, + level: 'extended', + name: 'indicator.reference', + normalize: [], + short: 'Indicator reference URL', + type: 'keyword', + }, + 'threat.indicator.registry.data.bytes': { + dashed_name: 'threat-indicator-registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'threat.indicator.registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + original_fieldset: 'registry', + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'threat.indicator.registry.data.strings': { + dashed_name: 'threat-indicator-registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'threat.indicator.registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + original_fieldset: 'registry', + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'threat.indicator.registry.data.type': { + dashed_name: 'threat-indicator-registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'threat.indicator.registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + original_fieldset: 'registry', + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'threat.indicator.registry.hive': { + dashed_name: 'threat-indicator-registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'threat.indicator.registry.hive', + ignore_above: 1024, + level: 'core', + name: 'hive', + normalize: [], + original_fieldset: 'registry', + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'threat.indicator.registry.key': { + dashed_name: 'threat-indicator-registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'threat.indicator.registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + original_fieldset: 'registry', + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'threat.indicator.registry.path': { + dashed_name: 'threat-indicator-registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'threat.indicator.registry.path', + 
ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + original_fieldset: 'registry', + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'threat.indicator.registry.value': { + dashed_name: 'threat-indicator-registry-value', + description: 'Name of the value written.', + example: 'Debugger', + flat_name: 'threat.indicator.registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + original_fieldset: 'registry', + short: 'Name of the value written.', + type: 'keyword', + }, + 'threat.indicator.scanner_stats': { + dashed_name: 'threat-indicator-scanner-stats', + description: 'Count of AV/EDR vendors that successfully detected malicious file or URL.', + example: 4, + flat_name: 'threat.indicator.scanner_stats', + level: 'extended', + name: 'indicator.scanner_stats', + normalize: [], + short: 'Scanner statistics', + type: 'long', + }, + 'threat.indicator.sightings': { + dashed_name: 'threat-indicator-sightings', + description: 'Number of times this indicator was observed conducting threat activity.', + example: 20, + flat_name: 'threat.indicator.sightings', + level: 'extended', + name: 'indicator.sightings', + normalize: [], + short: 'Number of times indicator observed', + type: 'long', + }, + 'threat.indicator.type': { + dashed_name: 'threat-indicator-type', + description: 'Type of indicator as represented by Cyber Observable in STIX 2.0.', + example: 'ipv4-addr', + expected_values: [ + 'autonomous-system', + 'artifact', + 'directory', + 'domain-name', + 'email-addr', + 'file', + 'ipv4-addr', + 'ipv6-addr', + 'mac-addr', + 'mutex', + 'port', + 'process', + 'software', + 'url', + 'user-account', + 'windows-registry-key', + 'x509-certificate', + ], + flat_name: 'threat.indicator.type', + ignore_above: 1024, + level: 'extended', + name: 'indicator.type', + normalize: [], + short: 'Type of indicator', + type: 'keyword', + }, + 'threat.indicator.url.domain': { + dashed_name: 
'threat-indicator-url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'threat.indicator.url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'url', + short: 'Domain of the url.', + type: 'keyword', + }, + 'threat.indicator.url.extension': { + dashed_name: 'threat-indicator-url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.indicator.url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'url', + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'threat.indicator.url.fragment': { + dashed_name: 'threat-indicator-url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'threat.indicator.url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + original_fieldset: 'url', + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'threat.indicator.url.full': { + dashed_name: 'threat-indicator-url-full', + description: + 'If full URLs are important to your use case, they should be stored 
in `url.full`, whether this field is reconstructed or present in the event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'threat.indicator.url.full', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'url', + short: 'Full unparsed URL.', + type: 'wildcard', + }, + 'threat.indicator.url.original': { + dashed_name: 'threat-indicator-url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'threat.indicator.url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + original_fieldset: 'url', + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'threat.indicator.url.password': { + dashed_name: 'threat-indicator-url-password', + description: 'Password of the request.', + flat_name: 'threat.indicator.url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + original_fieldset: 'url', + short: 'Password of the request.', + type: 'keyword', + }, + 'threat.indicator.url.path': { + dashed_name: 'threat-indicator-url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'threat.indicator.url.path', + level: 'extended', + name: 'path', + normalize: [], + original_fieldset: 'url', + short: 'Path of the request, such as "/search".', + type: 'wildcard', + }, + 'threat.indicator.url.port': { + 
dashed_name: 'threat-indicator-url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'threat.indicator.url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + original_fieldset: 'url', + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'threat.indicator.url.query': { + dashed_name: 'threat-indicator-url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.', + flat_name: 'threat.indicator.url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + original_fieldset: 'url', + short: 'Query string of the request.', + type: 'keyword', + }, + 'threat.indicator.url.registered_domain': { + dashed_name: 'threat-indicator-url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'threat.indicator.url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + original_fieldset: 'url', + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'threat.indicator.url.scheme': { + dashed_name: 'threat-indicator-url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'threat.indicator.url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + original_fieldset: 'url', + short: 'Scheme of the url.', + type: 'keyword', + }, + 'threat.indicator.url.subdomain': { + dashed_name: 'threat-indicator-url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'threat.indicator.url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + original_fieldset: 'url', + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'threat.indicator.url.top_level_domain': { + dashed_name: 'threat-indicator-url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'threat.indicator.url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + original_fieldset: 'url', + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'threat.indicator.url.username': { + dashed_name: 'threat-indicator-url-username', + description: 'Username of the request.', + flat_name: 'threat.indicator.url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + original_fieldset: 'url', + short: 'Username of the request.', + type: 'keyword', + }, + 'threat.indicator.x509.alternative_names': { + dashed_name: 'threat-indicator-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.indicator.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.common_name': { + dashed_name: 'threat-indicator-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.country': { + dashed_name: 'threat-indicator-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.indicator.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.distinguished_name': { + dashed_name: 'threat-indicator-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.locality': { + dashed_name: 
'threat-indicator-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.indicator.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.organization': { + dashed_name: 'threat-indicator-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.indicator.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.organizational_unit': { + dashed_name: 'threat-indicator-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.indicator.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.state_or_province': { + dashed_name: 'threat-indicator-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.x509.not_after': { + dashed_name: 'threat-indicator-x509-not-after', + description: 'Time at which the 
certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.indicator.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.indicator.x509.not_before': { + dashed_name: 'threat-indicator-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.indicator.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.indicator.x509.public_key_algorithm': { + dashed_name: 'threat-indicator-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.indicator.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.indicator.x509.public_key_curve': { + dashed_name: 'threat-indicator-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.indicator.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.indicator.x509.public_key_exponent': { + dashed_name: 'threat-indicator-x509-public-key-exponent', + description: 'Exponent used to derive the public key. 
This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.indicator.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.indicator.x509.public_key_size': { + dashed_name: 'threat-indicator-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.indicator.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.indicator.x509.serial_number': { + dashed_name: 'threat-indicator-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.indicator.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.signature_algorithm': { + dashed_name: 'threat-indicator-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.indicator.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.common_name': { + dashed_name: 'threat-indicator-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.indicator.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.country': { + dashed_name: 'threat-indicator-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.indicator.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'threat.indicator.x509.subject.distinguished_name': { + dashed_name: 'threat-indicator-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.indicator.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.locality': { + dashed_name: 'threat-indicator-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + 
flat_name: 'threat.indicator.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.x509.subject.organization': { + dashed_name: 'threat-indicator-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.indicator.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.organizational_unit': { + dashed_name: 'threat-indicator-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.indicator.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.state_or_province': { + dashed_name: 'threat-indicator-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.x509.version_number': { + dashed_name: 'threat-indicator-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.indicator.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version 
of x509 format.', + type: 'keyword', + }, + 'threat.software.alias': { + dashed_name: 'threat-software-alias', + description: + 'The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® associated software description.', + example: '[ "X-Agent" ]', + flat_name: 'threat.software.alias', + ignore_above: 1024, + level: 'extended', + name: 'software.alias', + normalize: ['array'], + short: 'Alias of the software', + type: 'keyword', + }, + 'threat.software.id': { + dashed_name: 'threat-software-id', + description: + 'The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software id.', + example: 'S0552', + flat_name: 'threat.software.id', + ignore_above: 1024, + level: 'extended', + name: 'software.id', + normalize: [], + short: 'ID of the software', + type: 'keyword', + }, + 'threat.software.name': { + dashed_name: 'threat-software-name', + description: + 'The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software name.', + example: 'AdFind', + flat_name: 'threat.software.name', + ignore_above: 1024, + level: 'extended', + name: 'software.name', + normalize: [], + short: 'Name of the software.', + type: 'keyword', + }, + 'threat.software.platforms': { + dashed_name: 'threat-software-platforms', + description: + 'The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use MITRE ATT&CK® software platform values.', + example: '[ "Windows" ]', + expected_values: [ + 'AWS', + 'Azure', + 'Azure AD', + 'GCP', + 'Linux', + 'macOS', + 'Network', + 'Office 365', + 'SaaS', + 'Windows', + ], + flat_name: 'threat.software.platforms', + ignore_above: 1024, + level: 'extended', + name: 
'software.platforms', + normalize: ['array'], + short: 'Platforms of the software.', + type: 'keyword', + }, + 'threat.software.reference': { + dashed_name: 'threat-software-reference', + description: + 'The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software reference URL.', + example: 'https://attack.mitre.org/software/S0552/', + flat_name: 'threat.software.reference', + ignore_above: 1024, + level: 'extended', + name: 'software.reference', + normalize: [], + short: 'Software reference URL.', + type: 'keyword', + }, + 'threat.software.type': { + dashed_name: 'threat-software-type', + description: + 'The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software type.', + example: 'Tool', + expected_values: ['Malware', 'Tool'], + flat_name: 'threat.software.type', + ignore_above: 1024, + level: 'extended', + name: 'software.type', + normalize: [], + short: 'Software type.', + type: 'keyword', + }, + 'threat.tactic.id': { + dashed_name: 'threat-tactic-id', + description: + 'The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'TA0002', + flat_name: 'threat.tactic.id', + ignore_above: 1024, + level: 'extended', + name: 'tactic.id', + normalize: ['array'], + short: 'Threat tactic id.', + type: 'keyword', + }, + 'threat.tactic.name': { + dashed_name: 'threat-tactic-name', + description: + 'Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/)', + example: 'Execution', + flat_name: 'threat.tactic.name', + ignore_above: 1024, + level: 'extended', + name: 'tactic.name', + normalize: ['array'], + short: 'Threat tactic.', + type: 'keyword', + }, + 'threat.tactic.reference': { + dashed_name: 'threat-tactic-reference', + description: + 'The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'https://attack.mitre.org/tactics/TA0002/', + flat_name: 'threat.tactic.reference', + ignore_above: 1024, + level: 'extended', + name: 'tactic.reference', + normalize: ['array'], + short: 'Threat tactic URL reference.', + type: 'keyword', + }, + 'threat.technique.id': { + dashed_name: 'threat-technique-id', + description: + 'The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'T1059', + flat_name: 'threat.technique.id', + ignore_above: 1024, + level: 'extended', + name: 'technique.id', + normalize: ['array'], + short: 'Threat technique id.', + type: 'keyword', + }, + 'threat.technique.name': { + dashed_name: 'threat-technique-name', + description: + 'The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'Command and Scripting Interpreter', + flat_name: 'threat.technique.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.technique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'technique.name', + normalize: ['array'], + short: 'Threat technique name.', + type: 'keyword', + }, + 'threat.technique.reference': { + dashed_name: 'threat-technique-reference', + description: + 'The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/)', + example: 'https://attack.mitre.org/techniques/T1059/', + flat_name: 'threat.technique.reference', + ignore_above: 1024, + level: 'extended', + name: 'technique.reference', + normalize: ['array'], + short: 'Threat technique URL reference.', + type: 'keyword', + }, + 'threat.technique.subtechnique.id': { + dashed_name: 'threat-technique-subtechnique-id', + description: + 'The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'T1059.001', + flat_name: 'threat.technique.subtechnique.id', + ignore_above: 1024, + level: 'extended', + name: 'technique.subtechnique.id', + normalize: ['array'], + short: 'Threat subtechnique id.', + type: 'keyword', + }, + 'threat.technique.subtechnique.name': { + dashed_name: 'threat-technique-subtechnique-name', + description: + 'The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'PowerShell', + flat_name: 'threat.technique.subtechnique.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.technique.subtechnique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'technique.subtechnique.name', + normalize: ['array'], + short: 'Threat subtechnique name.', + type: 'keyword', + }, + 'threat.technique.subtechnique.reference': { + dashed_name: 'threat-technique-subtechnique-reference', + description: + 'The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/)', + example: 'https://attack.mitre.org/techniques/T1059/001/', + flat_name: 'threat.technique.subtechnique.reference', + ignore_above: 1024, + level: 'extended', + name: 'technique.subtechnique.reference', + normalize: ['array'], + short: 'Threat subtechnique URL reference.', + type: 'keyword', + }, + 'threat.threat.indicator.marking.tlp.version': { + dashed_name: 'threat-threat-indicator-marking-tlp-version', + description: 'Traffic Light Protocol version.', + example: 2, + flat_name: 'threat.threat.indicator.marking.tlp.version', + ignore_above: 1024, + level: 'extended', + name: 'threat.indicator.marking.tlp.version', + normalize: [], + short: 'Indicator TLP version', + type: 'keyword', + }, + 'tls.cipher': { + dashed_name: 'tls-cipher', + description: 'String indicating the cipher used during the current connection.', + example: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + flat_name: 'tls.cipher', + ignore_above: 1024, + level: 'extended', + name: 'cipher', + normalize: [], + short: 'String indicating the cipher used during the current connection.', + type: 'keyword', + }, + 'tls.client.certificate': { + dashed_name: 'tls-client-certificate', + description: + 'PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.', + example: 'MII...', + flat_name: 'tls.client.certificate', + ignore_above: 1024, + level: 'extended', + name: 'client.certificate', + normalize: [], + short: 'PEM-encoded stand-alone certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.certificate_chain': { + dashed_name: 'tls-client-certificate-chain', + description: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the client. 
This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.', + example: '["MII...", "MII..."]', + flat_name: 'tls.client.certificate_chain', + ignore_above: 1024, + level: 'extended', + name: 'client.certificate_chain', + normalize: ['array'], + short: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.md5': { + dashed_name: 'tls-client-hash-md5', + description: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC', + flat_name: 'tls.client.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.md5', + normalize: [], + short: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.sha1': { + dashed_name: 'tls-client-hash-sha1', + description: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '9E393D93138888D288266C2D915214D1D1CCEB2A', + flat_name: 'tls.client.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.sha1', + normalize: [], + short: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.sha256': { + dashed_name: 'tls-client-hash-sha256', + description: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0', + flat_name: 'tls.client.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.sha256', + normalize: [], + short: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.issuer': { + dashed_name: 'tls-client-issuer', + description: + 'Distinguished name of subject of the issuer of the x.509 certificate presented by the client.', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.client.issuer', + ignore_above: 1024, + level: 'extended', + name: 'client.issuer', + normalize: [], + short: + 'Distinguished name of subject of the issuer of the x.509 certificate presented by the client.', + type: 'keyword', + }, + 'tls.client.ja3': { + dashed_name: 'tls-client-ja3', + description: 'A hash that identifies clients based on how they perform an SSL/TLS handshake.', + example: 'd4e5b18d6b55c71272893221c96ba240', + flat_name: 'tls.client.ja3', + ignore_above: 1024, + level: 'extended', + name: 'client.ja3', + normalize: [], + short: 'A hash that identifies clients based on how they perform an SSL/TLS handshake.', + type: 'keyword', + }, + 'tls.client.not_after': { + dashed_name: 'tls-client-not-after', + description: 'Date/Time indicating when client certificate is no longer considered valid.', + example: '2021-01-01T00:00:00.000Z', + flat_name: 'tls.client.not_after', + level: 'extended', + name: 'client.not_after', + normalize: [], + short: 'Date/Time indicating when client certificate is no longer considered valid.', + type: 'date', + }, + 'tls.client.not_before': { + dashed_name: 'tls-client-not-before', + description: 'Date/Time indicating when client certificate is first considered valid.', + example: '1970-01-01T00:00:00.000Z', + 
flat_name: 'tls.client.not_before', + level: 'extended', + name: 'client.not_before', + normalize: [], + short: 'Date/Time indicating when client certificate is first considered valid.', + type: 'date', + }, + 'tls.client.server_name': { + dashed_name: 'tls-client-server-name', + description: + 'Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.', + example: 'www.elastic.co', + flat_name: 'tls.client.server_name', + ignore_above: 1024, + level: 'extended', + name: 'client.server_name', + normalize: [], + short: 'Hostname the client is trying to connect to. Also called the SNI.', + type: 'keyword', + }, + 'tls.client.subject': { + dashed_name: 'tls-client-subject', + description: 'Distinguished name of subject of the x.509 certificate presented by the client.', + example: 'CN=myclient, OU=Documentation Team, DC=example, DC=com', + flat_name: 'tls.client.subject', + ignore_above: 1024, + level: 'extended', + name: 'client.subject', + normalize: [], + short: 'Distinguished name of subject of the x.509 certificate presented by the client.', + type: 'keyword', + }, + 'tls.client.supported_ciphers': { + dashed_name: 'tls-client-supported-ciphers', + description: 'Array of ciphers offered by the client during the client hello.', + example: + '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]', + flat_name: 'tls.client.supported_ciphers', + ignore_above: 1024, + level: 'extended', + name: 'client.supported_ciphers', + normalize: ['array'], + short: 'Array of ciphers offered by the client during the client hello.', + type: 'keyword', + }, + 'tls.client.x509.alternative_names': { + dashed_name: 'tls-client-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'tls.client.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'tls.client.x509.issuer.common_name': { + dashed_name: 'tls-client-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'tls.client.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.country': { + dashed_name: 'tls-client-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'tls.client.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'tls.client.x509.issuer.distinguished_name': { + dashed_name: 'tls-client-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'tls.client.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.locality': { + dashed_name: 'tls-client-x509-issuer-locality', + description: 'List of locality names (L)', + 
example: 'Mountain View', + flat_name: 'tls.client.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.client.x509.issuer.organization': { + dashed_name: 'tls-client-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'tls.client.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.organizational_unit': { + dashed_name: 'tls-client-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'tls.client.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.state_or_province': { + dashed_name: 'tls-client-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.client.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.client.x509.not_after': { + dashed_name: 'tls-client-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'tls.client.x509.not_after', + level: 'extended', + name: 
'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'tls.client.x509.not_before': { + dashed_name: 'tls-client-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'tls.client.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'tls.client.x509.public_key_algorithm': { + dashed_name: 'tls-client-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'tls.client.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'tls.client.x509.public_key_curve': { + dashed_name: 'tls-client-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'tls.client.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'tls.client.x509.public_key_exponent': { + dashed_name: 'tls-client-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'tls.client.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'tls.client.x509.public_key_size': { + dashed_name: 'tls-client-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'tls.client.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'tls.client.x509.serial_number': { + dashed_name: 'tls-client-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'tls.client.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.signature_algorithm': { + dashed_name: 'tls-client-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'tls.client.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'tls.client.x509.subject.common_name': { + dashed_name: 'tls-client-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'tls.client.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.country': { + dashed_name: 'tls-client-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'tls.client.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'tls.client.x509.subject.distinguished_name': { + dashed_name: 'tls-client-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'tls.client.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'tls.client.x509.subject.locality': { + dashed_name: 'tls-client-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'tls.client.x509.subject.locality', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.client.x509.subject.organization': { + dashed_name: 'tls-client-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'tls.client.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.organizational_unit': { + dashed_name: 'tls-client-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'tls.client.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.state_or_province': { + dashed_name: 'tls-client-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.client.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.client.x509.version_number': { + dashed_name: 'tls-client-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'tls.client.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'tls.curve': { + dashed_name: 'tls-curve', + description: 'String indicating the curve used for the given 
cipher, when applicable.', + example: 'secp256r1', + flat_name: 'tls.curve', + ignore_above: 1024, + level: 'extended', + name: 'curve', + normalize: [], + short: 'String indicating the curve used for the given cipher, when applicable.', + type: 'keyword', + }, + 'tls.established': { + dashed_name: 'tls-established', + description: + 'Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.', + flat_name: 'tls.established', + level: 'extended', + name: 'established', + normalize: [], + short: + 'Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.', + type: 'boolean', + }, + 'tls.next_protocol': { + dashed_name: 'tls-next-protocol', + description: + 'String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.', + example: 'http/1.1', + flat_name: 'tls.next_protocol', + ignore_above: 1024, + level: 'extended', + name: 'next_protocol', + normalize: [], + short: 'String indicating the protocol being tunneled.', + type: 'keyword', + }, + 'tls.resumed': { + dashed_name: 'tls-resumed', + description: + 'Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.', + flat_name: 'tls.resumed', + level: 'extended', + name: 'resumed', + normalize: [], + short: + 'Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.', + type: 'boolean', + }, + 'tls.server.certificate': { + dashed_name: 'tls-server-certificate', + description: + 'PEM-encoded stand-alone certificate offered by the server. 
This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.', + example: 'MII...', + flat_name: 'tls.server.certificate', + ignore_above: 1024, + level: 'extended', + name: 'server.certificate', + normalize: [], + short: 'PEM-encoded stand-alone certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.certificate_chain': { + dashed_name: 'tls-server-certificate-chain', + description: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.', + example: '["MII...", "MII..."]', + flat_name: 'tls.server.certificate_chain', + ignore_above: 1024, + level: 'extended', + name: 'server.certificate_chain', + normalize: ['array'], + short: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.md5': { + dashed_name: 'tls-server-hash-md5', + description: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC', + flat_name: 'tls.server.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.md5', + normalize: [], + short: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.sha1': { + dashed_name: 'tls-server-hash-sha1', + description: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '9E393D93138888D288266C2D915214D1D1CCEB2A', + flat_name: 'tls.server.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.sha1', + normalize: [], + short: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.sha256': { + dashed_name: 'tls-server-hash-sha256', + description: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0', + flat_name: 'tls.server.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.sha256', + normalize: [], + short: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.issuer': { + dashed_name: 'tls-server-issuer', + description: 'Subject of the issuer of the x.509 certificate presented by the server.', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.server.issuer', + ignore_above: 1024, + level: 'extended', + name: 'server.issuer', + normalize: [], + short: 'Subject of the issuer of the x.509 certificate presented by the server.', + type: 'keyword', + }, + 'tls.server.ja3s': { + dashed_name: 'tls-server-ja3s', + description: 'A hash that identifies servers based on how they perform an SSL/TLS handshake.', + example: '394441ab65754e2207b1e1b457b3641d', + flat_name: 'tls.server.ja3s', + ignore_above: 1024, + level: 'extended', + name: 'server.ja3s', + normalize: [], + short: 'A hash that identifies servers based on how they perform an SSL/TLS handshake.', + type: 'keyword', + }, + 'tls.server.not_after': { + dashed_name: 
'tls-server-not-after', + description: 'Timestamp indicating when server certificate is no longer considered valid.', + example: '2021-01-01T00:00:00.000Z', + flat_name: 'tls.server.not_after', + level: 'extended', + name: 'server.not_after', + normalize: [], + short: 'Timestamp indicating when server certificate is no longer considered valid.', + type: 'date', + }, + 'tls.server.not_before': { + dashed_name: 'tls-server-not-before', + description: 'Timestamp indicating when server certificate is first considered valid.', + example: '1970-01-01T00:00:00.000Z', + flat_name: 'tls.server.not_before', + level: 'extended', + name: 'server.not_before', + normalize: [], + short: 'Timestamp indicating when server certificate is first considered valid.', + type: 'date', + }, + 'tls.server.subject': { + dashed_name: 'tls-server-subject', + description: 'Subject of the x.509 certificate presented by the server.', + example: 'CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.server.subject', + ignore_above: 1024, + level: 'extended', + name: 'server.subject', + normalize: [], + short: 'Subject of the x.509 certificate presented by the server.', + type: 'keyword', + }, + 'tls.server.x509.alternative_names': { + dashed_name: 'tls-server-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'tls.server.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'tls.server.x509.issuer.common_name': { + dashed_name: 'tls-server-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'tls.server.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.country': { + dashed_name: 'tls-server-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'tls.server.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'tls.server.x509.issuer.distinguished_name': { + dashed_name: 'tls-server-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'tls.server.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.locality': { + dashed_name: 'tls-server-x509-issuer-locality', + description: 'List of locality names (L)', + 
example: 'Mountain View', + flat_name: 'tls.server.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.server.x509.issuer.organization': { + dashed_name: 'tls-server-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'tls.server.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.organizational_unit': { + dashed_name: 'tls-server-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'tls.server.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.state_or_province': { + dashed_name: 'tls-server-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.server.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.server.x509.not_after': { + dashed_name: 'tls-server-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'tls.server.x509.not_after', + level: 'extended', + name: 
'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'tls.server.x509.not_before': { + dashed_name: 'tls-server-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'tls.server.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'tls.server.x509.public_key_algorithm': { + dashed_name: 'tls-server-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'tls.server.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'tls.server.x509.public_key_curve': { + dashed_name: 'tls-server-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'tls.server.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'tls.server.x509.public_key_exponent': { + dashed_name: 'tls-server-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'tls.server.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'tls.server.x509.public_key_size': { + dashed_name: 'tls-server-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'tls.server.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'tls.server.x509.serial_number': { + dashed_name: 'tls-server-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'tls.server.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.signature_algorithm': { + dashed_name: 'tls-server-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'tls.server.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'tls.server.x509.subject.common_name': { + dashed_name: 'tls-server-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'tls.server.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.country': { + dashed_name: 'tls-server-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'tls.server.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'tls.server.x509.subject.distinguished_name': { + dashed_name: 'tls-server-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'tls.server.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'tls.server.x509.subject.locality': { + dashed_name: 'tls-server-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'tls.server.x509.subject.locality', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.server.x509.subject.organization': { + dashed_name: 'tls-server-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'tls.server.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.organizational_unit': { + dashed_name: 'tls-server-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'tls.server.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.state_or_province': { + dashed_name: 'tls-server-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.server.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.server.x509.version_number': { + dashed_name: 'tls-server-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'tls.server.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'tls.version': { + dashed_name: 'tls-version', + description: 'Numeric part of the version parsed from the 
original string.', + example: '1.2', + flat_name: 'tls.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Numeric part of the version parsed from the original string.', + type: 'keyword', + }, + 'tls.version_protocol': { + dashed_name: 'tls-version-protocol', + description: 'Normalized lowercase protocol name parsed from original string.', + example: 'tls', + flat_name: 'tls.version_protocol', + ignore_above: 1024, + level: 'extended', + name: 'version_protocol', + normalize: [], + short: 'Normalized lowercase protocol name parsed from original string.', + type: 'keyword', + }, + 'trace.id': { + dashed_name: 'trace-id', + description: + 'Unique identifier of the trace.\nA trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.', + example: '4bf92f3577b34da6a3ce929d0e0e4736', + flat_name: 'trace.id', + ignore_above: 1024, + level: 'extended', + name: 'trace.id', + normalize: [], + short: 'Unique identifier of the trace.', + type: 'keyword', + }, + 'transaction.id': { + dashed_name: 'transaction-id', + description: + 'Unique identifier of the transaction within the scope of its trace.\nA transaction is the highest level of work measured within a service, such as a request to a server.', + example: '00f067aa0ba902b7', + flat_name: 'transaction.id', + ignore_above: 1024, + level: 'extended', + name: 'transaction.id', + normalize: [], + short: 'Unique identifier of the transaction within the scope of its trace.', + type: 'keyword', + }, + 'url.domain': { + dashed_name: 'url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Domain of the url.', + type: 'keyword', + }, + 'url.extension': { + dashed_name: 'url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'url.fragment': { + dashed_name: 'url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'url.full': { + dashed_name: 'url-full', + description: + 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'url.full', + level: 'extended', + multi_fields: [{ flat_name: 'url.full.text', name: 'text', type: 'match_only_text' }], + name: 'full', + normalize: [], + short: 'Full unparsed URL.', + type: 'wildcard', + }, + 'url.original': { + dashed_name: 
'url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'url.original', + level: 'extended', + multi_fields: [{ flat_name: 'url.original.text', name: 'text', type: 'match_only_text' }], + name: 'original', + normalize: [], + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'url.password': { + dashed_name: 'url-password', + description: 'Password of the request.', + flat_name: 'url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + short: 'Password of the request.', + type: 'keyword', + }, + 'url.path': { + dashed_name: 'url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'url.path', + level: 'extended', + name: 'path', + normalize: [], + short: 'Path of the request, such as "/search".', + type: 'wildcard', + }, + 'url.port': { + dashed_name: 'url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'url.query': { + dashed_name: 'url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases.', + flat_name: 'url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + short: 'Query string of the request.', + type: 'keyword', + }, + 'url.registered_domain': { + dashed_name: 'url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'url.scheme': { + dashed_name: 'url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + short: 'Scheme of the url.', + type: 'keyword', + }, + 'url.subdomain': { + dashed_name: 'url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'url.top_level_domain': { + dashed_name: 'url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'url.username': { + dashed_name: 'url-username', + description: 'Username of the request.', + flat_name: 'url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + short: 'Username of the request.', + type: 'keyword', + }, + 'user.changes.domain': { + dashed_name: 'user-changes-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.changes.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.changes.email': { + dashed_name: 'user-changes-email', + description: 'User email address.', + flat_name: 'user.changes.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User 
email address.', + type: 'keyword', + }, + 'user.changes.full_name': { + dashed_name: 'user-changes-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.changes.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.changes.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.changes.group.domain': { + dashed_name: 'user-changes-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.changes.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.changes.group.id': { + dashed_name: 'user-changes-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.changes.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.changes.group.name': { + dashed_name: 'user-changes-group-name', + description: 'Name of the group.', + flat_name: 'user.changes.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.changes.hash': { + dashed_name: 'user-changes-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.changes.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: 
[], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.changes.id': { + dashed_name: 'user-changes-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.changes.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.changes.name': { + dashed_name: 'user-changes-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.changes.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.changes.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.changes.roles': { + dashed_name: 'user-changes-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.changes.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.domain': { + dashed_name: 'user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.effective.domain': { + dashed_name: 'user-effective-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.effective.domain', + ignore_above: 1024, + level: 
'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.effective.email': { + dashed_name: 'user-effective-email', + description: 'User email address.', + flat_name: 'user.effective.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.effective.full_name': { + dashed_name: 'user-effective-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.effective.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.effective.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.effective.group.domain': { + dashed_name: 'user-effective-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.effective.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.effective.group.id': { + dashed_name: 'user-effective-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.effective.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.effective.group.name': { + dashed_name: 'user-effective-group-name', + description: 'Name of the group.', + flat_name: 'user.effective.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + 
normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.effective.hash': { + dashed_name: 'user-effective-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.effective.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.effective.id': { + dashed_name: 'user-effective-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.effective.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.effective.name': { + dashed_name: 'user-effective-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.effective.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.effective.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.effective.roles': { + dashed_name: 'user-effective-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.effective.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.email': { + dashed_name: 'user-email', + description: 'User email address.', + flat_name: 'user.email', + ignore_above: 1024, + level: 'extended', 
+ name: 'email', + normalize: [], + short: 'User email address.', + type: 'keyword', + }, + 'user.full_name': { + dashed_name: 'user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.group.domain': { + dashed_name: 'user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.group.id': { + dashed_name: 'user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.group.name': { + dashed_name: 'user-group-name', + description: 'Name of the group.', + flat_name: 'user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.hash': { + dashed_name: 'user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', 
+ }, + 'user.id': { + dashed_name: 'user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.name': { + dashed_name: 'user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [{ flat_name: 'user.name.text', name: 'text', type: 'match_only_text' }], + name: 'name', + normalize: [], + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.risk.calculated_level': { + dashed_name: 'user-risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'user.risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'keyword', + }, + 'user.risk.calculated_score': { + dashed_name: 'user-risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'user.risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'user.risk.calculated_score_norm': { + dashed_name: 'user-risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to 
a range of 0 to 100.', + example: 88.73, + flat_name: 'user.risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'user.risk.static_level': { + dashed_name: 'user-risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 'High', + flat_name: 'user.risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'keyword', + }, + 'user.risk.static_score': { + dashed_name: 'user-risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'user.risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'user.risk.static_score_norm': { + dashed_name: 'user-risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'user.risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + 'user.roles': { + dashed_name: 'user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + 
flat_name: 'user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.target.domain': { + dashed_name: 'user-target-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.target.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.target.email': { + dashed_name: 'user-target-email', + description: 'User email address.', + flat_name: 'user.target.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.target.full_name': { + dashed_name: 'user-target-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.target.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.target.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.target.group.domain': { + dashed_name: 'user-target-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.target.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.target.group.id': { + dashed_name: 'user-target-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.target.group.id', + 
ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.target.group.name': { + dashed_name: 'user-target-group-name', + description: 'Name of the group.', + flat_name: 'user.target.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.target.hash': { + dashed_name: 'user-target-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.target.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.target.id': { + dashed_name: 'user-target-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.target.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.target.name': { + dashed_name: 'user-target-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.target.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.target.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.target.roles': { + dashed_name: 'user-target-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 
'user.target.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user_agent.device.name': { + dashed_name: 'user-agent-device-name', + description: 'Name of the device.', + example: 'iPhone', + flat_name: 'user_agent.device.name', + ignore_above: 1024, + level: 'extended', + name: 'device.name', + normalize: [], + short: 'Name of the device.', + type: 'keyword', + }, + 'user_agent.name': { + dashed_name: 'user-agent-name', + description: 'Name of the user agent.', + example: 'Safari', + flat_name: 'user_agent.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the user agent.', + type: 'keyword', + }, + 'user_agent.original': { + dashed_name: 'user-agent-original', + description: 'Unparsed user_agent string.', + example: + 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1', + flat_name: 'user_agent.original', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user_agent.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + short: 'Unparsed user_agent string.', + type: 'keyword', + }, + 'user_agent.os.family': { + dashed_name: 'user-agent-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'user_agent.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'user_agent.os.full': { + dashed_name: 'user-agent-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'user_agent.os.full', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'user_agent.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'user_agent.os.kernel': { + dashed_name: 'user-agent-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'user_agent.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'user_agent.os.name': { + dashed_name: 'user-agent-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'user_agent.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user_agent.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'user_agent.os.platform': { + dashed_name: 'user-agent-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'user_agent.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'user_agent.os.type': { + dashed_name: 'user-agent-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. 
Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'user_agent.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'user_agent.os.version': { + dashed_name: 'user-agent-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'user_agent.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'user_agent.version': { + dashed_name: 'user-agent-version', + description: 'Version of the user agent.', + example: 12, + flat_name: 'user_agent.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Version of the user agent.', + type: 'keyword', + }, + 'vulnerability.category': { + dashed_name: 'vulnerability-category', + description: + 'The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])\nThis field must be an array.', + example: '["Firewall"]', + flat_name: 'vulnerability.category', + ignore_above: 1024, + level: 'extended', + name: 'category', + normalize: ['array'], + short: 'Category of a vulnerability.', + type: 'keyword', + }, + 'vulnerability.classification': { + dashed_name: 'vulnerability-classification', + description: + 'The classification of the vulnerability scoring system. 
For example (https://www.first.org/cvss/)', + example: 'CVSS', + flat_name: 'vulnerability.classification', + ignore_above: 1024, + level: 'extended', + name: 'classification', + normalize: [], + short: 'Classification of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.description': { + dashed_name: 'vulnerability-description', + description: + 'The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])', + example: 'In macOS before 2.12.6, there is a vulnerability in the RPC...', + flat_name: 'vulnerability.description', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'vulnerability.description.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'description', + normalize: [], + short: 'Description of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.enumeration': { + dashed_name: 'vulnerability-enumeration', + description: + 'The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/)', + example: 'CVE', + flat_name: 'vulnerability.enumeration', + ignore_above: 1024, + level: 'extended', + name: 'enumeration', + normalize: [], + short: 'Identifier of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.id': { + dashed_name: 'vulnerability-id', + description: + 'The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]', + example: 'CVE-2019-00001', + flat_name: 'vulnerability.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'ID of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.reference': { + dashed_name: 'vulnerability-reference', + description: + 'A resource that provides additional information, context, and mitigations for the identified vulnerability.', + example: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', + flat_name: 'vulnerability.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Reference of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.report_id': { + dashed_name: 'vulnerability-report-id', + description: 'The report or scan identification number.', + example: 20191018.0001, + flat_name: 'vulnerability.report_id', + ignore_above: 1024, + level: 'extended', + name: 'report_id', + normalize: [], + short: 'Scan identification number.', + type: 'keyword', + }, + 'vulnerability.scanner.vendor': { + dashed_name: 'vulnerability-scanner-vendor', + description: 'The name of the vulnerability scanner vendor.', + example: 'Tenable', + flat_name: 'vulnerability.scanner.vendor', + ignore_above: 1024, + level: 'extended', + name: 'scanner.vendor', + normalize: [], + short: 'Name of the scanner vendor.', + type: 'keyword', + }, + 'vulnerability.score.base': { + dashed_name: 'vulnerability-score-base', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nBase scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document)', + example: 5.5, + flat_name: 'vulnerability.score.base', + level: 'extended', + name: 'score.base', + normalize: [], + short: 'Vulnerability Base score.', + type: 'float', + }, + 'vulnerability.score.environmental': { + dashed_name: 'vulnerability-score-environmental', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)', + example: 5.5, + flat_name: 'vulnerability.score.environmental', + level: 'extended', + name: 'score.environmental', + normalize: [], + short: 'Vulnerability Environmental score.', + type: 'float', + }, + 'vulnerability.score.temporal': { + dashed_name: 'vulnerability-score-temporal', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nTemporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)', + flat_name: 'vulnerability.score.temporal', + level: 'extended', + name: 'score.temporal', + normalize: [], + short: 'Vulnerability Temporal score.', + type: 'float', + }, + 'vulnerability.score.version': { + dashed_name: 'vulnerability-score-version', + description: + 'The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. 
For example (https://nvd.nist.gov/vuln-metrics/cvss)', + example: 2, + flat_name: 'vulnerability.score.version', + ignore_above: 1024, + level: 'extended', + name: 'score.version', + normalize: [], + short: 'CVSS version.', + type: 'keyword', + }, + 'vulnerability.severity': { + dashed_name: 'vulnerability-severity', + description: + 'The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)', + example: 'Critical', + flat_name: 'vulnerability.severity', + ignore_above: 1024, + level: 'extended', + name: 'severity', + normalize: [], + short: 'Severity of the vulnerability.', + type: 'keyword', + }, +}; diff --git a/packages/kbn-ecs/generated/ecs_nested.ts b/packages/kbn-ecs/generated/ecs_nested.ts new file mode 100644 index 0000000000000..761b4b4643049 --- /dev/null +++ b/packages/kbn-ecs/generated/ecs_nested.ts 
@@ -0,0 +1,22185 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export const EcsNested = { + agent: { + description: + 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.', + fields: { + 'agent.build.original': { + dashed_name: 'agent-build-original', + description: + 'Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required.', + example: + 'metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]', + flat_name: 'agent.build.original', + ignore_above: 1024, + level: 'core', + name: 'build.original', + normalize: [], + short: 'Extended build information for the agent.', + type: 'keyword', + }, + 'agent.ephemeral_id': { + dashed_name: 'agent-ephemeral-id', + description: + 'Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not.', + example: '8a4f500f', + flat_name: 'agent.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + short: 'Ephemeral identifier of this agent.', + type: 'keyword', + }, + 'agent.id': { + dashed_name: 'agent-id', + description: + 'Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id.', + example: 
'8a4f500d', + flat_name: 'agent.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of this agent.', + type: 'keyword', + }, + 'agent.name': { + dashed_name: 'agent-name', + description: + 'Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.', + example: 'foo', + flat_name: 'agent.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Custom name of the agent.', + type: 'keyword', + }, + 'agent.type': { + dashed_name: 'agent-type', + description: + 'Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', + example: 'filebeat', + flat_name: 'agent.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'Type of the agent.', + type: 'keyword', + }, + 'agent.version': { + dashed_name: 'agent-version', + description: 'Version of the agent.', + example: '6.0.0-rc2', + flat_name: 'agent.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Version of the agent.', + type: 'keyword', + }, + }, + footnote: + 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. 
The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.', + group: 2, + name: 'agent', + prefix: 'agent.', + short: 'Fields about the monitoring agent.', + title: 'Agent', + type: 'group', + }, + as: { + description: + 'An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.', + fields: { + 'as.number': { + dashed_name: 'as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'as.number', + level: 'extended', + name: 'number', + normalize: [], + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'as.organization.name': { + dashed_name: 'as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + short: 'Organization name.', + type: 'keyword', + }, + }, + group: 2, + name: 'as', + prefix: 'as.', + reusable: { + expected: [ + { as: 'as', at: 'client', full: 'client.as' }, + { as: 'as', at: 'destination', full: 'destination.as' }, + { as: 'as', at: 'server', full: 'server.as' }, + { as: 'as', at: 'source', full: 'source.as' }, + { as: 'as', at: 'threat.indicator', full: 'threat.indicator.as' }, + { + as: 'as', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.as', + }, + ], + top_level: false, + }, + short: 'Fields describing an Autonomous System (Internet routing prefix).', + title: 'Autonomous 
System', + type: 'group', + }, + base: { + description: + 'The `base` field set contains all fields which are at the root of the events. These fields are common across all types of events.', + fields: { + '@timestamp': { + dashed_name: 'timestamp', + description: + 'Date/time when the event originated.\nThis is the date/time extracted from the event, typically representing when the event was generated by the source.\nIf the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.\nRequired field for all events.', + example: '2016-05-23T08:05:34.853Z', + flat_name: '@timestamp', + level: 'core', + name: '@timestamp', + normalize: [], + required: true, + short: 'Date/time when the event originated.', + type: 'date', + }, + labels: { + dashed_name: 'labels', + description: + 'Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels.', + example: '{"application": "foo-bar", "env": "production"}', + flat_name: 'labels', + level: 'core', + name: 'labels', + normalize: [], + object_type: 'keyword', + short: 'Custom key/value pairs.', + type: 'object', + }, + message: { + dashed_name: 'message', + description: + 'For log events the message field contains the log message, optimized for viewing in a log viewer.\nFor structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.\nIf multiple messages exist, they can be combined into one message.', + example: 'Hello World', + flat_name: 'message', + level: 'core', + name: 'message', + normalize: [], + short: 'Log message optimized for viewing in a log viewer.', + type: 'match_only_text', + }, + tags: { + dashed_name: 'tags', + description: 'List of keywords used to tag each event.', + example: '["production", "env2"]', + flat_name: 'tags', + ignore_above: 1024, + 
level: 'core', + name: 'tags', + normalize: ['array'], + short: 'List of keywords used to tag each event.', + type: 'keyword', + }, + }, + group: 1, + name: 'base', + prefix: '', + root: true, + short: 'All fields defined directly at the root of the events.', + title: 'Base', + type: 'group', + }, + client: { + description: + 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.\nFor TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.\nClient / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.', + fields: { + 'client.address': { + dashed_name: 'client-address', + description: + 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'client.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Client network address.', + type: 'keyword', + }, + 'client.as.number': { + dashed_name: 'client-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'client.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'client.as.organization.name': { + dashed_name: 'client-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'client.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'client.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'client.bytes': { + dashed_name: 'client-bytes', + description: 'Bytes sent from the client to the server.', + example: 184, + flat_name: 'client.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the client to the server.', + type: 'long', + }, + 'client.domain': { + dashed_name: 'client-domain', + description: + 'The domain name of the client system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'client.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the client.', + type: 'keyword', + }, + 'client.geo.city_name': { + dashed_name: 'client-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'client.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'client.geo.continent_code': { + dashed_name: 'client-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'client.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'client.geo.continent_name': { + dashed_name: 'client-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'client.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'client.geo.country_iso_code': { + dashed_name: 'client-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'client.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'client.geo.country_name': { + dashed_name: 'client-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'client.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'client.geo.location': { 
+ dashed_name: 'client-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'client.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'client.geo.name': { + dashed_name: 'client-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'client.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'client.geo.postal_code': { + dashed_name: 'client-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'client.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'client.geo.region_iso_code': { + dashed_name: 'client-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'client.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'client.geo.region_name': { + dashed_name: 'client-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'client.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'client.geo.timezone': { + dashed_name: 'client-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'client.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'client.ip': { + dashed_name: 'client-ip', + description: 'IP address of the client (IPv4 or IPv6).', + flat_name: 'client.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the client.', + type: 'ip', + }, + 'client.mac': { + dashed_name: 'client-mac', + description: + 'MAC address of the client.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'client.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the client.', + type: 'keyword', + }, + 'client.nat.ip': { + dashed_name: 'client-nat-ip', + description: + 'Translated IP of source based NAT sessions (e.g. internal client to internet).\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'client.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Client NAT ip address', + type: 'ip', + }, + 'client.nat.port': { + dashed_name: 'client-nat-port', + description: + 'Translated port of source based NAT sessions (e.g. 
internal client to internet).\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'client.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Client NAT port', + type: 'long', + }, + 'client.packets': { + dashed_name: 'client-packets', + description: 'Packets sent from the client to the server.', + example: 12, + flat_name: 'client.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the client to the server.', + type: 'long', + }, + 'client.port': { + dashed_name: 'client-port', + description: 'Port of the client.', + flat_name: 'client.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the client.', + type: 'long', + }, + 'client.registered_domain': { + dashed_name: 'client-registered-domain', + description: + 'The highest registered client domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'client.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered client domain, stripped of the subdomain.', + type: 'keyword', + }, + 'client.subdomain': { + dashed_name: 'client-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'client.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'client.top_level_domain': { + dashed_name: 'client-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'client.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'client.user.domain': { + dashed_name: 'client-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'client.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'client.user.email': { + dashed_name: 'client-user-email', + description: 'User email address.', + flat_name: 'client.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'client.user.full_name': { + dashed_name: 'client-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'client.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'client.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'client.user.group.domain': { + dashed_name: 'client-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'client.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'client.user.group.id': { + dashed_name: 'client-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'client.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'client.user.group.name': { + dashed_name: 'client-user-group-name', + description: 'Name of the group.', + flat_name: 'client.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'client.user.hash': { + dashed_name: 'client-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'client.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'client.user.id': { + dashed_name: 'client-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'client.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'client.user.name': { + dashed_name: 'client-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'client.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'client.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'client.user.roles': { + dashed_name: 'client-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'client.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'client', + nestings: ['client.as', 'client.geo', 'client.user'], + prefix: 'client.', + reused_here: [ + { + full: 'client.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'client.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'client.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the client side of a network connection, used with server.', + title: 'Client', + type: 'group', + }, + cloud: { + description: 'Fields related to the cloud or infrastructure the events are coming from.', + fields: { + 'cloud.account.id': { + dashed_name: 'cloud-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant 
environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.account.name': { + dashed_name: 'cloud-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + flat_name: 'cloud.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.availability_zone': { + dashed_name: 'cloud-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.instance.id': { + dashed_name: 'cloud-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + short: 'Instance ID of the host machine.', + type: 'keyword', + }, + 'cloud.instance.name': { + dashed_name: 'cloud-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.machine.type': { + dashed_name: 'cloud-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.machine.type', + 
ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.origin.account.id': { + dashed_name: 'cloud-origin-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.origin.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.origin.account.name': { + dashed_name: 'cloud-origin-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + flat_name: 'cloud.origin.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.origin.availability_zone': { + dashed_name: 'cloud-origin-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.origin.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + original_fieldset: 'cloud', + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.origin.instance.id': { + dashed_name: 'cloud-origin-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.origin.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance ID of the host 
machine.', + type: 'keyword', + }, + 'cloud.origin.instance.name': { + dashed_name: 'cloud-origin-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.origin.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.origin.machine.type': { + dashed_name: 'cloud-origin-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.origin.machine.type', + ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + original_fieldset: 'cloud', + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.origin.project.id': { + dashed_name: 'cloud-origin-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.origin.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.origin.project.name': { + dashed_name: 'cloud-origin-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.origin.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project name.', + type: 'keyword', + }, + 'cloud.origin.provider': { + dashed_name: 'cloud-origin-provider', + description: + 'Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.origin.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + original_fieldset: 'cloud', + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.origin.region': { + dashed_name: 'cloud-origin-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.origin.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + original_fieldset: 'cloud', + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.origin.service.name': { + dashed_name: 'cloud-origin-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.origin.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud service name.', + type: 'keyword', + }, + 'cloud.project.id': { + dashed_name: 'cloud-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.project.name': { + dashed_name: 'cloud-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + short: 'The cloud project name.', + type: 'keyword', + }, + 
'cloud.provider': { + dashed_name: 'cloud-provider', + description: + 'Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.region': { + dashed_name: 'cloud-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.service.name': { + dashed_name: 'cloud-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + short: 'The cloud service name.', + type: 'keyword', + }, + 'cloud.target.account.id': { + dashed_name: 'cloud-target-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.target.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.target.account.name': { + dashed_name: 'cloud-target-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display 
name.', + example: 'elastic-dev', + flat_name: 'cloud.target.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.target.availability_zone': { + dashed_name: 'cloud-target-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.target.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + original_fieldset: 'cloud', + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.target.instance.id': { + dashed_name: 'cloud-target-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.target.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance ID of the host machine.', + type: 'keyword', + }, + 'cloud.target.instance.name': { + dashed_name: 'cloud-target-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.target.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.target.machine.type': { + dashed_name: 'cloud-target-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.target.machine.type', + ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + original_fieldset: 'cloud', + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.target.project.id': { + dashed_name: 'cloud-target-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project 
id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.target.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.target.project.name': { + dashed_name: 'cloud-target-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.target.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project name.', + type: 'keyword', + }, + 'cloud.target.provider': { + dashed_name: 'cloud-target-provider', + description: + 'Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.target.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + original_fieldset: 'cloud', + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.target.region': { + dashed_name: 'cloud-target-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.target.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + original_fieldset: 'cloud', + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.target.service.name': { + dashed_name: 'cloud-target-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.target.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + original_fieldset: 
'cloud', + short: 'The cloud service name.', + type: 'keyword', + }, + }, + footnote: + "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.\nThe cloud fields may be self-nested under cloud.origin.* and cloud.target.* to describe origin or target service's cloud information in the context of incoming or outgoing requests, respectively. However, the fieldsets cloud.origin.* and cloud.target.* must not be confused with the root cloud fieldset that is used to describe the cloud context of the actual service under observation. The fieldset cloud.origin.* may only be used in the context of incoming requests or events to provide the originating service's cloud information. The fieldset cloud.target.* may only be used in the context of outgoing requests or events to describe the target service's cloud information.", + group: 2, + name: 'cloud', + nestings: ['cloud.origin', 'cloud.target'], + prefix: 'cloud.', + reusable: { + expected: [ + { + as: 'origin', + at: 'cloud', + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.origin', + short_override: + 'Provides the cloud information of the origin entity in case of an incoming request or event.', + }, + { + as: 'target', + at: 'cloud', + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.target', + short_override: + 'Provides the cloud information of the target entity in case of an outgoing request or event.', + }, + ], + top_level: true, + }, + reused_here: [ + { + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.origin', + schema_name: 'cloud', + short: + 'Provides the cloud information of the origin entity in case of 
an incoming request or event.', + }, + { + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.target', + schema_name: 'cloud', + short: + 'Provides the cloud information of the target entity in case of an outgoing request or event.', + }, + ], + short: 'Fields about the cloud resource.', + title: 'Cloud', + type: 'group', + }, + code_signature: { + description: 'These fields contain information about binary code signatures.', + fields: { + 'code_signature.digest_algorithm': { + dashed_name: 'code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'code_signature.exists': { + dashed_name: 'code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'code_signature.signing_id': { + dashed_name: 'code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'code_signature.status': { + dashed_name: 'code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'code_signature.subject_name': { + dashed_name: 'code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'code_signature.team_id': { + dashed_name: 'code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'code_signature.timestamp': { + dashed_name: 'code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'code_signature.trusted': { + dashed_name: 'code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'code_signature.valid': { + dashed_name: 'code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + }, + group: 2, + name: 'code_signature', + prefix: 'code_signature.', + reusable: { + expected: [ + { as: 'code_signature', at: 'file', full: 'file.code_signature' }, + { as: 'code_signature', at: 'process', full: 'process.code_signature' }, + { as: 'code_signature', at: 'dll', full: 'dll.code_signature' }, + ], + top_level: false, + }, + short: 'These fields contain information about binary code signatures.', 
+ title: 'Code Signature', + type: 'group', + }, + container: { + description: + 'Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime.', + fields: { + 'container.cpu.usage': { + dashed_name: 'container-cpu-usage', + description: + 'Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.', + flat_name: 'container.cpu.usage', + level: 'extended', + name: 'cpu.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent CPU used, between 0 and 1.', + type: 'scaled_float', + }, + 'container.disk.read.bytes': { + dashed_name: 'container-disk-read-bytes', + description: + 'The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'container.disk.read.bytes', + level: 'extended', + name: 'disk.read.bytes', + normalize: [], + short: 'The number of bytes read by all disks.', + type: 'long', + }, + 'container.disk.write.bytes': { + dashed_name: 'container-disk-write-bytes', + description: + 'The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'container.disk.write.bytes', + level: 'extended', + name: 'disk.write.bytes', + normalize: [], + short: 'The number of bytes written on all disks.', + type: 'long', + }, + 'container.id': { + dashed_name: 'container-id', + description: 'Unique container id.', + flat_name: 'container.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique container id.', + type: 'keyword', + }, + 'container.image.hash.all': { + dashed_name: 'container-image-hash-all', + description: + 'An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. 
Algorithm names should align with the field names in the ECS hash field set.', + example: '[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]', + flat_name: 'container.image.hash.all', + ignore_above: 1024, + level: 'extended', + name: 'image.hash.all', + normalize: ['array'], + short: 'An array of digests of the image the container was built on.', + type: 'keyword', + }, + 'container.image.name': { + dashed_name: 'container-image-name', + description: 'Name of the image the container was built on.', + flat_name: 'container.image.name', + ignore_above: 1024, + level: 'extended', + name: 'image.name', + normalize: [], + short: 'Name of the image the container was built on.', + type: 'keyword', + }, + 'container.image.tag': { + dashed_name: 'container-image-tag', + description: 'Container image tags.', + flat_name: 'container.image.tag', + ignore_above: 1024, + level: 'extended', + name: 'image.tag', + normalize: ['array'], + short: 'Container image tags.', + type: 'keyword', + }, + 'container.labels': { + dashed_name: 'container-labels', + description: 'Image labels.', + flat_name: 'container.labels', + level: 'extended', + name: 'labels', + normalize: [], + object_type: 'keyword', + short: 'Image labels.', + type: 'object', + }, + 'container.memory.usage': { + dashed_name: 'container-memory-usage', + description: 'Memory usage percentage and it ranges from 0 to 1. 
Scaling factor: 1000.', + flat_name: 'container.memory.usage', + level: 'extended', + name: 'memory.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent memory used, between 0 and 1.', + type: 'scaled_float', + }, + 'container.name': { + dashed_name: 'container-name', + description: 'Container name.', + flat_name: 'container.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Container name.', + type: 'keyword', + }, + 'container.network.egress.bytes': { + dashed_name: 'container-network-egress-bytes', + description: + 'The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.', + flat_name: 'container.network.egress.bytes', + level: 'extended', + name: 'network.egress.bytes', + normalize: [], + short: 'The number of bytes sent on all network interfaces.', + type: 'long', + }, + 'container.network.ingress.bytes': { + dashed_name: 'container-network-ingress-bytes', + description: + 'The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.', + flat_name: 'container.network.ingress.bytes', + level: 'extended', + name: 'network.ingress.bytes', + normalize: [], + short: 'The number of bytes received on all network interfaces.', + type: 'long', + }, + 'container.runtime': { + dashed_name: 'container-runtime', + description: 'Runtime managing this container.', + example: 'docker', + flat_name: 'container.runtime', + ignore_above: 1024, + level: 'extended', + name: 'runtime', + normalize: [], + short: 'Runtime managing this container.', + type: 'keyword', + }, + }, + group: 2, + name: 'container', + prefix: 'container.', + short: 'Fields describing the container that generated this event.', + title: 'Container', + type: 'group', + }, + data_stream: { + beta: 'These fields are in beta and are subject to change.', + description: + 'The data_stream fields take part in defining the new data stream naming 
scheme.\nIn the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post].\nAn Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].', + fields: { + 'data_stream.dataset': { + dashed_name: 'data-stream-dataset', + description: + 'The field can contain anything that makes sense to signify the source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters', + example: 'nginx.access', + flat_name: 'data_stream.dataset', + level: 'extended', + name: 'dataset', + normalize: [], + short: 'The field can contain anything that makes sense to signify the source of the data.', + type: 'constant_keyword', + }, + 'data_stream.namespace': { + dashed_name: 'data-stream-namespace', + description: + 'A user defined namespace. 
Namespaces are useful to allow grouping of data.\nMany users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.\nBeyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters', + example: 'production', + flat_name: 'data_stream.namespace', + level: 'extended', + name: 'namespace', + normalize: [], + short: 'A user defined namespace. Namespaces are useful to allow grouping of data.', + type: 'constant_keyword', + }, + 'data_stream.type': { + dashed_name: 'data-stream-type', + description: + 'An overarching type for the data stream.\nCurrently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.', + example: 'logs', + flat_name: 'data_stream.type', + level: 'extended', + name: 'type', + normalize: [], + short: 'An overarching type for the data stream.', + type: 'constant_keyword', + }, + }, + group: 2, + name: 'data_stream', + prefix: 'data_stream.', + short: 'The data_stream fields take part in defining the new data stream naming scheme.', + title: 'Data Stream', + type: 'group', + }, + destination: { + description: + 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.\nDestination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. 
If the event also contains identification of the client and server roles, then the client and server fields should also be populated.', + fields: { + 'destination.address': { + dashed_name: 'destination-address', + description: + 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'destination.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Destination network address.', + type: 'keyword', + }, + 'destination.as.number': { + dashed_name: 'destination-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'destination.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'destination.as.organization.name': { + dashed_name: 'destination-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'destination.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'destination.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'destination.bytes': { + dashed_name: 'destination-bytes', + description: 'Bytes sent from the destination to the source.', + example: 184, + flat_name: 'destination.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the destination to the source.', + type: 'long', + }, + 'destination.domain': { + dashed_name: 
'destination-domain', + description: + 'The domain name of the destination system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'destination.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the destination.', + type: 'keyword', + }, + 'destination.geo.city_name': { + dashed_name: 'destination-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'destination.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'destination.geo.continent_code': { + dashed_name: 'destination-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'destination.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'destination.geo.continent_name': { + dashed_name: 'destination-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'destination.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'destination.geo.country_iso_code': { + dashed_name: 'destination-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'destination.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'destination.geo.country_name': { + dashed_name: 'destination-geo-country-name', + description: 
'Country name.', + example: 'Canada', + flat_name: 'destination.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'destination.geo.location': { + dashed_name: 'destination-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'destination.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'destination.geo.name': { + dashed_name: 'destination-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'destination.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'destination.geo.postal_code': { + dashed_name: 'destination-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'destination.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'destination.geo.region_iso_code': { + dashed_name: 'destination-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'destination.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 
'keyword', + }, + 'destination.geo.region_name': { + dashed_name: 'destination-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'destination.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'destination.geo.timezone': { + dashed_name: 'destination-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'destination.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'destination.ip': { + dashed_name: 'destination-ip', + description: 'IP address of the destination (IPv4 or IPv6).', + flat_name: 'destination.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the destination.', + type: 'ip', + }, + 'destination.mac': { + dashed_name: 'destination-mac', + description: + 'MAC address of the destination.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'destination.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the destination.', + type: 'keyword', + }, + 'destination.nat.ip': { + dashed_name: 'destination-nat-ip', + description: + 'Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'destination.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Destination NAT ip', + type: 'ip', + }, + 'destination.nat.port': { + dashed_name: 'destination-nat-port', + description: + 'Port the source session is translated to by NAT Device.\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'destination.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Destination NAT Port', + type: 'long', + }, + 'destination.packets': { + dashed_name: 'destination-packets', + description: 'Packets sent from the destination to the source.', + example: 12, + flat_name: 'destination.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the destination to the source.', + type: 'long', + }, + 'destination.port': { + dashed_name: 'destination-port', + description: 'Port of the destination.', + flat_name: 'destination.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the destination.', + type: 'long', + }, + 'destination.registered_domain': { + dashed_name: 'destination-registered-domain', + description: + 'The highest registered destination domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'destination.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered destination domain, stripped of the subdomain.', + type: 'keyword', + }, + 'destination.subdomain': { + dashed_name: 'destination-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'destination.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'destination.top_level_domain': { + dashed_name: 'destination-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'destination.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'destination.user.domain': { + dashed_name: 'destination-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'destination.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'destination.user.email': { + dashed_name: 'destination-user-email', + description: 'User email address.', + flat_name: 'destination.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'destination.user.full_name': { + dashed_name: 'destination-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'destination.user.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'destination.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'destination.user.group.domain': { + dashed_name: 'destination-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'destination.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the 
group is a member of.', + type: 'keyword', + }, + 'destination.user.group.id': { + dashed_name: 'destination-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'destination.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'destination.user.group.name': { + dashed_name: 'destination-user-group-name', + description: 'Name of the group.', + flat_name: 'destination.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'destination.user.hash': { + dashed_name: 'destination-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'destination.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'destination.user.id': { + dashed_name: 'destination-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'destination.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'destination.user.name': { + dashed_name: 'destination-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'destination.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'destination.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + 
normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'destination.user.roles': { + dashed_name: 'destination-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'destination.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'destination', + nestings: ['destination.as', 'destination.geo', 'destination.user'], + prefix: 'destination.', + reused_here: [ + { + full: 'destination.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'destination.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'destination.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the destination side of a network connection, used with source.', + title: 'Destination', + type: 'group', + }, + device: { + beta: 'These fields are in beta and are subject to change.', + description: + 'Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.\nThis field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).', + fields: { + 'device.id': { + dashed_name: 'device-id', + description: + 'The unique identifier of a device. The identifier must not change across application sessions but stay fixex for an instance of a (mobile) device. 
\nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application.\nFor GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user.', + example: '00000000-54b3-e7c7-0000-000046bffd97', + flat_name: 'device.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'The unique identifier of a device.', + type: 'keyword', + }, + 'device.manufacturer': { + dashed_name: 'device-manufacturer', + description: 'The vendor name of the device manufacturer.', + example: 'Samsung', + flat_name: 'device.manufacturer', + ignore_above: 1024, + level: 'extended', + name: 'manufacturer', + normalize: [], + short: 'The vendor name of the device manufacturer.', + type: 'keyword', + }, + 'device.model.identifier': { + dashed_name: 'device-model-identifier', + description: 'The machine readable identifier of the device model.', + example: 'SM-G920F', + flat_name: 'device.model.identifier', + ignore_above: 1024, + level: 'extended', + name: 'model.identifier', + normalize: [], + short: 'The machine readable identifier of the device model.', + type: 'keyword', + }, + 'device.model.name': { + dashed_name: 'device-model-name', + description: 'The human readable marketing name of the device model.', + example: 'Samsung Galaxy S6', + flat_name: 'device.model.name', + ignore_above: 1024, + level: 'extended', + name: 'model.name', + normalize: [], + short: 'The human readable marketing name of the device model.', + type: 'keyword', + }, + }, + group: 2, + name: 'device', + prefix: 'device.', + short: 'Fields characterizing a (mobile) device a process or application is running on.', + title: 'Device', + type: 'group', + }, + dll: { + description: + 'These fields contain 
information about code libraries dynamically loaded into processes.\n\nMany operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following:\n* Dynamic-link library (`.dll`) commonly used on Windows\n* Shared Object (`.so`) commonly used on Unix-like operating systems\n* Dynamic library (`.dylib`) commonly used on macOS', + fields: { + 'dll.code_signature.digest_algorithm': { + dashed_name: 'dll-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'dll.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.exists': { + dashed_name: 'dll-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'dll.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'dll.code_signature.signing_id': { + dashed_name: 'dll-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'dll.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.status': { + dashed_name: 'dll-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'dll.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'dll.code_signature.subject_name': { + dashed_name: 'dll-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'dll.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'dll.code_signature.team_id': { + dashed_name: 'dll-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'dll.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.timestamp': { + dashed_name: 'dll-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'dll.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'dll.code_signature.trusted': { + dashed_name: 'dll-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'dll.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'dll.code_signature.valid': { + dashed_name: 'dll-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'dll.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'dll.hash.md5': { + dashed_name: 'dll-hash-md5', + description: 'MD5 hash.', + flat_name: 'dll.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 
'MD5 hash.', + type: 'keyword', + }, + 'dll.hash.sha1': { + dashed_name: 'dll-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'dll.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'dll.hash.sha256': { + dashed_name: 'dll-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'dll.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'dll.hash.sha384': { + dashed_name: 'dll-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'dll.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'dll.hash.sha512': { + dashed_name: 'dll-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'dll.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'dll.hash.ssdeep': { + dashed_name: 'dll-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'dll.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'dll.hash.tlsh': { + dashed_name: 'dll-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'dll.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'dll.name': { + dashed_name: 'dll-name', + description: 'Name of the library.\nThis generally maps to the name of the file on disk.', + example: 'kernel32.dll', + flat_name: 'dll.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the library.', + type: 'keyword', + }, + 'dll.path': 
{ + dashed_name: 'dll-path', + description: 'Full file path of the library.', + example: 'C:\\Windows\\System32\\kernel32.dll', + flat_name: 'dll.path', + ignore_above: 1024, + level: 'extended', + name: 'path', + normalize: [], + short: 'Full file path of the library.', + type: 'keyword', + }, + 'dll.pe.architecture': { + dashed_name: 'dll-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'dll.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'dll.pe.company': { + dashed_name: 'dll-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'dll.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.description': { + dashed_name: 'dll-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'dll.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.file_version': { + dashed_name: 'dll-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'dll.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'dll.pe.imphash': { + dashed_name: 'dll-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'dll.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'dll.pe.original_file_name': { + dashed_name: 'dll-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'dll.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.pehash': { + dashed_name: 'dll-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'dll.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'dll.pe.product': { + dashed_name: 'dll-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'dll.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + }, + group: 2, + name: 'dll', + nestings: ['dll.code_signature', 'dll.hash', 'dll.pe'], + prefix: 'dll.', + reused_here: [ + { + full: 'dll.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + { + full: 'dll.pe', + schema_name: 'pe', + short: 'These fields contain Windows Portable Executable (PE) metadata.', + }, + { + full: 'dll.code_signature', + schema_name: 'code_signature', + short: 'These fields contain information about binary code signatures.', + }, + ], + short: + 'These fields contain information about code libraries dynamically loaded into processes.', + title: 'DLL', + type: 'group', + }, + dns: { + description: + 'Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).', + fields: { + 'dns.answers': { + dashed_name: 'dns-answers', + description: + 'An array containing an 
object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.', + flat_name: 'dns.answers', + level: 'extended', + name: 'answers', + normalize: ['array'], + short: 'Array of DNS answers.', + type: 'object', + }, + 'dns.answers.class': { + dashed_name: 'dns-answers-class', + description: 'The class of DNS data contained in this resource record.', + example: 'IN', + flat_name: 'dns.answers.class', + ignore_above: 1024, + level: 'extended', + name: 'answers.class', + normalize: [], + short: 'The class of DNS data contained in this resource record.', + type: 'keyword', + }, + 'dns.answers.data': { + dashed_name: 'dns-answers-data', + description: + 'The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record.', + example: '10.10.10.10', + flat_name: 'dns.answers.data', + ignore_above: 1024, + level: 'extended', + name: 'answers.data', + normalize: [], + short: 'The data describing the resource.', + type: 'keyword', + }, + 'dns.answers.name': { + dashed_name: 'dns-answers-name', + description: + "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. 
It should not simply be the original `question.name` repeated.", + example: 'www.example.com', + flat_name: 'dns.answers.name', + ignore_above: 1024, + level: 'extended', + name: 'answers.name', + normalize: [], + short: 'The domain name to which this resource record pertains.', + type: 'keyword', + }, + 'dns.answers.ttl': { + dashed_name: 'dns-answers-ttl', + description: + 'The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.', + example: 180, + flat_name: 'dns.answers.ttl', + level: 'extended', + name: 'answers.ttl', + normalize: [], + short: + 'The time interval in seconds that this resource record may be cached before it should be discarded.', + type: 'long', + }, + 'dns.answers.type': { + dashed_name: 'dns-answers-type', + description: 'The type of data contained in this resource record.', + example: 'CNAME', + flat_name: 'dns.answers.type', + ignore_above: 1024, + level: 'extended', + name: 'answers.type', + normalize: [], + short: 'The type of data contained in this resource record.', + type: 'keyword', + }, + 'dns.header_flags': { + dashed_name: 'dns-header-flags', + description: 'Array of 2 letter DNS header flags.', + example: '["RD", "RA"]', + expected_values: ['AA', 'TC', 'RD', 'RA', 'AD', 'CD', 'DO'], + flat_name: 'dns.header_flags', + ignore_above: 1024, + level: 'extended', + name: 'header_flags', + normalize: ['array'], + short: 'Array of DNS header flags.', + type: 'keyword', + }, + 'dns.id': { + dashed_name: 'dns-id', + description: + 'The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.', + example: 62111, + flat_name: 'dns.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: + 'The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response.', + type: 'keyword', + }, + 'dns.op_code': { + dashed_name: 'dns-op-code', + description: + 'The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.', + example: 'QUERY', + flat_name: 'dns.op_code', + ignore_above: 1024, + level: 'extended', + name: 'op_code', + normalize: [], + short: 'The DNS operation code that specifies the kind of query in the message.', + type: 'keyword', + }, + 'dns.question.class': { + dashed_name: 'dns-question-class', + description: 'The class of records being queried.', + example: 'IN', + flat_name: 'dns.question.class', + ignore_above: 1024, + level: 'extended', + name: 'question.class', + normalize: [], + short: 'The class of records being queried.', + type: 'keyword', + }, + 'dns.question.name': { + dashed_name: 'dns-question-name', + description: + 'The name being queried.\nIf the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \\t, \\r, and \\n respectively.', + example: 'www.example.com', + flat_name: 'dns.question.name', + ignore_above: 1024, + level: 'extended', + name: 'question.name', + normalize: [], + short: 'The name being queried.', + type: 'keyword', + }, + 'dns.question.registered_domain': { + dashed_name: 'dns-question-registered-domain', + description: + 'The highest registered domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'dns.question.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'question.registered_domain', + normalize: [], + short: 'The highest registered domain, stripped of the subdomain.', + type: 'keyword', + }, + 'dns.question.subdomain': { + dashed_name: 'dns-question-subdomain', + description: + 'The subdomain is all of the labels under the registered_domain.\nIf the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'www', + flat_name: 'dns.question.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'question.subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'dns.question.top_level_domain': { + dashed_name: 'dns-question-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'dns.question.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'question.top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'dns.question.type': { + dashed_name: 'dns-question-type', + description: 'The type of record being queried.', + example: 'AAAA', + flat_name: 'dns.question.type', + ignore_above: 1024, + level: 'extended', + name: 'question.type', + normalize: [], + short: 'The type of record being queried.', + type: 'keyword', + }, + 'dns.resolved_ip': { + dashed_name: 'dns-resolved-ip', + description: + 'Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.', + example: '["10.10.10.10", "10.10.10.11"]', + flat_name: 'dns.resolved_ip', + level: 'extended', + name: 'resolved_ip', + normalize: ['array'], + short: 'Array containing all IPs seen in answers.data', + type: 'ip', + }, + 'dns.response_code': { + dashed_name: 'dns-response-code', + description: 'The DNS response code.', + example: 'NOERROR', + flat_name: 'dns.response_code', + ignore_above: 1024, + level: 'extended', + name: 'response_code', + normalize: [], + short: 'The DNS response code.', + type: 'keyword', + }, + 'dns.type': { + dashed_name: 'dns-type', + description: + 'The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers.', + example: 'answer', + flat_name: 'dns.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'The type of DNS event captured, query or answer.', + type: 'keyword', + }, + }, + group: 2, + name: 'dns', + prefix: 'dns.', + short: 'Fields describing DNS queries and answers.', + title: 'DNS', + type: 'group', + }, + ecs: { + description: 'Meta-information specific to ECS.', + fields: { + 'ecs.version': { + dashed_name: 'ecs-version', + description: + 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.', + example: '1.0.0', + flat_name: 'ecs.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + required: true, + short: 'ECS version this event conforms to.', + type: 'keyword', + }, + }, + group: 2, + name: 'ecs', + prefix: 'ecs.', + short: 'Meta-information specific to ECS.', + title: 'ECS', + type: 'group', + }, + elf: { + beta: 'These fields are in beta and are subject to change.', + description: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + fields: { + 'elf.architecture': { + dashed_name: 'elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'elf.byte_order': { + dashed_name: 'elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 
'elf.cpu_type': { + dashed_name: 'elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'elf.creation_date': { + dashed_name: 'elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.", + flat_name: 'elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + short: 'Build or compile date.', + type: 'date', + }, + 'elf.exports': { + dashed_name: 'elf-exports', + description: 'List of exported element names and types.', + flat_name: 'elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'elf.header.abi_version': { + dashed_name: 'elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'elf.header.class': { + dashed_name: 'elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'elf.header.data': { + dashed_name: 'elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'elf.header.entrypoint': { + dashed_name: 'elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + 
flat_name: 'elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'elf.header.object_version': { + dashed_name: 'elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'elf.header.os_abi': { + dashed_name: 'elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'elf.header.type': { + dashed_name: 'elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'elf.header.version': { + dashed_name: 'elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'elf.imports': { + dashed_name: 'elf-imports', + description: 'List of imported element names and types.', + flat_name: 'elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'elf.sections': { + dashed_name: 'elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'elf.sections', + level: 
'extended', + name: 'sections', + normalize: ['array'], + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'elf.sections.chi2': { + dashed_name: 'elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'elf.sections.entropy': { + dashed_name: 'elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'elf.sections.flags': { + dashed_name: 'elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'elf.sections.name': { + dashed_name: 'elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + short: 'ELF Section List name.', + type: 'keyword', + }, + 'elf.sections.physical_offset': { + dashed_name: 'elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'elf.sections.physical_size': { + dashed_name: 'elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + short: 'ELF Section List physical size.', + 
type: 'long', + }, + 'elf.sections.type': { + dashed_name: 'elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + short: 'ELF Section List type.', + type: 'keyword', + }, + 'elf.sections.virtual_address': { + dashed_name: 'elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'elf.sections.virtual_size': { + dashed_name: 'elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'elf.segments': { + dashed_name: 'elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + short: 'ELF object segment list.', + type: 'nested', + }, + 'elf.segments.sections': { + dashed_name: 'elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'elf.segments.type': { + dashed_name: 'elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + short: 'ELF object segment type.', + type: 'keyword', + }, + 'elf.shared_libraries': { + dashed_name: 
'elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'elf.telfhash': { + dashed_name: 'elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + }, + group: 2, + name: 'elf', + prefix: 'elf.', + reusable: { + expected: [ + { + as: 'elf', + at: 'file', + beta: 'This field reuse is beta and subject to change.', + full: 'file.elf', + }, + { + as: 'elf', + at: 'process', + beta: 'This field reuse is beta and subject to change.', + full: 'process.elf', + }, + ], + top_level: false, + }, + short: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + title: 'ELF Header', + type: 'group', + }, + email: { + description: + 'Event details relating to an email transaction.\nThis field set focuses on the email message header, body, and attachments. 
Network protocols that send and receive email messages such as SMTP are outside the scope of the `email.*` fields.', + fields: { + 'email.attachments': { + dashed_name: 'email-attachments', + description: + 'A list of objects describing the attachment files sent along with an email message.', + flat_name: 'email.attachments', + level: 'extended', + name: 'attachments', + normalize: ['array'], + short: 'List of objects describing the attachments.', + type: 'nested', + }, + 'email.attachments.file.extension': { + dashed_name: 'email-attachments-file-extension', + description: 'Attachment file extension, excluding the leading dot.', + example: 'txt', + flat_name: 'email.attachments.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.extension', + normalize: [], + short: 'Attachment file extension.', + type: 'keyword', + }, + 'email.attachments.file.hash.md5': { + dashed_name: 'email-attachments-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'email.attachments.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha1': { + dashed_name: 'email-attachments-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'email.attachments.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha256': { + dashed_name: 'email-attachments-file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'email.attachments.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha384': { + dashed_name: 'email-attachments-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 
'email.attachments.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha512': { + dashed_name: 'email-attachments-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'email.attachments.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.ssdeep': { + dashed_name: 'email-attachments-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'email.attachments.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.tlsh': { + dashed_name: 'email-attachments-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'email.attachments.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'email.attachments.file.mime_type': { + dashed_name: 'email-attachments-file-mime-type', + description: + 'The MIME media type of the attachment.\nThis value will typically be extracted from the `Content-Type` MIME header field.', + example: 'text/plain', + flat_name: 'email.attachments.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.mime_type', + normalize: [], + short: 'MIME type of the attachment file.', + type: 'keyword', + }, + 'email.attachments.file.name': { + dashed_name: 'email-attachments-file-name', + description: 'Name of the attachment file including the file extension.', + example: 'attachment.txt', + flat_name: 'email.attachments.file.name', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.name', + normalize: [], + short: 'Name of 
the attachment file.', + type: 'keyword', + }, + 'email.attachments.file.size': { + dashed_name: 'email-attachments-file-size', + description: 'Attachment file size in bytes.', + example: 64329, + flat_name: 'email.attachments.file.size', + level: 'extended', + name: 'attachments.file.size', + normalize: [], + short: 'Attachment file size.', + type: 'long', + }, + 'email.bcc.address': { + dashed_name: 'email-bcc-address', + description: 'The email address of BCC recipient', + example: 'bcc.user1@example.com', + flat_name: 'email.bcc.address', + ignore_above: 1024, + level: 'extended', + name: 'bcc.address', + normalize: ['array'], + short: 'Email address of BCC recipient', + type: 'keyword', + }, + 'email.cc.address': { + dashed_name: 'email-cc-address', + description: 'The email address of CC recipient', + example: 'cc.user1@example.com', + flat_name: 'email.cc.address', + ignore_above: 1024, + level: 'extended', + name: 'cc.address', + normalize: ['array'], + short: 'Email address of CC recipient', + type: 'keyword', + }, + 'email.content_type': { + dashed_name: 'email-content-type', + description: + 'Information about how the message is to be displayed.\nTypically a MIME type.', + example: 'text/plain', + flat_name: 'email.content_type', + ignore_above: 1024, + level: 'extended', + name: 'content_type', + normalize: [], + short: 'MIME type of the email message.', + type: 'keyword', + }, + 'email.delivery_timestamp': { + dashed_name: 'email-delivery-timestamp', + description: + 'The date and time when the email message was received by the service or client.', + example: '2020-11-10T22:12:34.8196921Z', + flat_name: 'email.delivery_timestamp', + level: 'extended', + name: 'delivery_timestamp', + normalize: [], + short: 'Date and time when message was delivered.', + type: 'date', + }, + 'email.direction': { + dashed_name: 'email-direction', + description: 'The direction of the message based on the sending and receiving domains.', + example: 'inbound', + flat_name: 
'email.direction', + ignore_above: 1024, + level: 'extended', + name: 'direction', + normalize: [], + short: 'Direction of the message.', + type: 'keyword', + }, + 'email.from.address': { + dashed_name: 'email-from-address', + description: + 'The email address of the sender, typically from the RFC 5322 `From:` header field.', + example: 'sender@example.com', + flat_name: 'email.from.address', + ignore_above: 1024, + level: 'extended', + name: 'from.address', + normalize: ['array'], + short: "The sender's email address.", + type: 'keyword', + }, + 'email.local_id': { + dashed_name: 'email-local-id', + description: + 'Unique identifier given to the email by the source that created the event.\nIdentifier is not persistent across hops.', + example: 'c26dbea0-80d5-463b-b93c-4e8b708219ce', + flat_name: 'email.local_id', + ignore_above: 1024, + level: 'extended', + name: 'local_id', + normalize: [], + short: 'Unique identifier given by the source.', + type: 'keyword', + }, + 'email.message_id': { + dashed_name: 'email-message-id', + description: + 'Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.', + example: '81ce15$8r2j59@mail01.example.com', + flat_name: 'email.message_id', + level: 'extended', + name: 'message_id', + normalize: [], + short: 'Value from the Message-ID header.', + type: 'wildcard', + }, + 'email.origination_timestamp': { + dashed_name: 'email-origination-timestamp', + description: + 'The date and time the email message was composed. 
Many email clients will fill in this value automatically when the message is sent by a user.', + example: '2020-11-10T22:12:34.8196921Z', + flat_name: 'email.origination_timestamp', + level: 'extended', + name: 'origination_timestamp', + normalize: [], + short: 'Date and time the email was composed.', + type: 'date', + }, + 'email.reply_to.address': { + dashed_name: 'email-reply-to-address', + description: + 'The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header.', + example: 'reply.here@example.com', + flat_name: 'email.reply_to.address', + ignore_above: 1024, + level: 'extended', + name: 'reply_to.address', + normalize: ['array'], + short: 'Address replies should be delivered to.', + type: 'keyword', + }, + 'email.sender.address': { + dashed_name: 'email-sender-address', + description: + 'Per RFC 5322, specifies the address responsible for the actual transmission of the message.', + flat_name: 'email.sender.address', + ignore_above: 1024, + level: 'extended', + name: 'sender.address', + normalize: [], + short: 'Address of the message sender.', + type: 'keyword', + }, + 'email.subject': { + dashed_name: 'email-subject', + description: 'A brief summary of the topic of the message.', + example: 'Please see this important message.', + flat_name: 'email.subject', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'email.subject.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'subject', + normalize: [], + short: 'The subject of the email message.', + type: 'keyword', + }, + 'email.to.address': { + dashed_name: 'email-to-address', + description: 'The email address of recipient', + example: 'user1@example.com', + flat_name: 'email.to.address', + ignore_above: 1024, + level: 'extended', + name: 'to.address', + normalize: ['array'], + short: 'Email address of recipient', + type: 'keyword', + }, + 'email.x_mailer': { + dashed_name: 'email-x-mailer', + description: + 'The name of 
the application that was used to draft and send the original email message.', + example: 'Spambot v2.5', + flat_name: 'email.x_mailer', + ignore_above: 1024, + level: 'extended', + name: 'x_mailer', + normalize: [], + short: 'Application that drafted email.', + type: 'keyword', + }, + }, + group: 2, + name: 'email', + nestings: ['email.attachments.file.hash'], + prefix: 'email.', + reused_here: [ + { + full: 'email.attachments.file.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + ], + short: 'Describes an email transaction.', + title: 'Email', + type: 'group', + }, + error: { + description: + 'These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error.', + fields: { + 'error.code': { + dashed_name: 'error-code', + description: 'Error code describing the error.', + flat_name: 'error.code', + ignore_above: 1024, + level: 'core', + name: 'code', + normalize: [], + short: 'Error code describing the error.', + type: 'keyword', + }, + 'error.id': { + dashed_name: 'error-id', + description: 'Unique identifier for the error.', + flat_name: 'error.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier for the error.', + type: 'keyword', + }, + 'error.message': { + dashed_name: 'error-message', + description: 'Error message.', + flat_name: 'error.message', + level: 'core', + name: 'message', + normalize: [], + short: 'Error message.', + type: 'match_only_text', + }, + 'error.stack_trace': { + dashed_name: 'error-stack-trace', + description: 'The stack trace of this error in plain text.', + flat_name: 'error.stack_trace', + level: 'extended', + multi_fields: [ + { + flat_name: 'error.stack_trace.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'stack_trace', + normalize: [], + short: 'The stack trace of this error in plain text.', + type: 'wildcard', + }, + 'error.type': { + dashed_name: 
'error-type', + description: 'The type of the error, for example the class name of the exception.', + example: 'java.lang.NullPointerException', + flat_name: 'error.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'The type of the error, for example the class name of the exception.', + type: 'keyword', + }, + }, + group: 2, + name: 'error', + prefix: 'error.', + short: 'Fields about errors of any kind.', + title: 'Error', + type: 'group', + }, + event: { + description: + 'The event fields are used for context information about the log or metric event itself.\nA log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.', + fields: { + 'event.action': { + dashed_name: 'event-action', + description: + 'The action captured by the event.\nThis describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.', + example: 'user-password-change', + flat_name: 'event.action', + ignore_above: 1024, + level: 'core', + name: 'action', + normalize: [], + short: 'The action captured by the event.', + type: 'keyword', + }, + 'event.agent_id_status': { + dashed_name: 'event-agent-id-status', + description: + "Agents are normally responsible for populating the `agent.id` field value. 
If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.\nFor example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.\nIf no validation is performed then the field should be omitted.\nThe allowed values are:\n`verified` - The `agent.id` field value matches expected value obtained from auth metadata.\n`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.\n`missing` - There was no `agent.id` field in the event to validate.\n`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.", + example: 'verified', + flat_name: 'event.agent_id_status', + ignore_above: 1024, + level: 'extended', + name: 'agent_id_status', + normalize: [], + short: "Validation status of the event's agent.id field.", + type: 'keyword', + }, + 'event.category': { + allowed_values: [ + { + description: + 'Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. 
Visualize and analyze events in this category to look for failed logins, and other authentication-related activity.', + expected_event_types: ['start', 'end', 'info'], + name: 'authentication', + }, + { + description: + 'Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.\nExample sources include security policy change logs, configuration auditing logging, and system integrity monitoring.', + expected_event_types: ['access', 'change', 'creation', 'deletion', 'info'], + name: 'configuration', + }, + { + description: + 'The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes.', + expected_event_types: ['access', 'change', 'info', 'error'], + name: 'database', + }, + { + description: + 'Events in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.\nUse events and metrics in this category to visualize and analyze driver-related activity and status on hosts.', + expected_event_types: ['change', 'end', 'info', 'start'], + name: 'driver', + }, + { + description: + 'This category is used for events relating to email messages, email attachments, and email network or protocol activity.\nEmails events can be produced by email security gateways, mail transfer agents, email cloud service providers, or mail server monitoring applications.', + expected_event_types: ['info'], + name: 'email', + }, + { + description: + 'Relating to a set of information that has been created on, or has existed on a filesystem. 
Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log.', + expected_event_types: ['change', 'creation', 'deletion', 'info'], + name: 'file', + }, + { + description: + 'Use this category to visualize and analyze information such as host inventory or host lifecycle events.\nMost of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane\'s point of view. Some can also be seen from within, such as "start" or "end".\nNote that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".', + expected_event_types: ['access', 'change', 'end', 'info', 'start'], + name: 'host', + }, + { + description: + 'Identity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.', + expected_event_types: [ + 'admin', + 'change', + 'creation', + 'deletion', + 'group', + 'info', + 'user', + ], + name: 'iam', + }, + { + description: + 'Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.', + expected_event_types: ['allowed', 'denied', 'info'], + name: 'intrusion_detection', + }, + { + description: + 'Malware detection events and alerts. 
Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs.', + expected_event_types: ['info'], + name: 'malware', + }, + { + description: + 'Relating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc.', + expected_event_types: [ + 'access', + 'allowed', + 'connection', + 'denied', + 'end', + 'info', + 'protocol', + 'start', + ], + name: 'network', + }, + { + description: + 'Relating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data.', + expected_event_types: ['access', 'change', 'deletion', 'info', 'installation', 'start'], + name: 'package', + }, + { + description: + 'Use this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry.', + expected_event_types: ['access', 'change', 'end', 'info', 'start'], + name: 'process', + }, + { + description: + 'Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.', + expected_event_types: ['access', 'change', 'creation', 'deletion'], + name: 'registry', + }, + { + description: + 'The session category is applied to events and metrics regarding logical persistent connections to hosts and services. 
Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.', + expected_event_types: ['start', 'end', 'info'], + name: 'session', + }, + { + description: + "Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors.", + expected_event_types: ['indicator'], + name: 'threat', + }, + { + description: + 'Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources.', + expected_event_types: ['info'], + name: 'vulnerability', + }, + { + description: + 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.', + expected_event_types: ['access', 'error', 'info'], + name: 'web', + }, + ], + dashed_name: 'event-category', + description: + 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.\n`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.\nThis field is an array. This will allow proper categorization of some events that fall in multiple categories.', + example: 'authentication', + flat_name: 'event.category', + ignore_above: 1024, + level: 'core', + name: 'category', + normalize: ['array'], + short: 'Event category. 
The second categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.code': { + dashed_name: 'event-code', + description: + 'Identification code for this event, if one exists.\nSome event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.', + example: 4648, + flat_name: 'event.code', + ignore_above: 1024, + level: 'extended', + name: 'code', + normalize: [], + short: 'Identification code for this event.', + type: 'keyword', + }, + 'event.created': { + dashed_name: 'event-created', + description: + "event.created contains the date/time when the event was first read by an agent, or by your pipeline.\nThis field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.\nIn most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.\nIn case the two timestamps are identical, @timestamp should be used.", + example: '2016-05-23T08:05:34.857Z', + flat_name: 'event.created', + level: 'core', + name: 'created', + normalize: [], + short: 'Time when the event was first read by an agent or by your pipeline.', + type: 'date', + }, + 'event.dataset': { + dashed_name: 'event-dataset', + description: + "Name of the dataset.\nIf an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from.\nIt's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.", + example: 'apache.access', + flat_name: 'event.dataset', + ignore_above: 1024, + level: 'core', + name: 'dataset', + normalize: [], + short: 'Name of the dataset.', + type: 'keyword', + }, + 'event.duration': { + dashed_name: 'event-duration', + description: + 'Duration of the event in nanoseconds.\nIf event.start and event.end are known this value should be the difference between the end and start time.', + flat_name: 'event.duration', + format: 'duration', + input_format: 'nanoseconds', + level: 'core', + name: 'duration', + normalize: [], + output_format: 'asMilliseconds', + output_precision: 1, + short: 'Duration of the event in nanoseconds.', + type: 'long', + }, + 'event.end': { + dashed_name: 'event-end', + description: + 'event.end contains the date when the event ended or when the activity was last observed.', + flat_name: 'event.end', + level: 'extended', + name: 'end', + normalize: [], + short: + 'event.end contains the date when the event ended or when the activity was last observed.', + type: 'date', + }, + 'event.hash': { + dashed_name: 'event-hash', + description: + 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.', + example: '123456789012345678901234567890ABCD', + flat_name: 'event.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + short: + 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.', + type: 'keyword', + }, + 'event.id': { + dashed_name: 'event-id', + description: 'Unique ID to describe the event.', + example: '8a4f500d', + flat_name: 'event.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique ID to describe the event.', + type: 'keyword', + }, + 'event.ingested': { + 
dashed_name: 'event-ingested', + description: + "Timestamp when an event arrived in the central data store.\nThis is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.\nIn normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.", + example: '2016-05-23T08:05:35.101Z', + flat_name: 'event.ingested', + level: 'core', + name: 'ingested', + normalize: [], + short: 'Timestamp when an event arrived in the central data store.', + type: 'date', + }, + 'event.kind': { + allowed_values: [ + { + description: + 'This value indicates an event such as an alert or notable event, triggered by a detection rule executing externally to the Elastic Stack.\n`event.kind:alert` is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and so on.\nThis value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.', + name: 'alert', + }, + { + description: + 'The `enrichment` value indicates an event collected to provide additional context, often to other events.\nAn example is collecting indicators of compromise (IOCs) from a threat intelligence provider with the intent to use those values to enrich other events. The IOC events from the intelligence provider should be categorized as `event.kind:enrichment`.', + name: 'enrichment', + }, + { + description: + 'This value is the most general and most common value for this field. 
It is used to represent events that indicate that something happened.', + name: 'event', + }, + { + description: + 'This value is used to indicate that this event describes a numeric measurement taken at given point in time.\nExamples include CPU utilization, memory usage, or device temperature.\nMetric events are often collected on a predictable frequency, such as once every few seconds, or once a minute, but can also be used to describe ad-hoc numeric metric queries.', + name: 'metric', + }, + { + description: + "The state value is similar to metric, indicating that this event describes a measurement taken at given point in time, except that the measurement does not result in a numeric value, but rather one of a fixed set of categorical values that represent conditions or states.\nExamples include periodic events reporting Elasticsearch cluster state (green/yellow/red), the state of a TCP connection (open, closed, fin_wait, etc.), the state of a host with respect to a software vulnerability (vulnerable, not vulnerable), and the state of a system regarding compliance with a regulatory standard (compliant, not compliant).\nNote that an event that describes a change of state would not use `event.kind:state`, but instead would use 'event.kind:event' since a state change fits the more general event definition of something that happened.\nState events are often collected on a predictable frequency, such as once every few seconds, once a minute, once an hour, or once a day, but can also be used to describe ad-hoc state queries.", + name: 'state', + }, + { + description: + 'This value indicates that an error occurred during the ingestion of this event, and that event data may be missing, inconsistent, or incorrect. 
`event.kind:pipeline_error` is often associated with parsing errors.', + name: 'pipeline_error', + }, + { + description: + 'This value is used by Elastic solutions (e.g., Security, Observability) for alert documents that are created by rules executing within the Kibana alerting framework.\nUsage of this value is reserved, and data ingestion pipelines must not populate `event.kind` with the value "signal".', + name: 'signal', + }, + ], + dashed_name: 'event-kind', + description: + 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.\n`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.\nThe value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.', + example: 'alert', + flat_name: 'event.kind', + ignore_above: 1024, + level: 'core', + name: 'kind', + normalize: [], + short: 'The kind of the event. The highest categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.module': { + dashed_name: 'event-module', + description: + 'Name of the module this data is coming from.\nIf your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.', + example: 'apache', + flat_name: 'event.module', + ignore_above: 1024, + level: 'core', + name: 'module', + normalize: [], + short: 'Name of the module this data is coming from.', + type: 'keyword', + }, + 'event.original': { + dashed_name: 'event-original', + description: + 'Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.\nThis field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.', + doc_values: false, + example: + 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232', + flat_name: 'event.original', + index: false, + level: 'core', + name: 'original', + normalize: [], + short: 'Raw text message of entire event.', + type: 'keyword', + }, + 'event.outcome': { + allowed_values: [ + { + description: + 'Indicates that this event describes a failed result. A common example is `event.category:file AND event.type:access AND event.outcome:failure` to indicate that a file access was attempted, but was not successful.', + name: 'failure', + }, + { + description: + 'Indicates that this event describes a successful result. A common example is `event.category:file AND event.type:create AND event.outcome:success` to indicate that a file was successfully created.', + name: 'success', + }, + { + description: + "Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. 
In such cases `event.outcome` should not be populated.", + name: 'unknown', + }, + ], + dashed_name: 'event-outcome', + description: + 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.\n`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.\nNote that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.\nAlso note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.\nFurther note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.', + example: 'success', + flat_name: 'event.outcome', + ignore_above: 1024, + level: 'core', + name: 'outcome', + normalize: [], + short: 'The outcome of the event. The lowest level categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.provider': { + dashed_name: 'event-provider', + description: + 'Source of the event.\nEvent transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).', + example: 'kernel', + flat_name: 'event.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + short: 'Source of the event.', + type: 'keyword', + }, + 'event.reason': { + dashed_name: 'event-reason', + description: + 'Reason why this event happened, according to the source.\nThis describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).', + example: 'Terminated an unexpected process', + flat_name: 'event.reason', + ignore_above: 1024, + level: 'extended', + name: 'reason', + normalize: [], + short: 'Reason why this event happened, according to the source', + type: 'keyword', + }, + 'event.reference': { + dashed_name: 'event-reference', + description: + 'Reference URL linking to additional information about this event.\nThis URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://system.example.com/event/#0001234', + flat_name: 'event.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Event reference URL', + type: 'keyword', + }, + 'event.risk_score': { + dashed_name: 'event-risk-score', + description: + "Risk score or priority of the event (e.g. security solutions). Use your system's original value here.", + flat_name: 'event.risk_score', + level: 'core', + name: 'risk_score', + normalize: [], + short: + "Risk score or priority of the event (e.g. security solutions). 
Use your system's original value here.", + type: 'float', + }, + 'event.risk_score_norm': { + dashed_name: 'event-risk-score-norm', + description: + 'Normalized risk score or priority of the event, on a scale of 0 to 100.\nThis is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.', + flat_name: 'event.risk_score_norm', + level: 'extended', + name: 'risk_score_norm', + normalize: [], + short: 'Normalized risk score or priority of the event (0-100).', + type: 'float', + }, + 'event.sequence': { + dashed_name: 'event-sequence', + description: + 'Sequence number of the event.\nThe sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.', + flat_name: 'event.sequence', + format: 'string', + level: 'extended', + name: 'sequence', + normalize: [], + short: 'Sequence number of the event.', + type: 'long', + }, + 'event.severity': { + dashed_name: 'event-severity', + description: + "The numeric severity of the event according to your event source.\nWhat the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.\nThe Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.", + example: 7, + flat_name: 'event.severity', + format: 'string', + level: 'core', + name: 'severity', + normalize: [], + short: 'Numeric severity of the event.', + type: 'long', + }, + 'event.start': { + dashed_name: 'event-start', + description: + 'event.start contains the date when the event started or when the activity was first observed.', + flat_name: 'event.start', + level: 'extended', + name: 'start', + normalize: [], + short: + 'event.start contains the date when the event started or when the activity was first observed.', + type: 'date', + }, + 'event.timezone': { + dashed_name: 'event-timezone', + description: + 'This field should be populated when the event\'s timestamp does not include timezone information already (e.g. default Syslog timestamps). It\'s optional otherwise.\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").', + flat_name: 'event.timezone', + ignore_above: 1024, + level: 'extended', + name: 'timezone', + normalize: [], + short: 'Event time zone.', + type: 'keyword', + }, + 'event.type': { + allowed_values: [ + { + description: + 'The access event type is used for the subset of events within a category that indicate that something was accessed. Common examples include `event.category:database AND event.type:access`, or `event.category:file AND event.type:access`. Note for file access, both directory listings and file opens should be included in this subcategory. You can further distinguish access operations using the ECS `event.action` field.', + name: 'access', + }, + { + description: + 'The admin event type is used for the subset of events within a category that are related to admin objects. 
For example, administrative changes within an IAM framework that do not specifically affect a user or group (e.g., adding new applications to a federation solution or connecting discrete forests in Active Directory) would fall into this subcategory. Common example: `event.category:iam AND event.type:change AND event.type:admin`. You can further distinguish admin operations using the ECS `event.action` field.', + name: 'admin', + }, + { + description: + 'The allowed event type is used for the subset of events within a category that indicate that something was allowed. Common examples include `event.category:network AND event.type:connection AND event.type:allowed` (to indicate a network firewall event for which the firewall disposition was to allow the connection to complete) and `event.category:intrusion_detection AND event.type:allowed` (to indicate a network intrusion prevention system event for which the IPS disposition was to allow the connection to complete). You can further distinguish allowed operations using the ECS `event.action` field, populating with values of your choosing, such as "allow", "detect", or "pass".', + name: 'allowed', + }, + { + description: + 'The change event type is used for the subset of events within a category that indicate that something has changed. If semantics best describe an event as modified, then include them in this subcategory. Common examples include `event.category:process AND event.type:change`, and `event.category:file AND event.type:change`. You can further distinguish change operations using the ECS `event.action` field.', + name: 'change', + }, + { + description: + 'Used primarily with `event.category:network` this value is used for the subset of network traffic that includes sufficient information for the event to be included in flow or connection analysis. 
Events in this subcategory will contain at least source and destination IP addresses, source and destination TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. Events in this subcategory may contain unidirectional or bidirectional information, including summary information. Use this subcategory to visualize and analyze network connections. Flow analysis, including Netflow, IPFIX, and other flow-related events fit in this subcategory. Note that firewall events from many Next-Generation Firewall (NGFW) devices will also fit into this subcategory. A common filter for flow/connection information would be `event.category:network AND event.type:connection AND event.type:end` (to view or analyze all completed network connections, ignoring mid-flow reports). You can further distinguish connection events using the ECS `event.action` field, populating with values of your choosing, such as "timeout", or "reset".', + name: 'connection', + }, + { + description: + 'The "creation" event type is used for the subset of events within a category that indicate that something was created. A common example is `event.category:file AND event.type:creation`.', + name: 'creation', + }, + { + description: + 'The deletion event type is used for the subset of events within a category that indicate that something was deleted. A common example is `event.category:file AND event.type:deletion` to indicate that a file has been deleted.', + name: 'deletion', + }, + { + description: + 'The denied event type is used for the subset of events within a category that indicate that something was denied. Common examples include `event.category:network AND event.type:denied` (to indicate a network firewall event for which the firewall disposition was to deny the connection) and `event.category:intrusion_detection AND event.type:denied` (to indicate a network intrusion prevention system event for which the IPS disposition was to deny the connection to complete). 
You can further distinguish denied operations using the ECS `event.action` field, populating with values of your choosing, such as "blocked", "dropped", or "quarantined".', + name: 'denied', + }, + { + description: + 'The end event type is used for the subset of events within a category that indicate something has ended. A common example is `event.category:process AND event.type:end`.', + name: 'end', + }, + { + description: + 'The error event type is used for the subset of events within a category that indicate or describe an error. A common example is `event.category:database AND event.type:error`. Note that pipeline errors that occur during the event ingestion process should not use this `event.type` value. Instead, they should use `event.kind:pipeline_error`.', + name: 'error', + }, + { + description: + 'The group event type is used for the subset of events within a category that are related to group objects. Common example: `event.category:iam AND event.type:creation AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.', + name: 'group', + }, + { + description: + 'The indicator event type is used for the subset of events within a category that contain details about indicators of compromise (IOCs).\nA common example is `event.category:threat AND event.type:indicator`.', + name: 'indicator', + }, + { + description: + 'The info event type is used for the subset of events within a category that indicate that they are purely informational, and don\'t report a state change, or any type of action. For example, an initial run of a file integrity monitoring system (FIM), where an agent reports all files under management, would fall into the "info" subcategory. Similarly, an event containing a dump of all currently running processes (as opposed to reporting that a process started/ended) would fall into the "info" subcategory. 
An additional common examples is `event.category:intrusion_detection AND event.type:info`.', + name: 'info', + }, + { + description: + 'The installation event type is used for the subset of events within a category that indicate that something was installed. A common example is `event.category:package` AND `event.type:installation`.', + name: 'installation', + }, + { + description: + 'The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field.', + name: 'protocol', + }, + { + description: + 'The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process AND event.type:start`.', + name: 'start', + }, + { + description: + 'The user event type is used for the subset of events within a category that are related to user objects. Common example: `event.category:iam AND event.type:deletion AND event.type:user`. 
You can further distinguish user operations using the ECS `event.action` field.', + name: 'user', + }, + ], + dashed_name: 'event-type', + description: + 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.\n`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.\nThis field is an array. This will allow proper categorization of some events that fall in multiple event types.', + flat_name: 'event.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: ['array'], + short: 'Event type. The third categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.url': { + dashed_name: 'event-url', + description: + 'URL linking to an external system to continue investigation of this event.\nThis URL links to another system where in-depth investigation of the specific occurrence of this event can take place. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe', + flat_name: 'event.url', + ignore_above: 1024, + level: 'extended', + name: 'url', + normalize: [], + short: 'Event investigation URL', + type: 'keyword', + }, + }, + group: 2, + name: 'event', + prefix: 'event.', + short: 'Fields breaking down the event details.', + title: 'Event', + type: 'group', + }, + faas: { + beta: 'These fields are in beta and are subject to change.', + description: + 'The user fields describe information about the function as a service (FaaS) that is relevant to the event.', + fields: { + 'faas.coldstart': { + dashed_name: 'faas-coldstart', + description: 'Boolean value indicating a cold start of a function.', + flat_name: 'faas.coldstart', + level: 'extended', + name: 'coldstart', + normalize: [], + short: 'Boolean value indicating a cold start of a function.', + type: 'boolean', + }, + 'faas.execution': { + dashed_name: 'faas-execution', + description: 'The execution ID of the current function execution.', + example: 'af9d5aa4-a685-4c5f-a22b-444f80b3cc28', + flat_name: 'faas.execution', + ignore_above: 1024, + level: 'extended', + name: 'execution', + normalize: [], + short: 'The execution ID of the current function execution.', + type: 'keyword', + }, + 'faas.id': { + dashed_name: 'faas-id', + description: + "The unique identifier of a serverless function.\nFor AWS Lambda it's the function ARN (Amazon Resource Name) without a version or alias suffix.", + example: 'arn:aws:lambda:us-west-2:123456789012:function:my-function', + flat_name: 'faas.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'The unique identifier of a serverless function.', + type: 'keyword', + }, + 'faas.name': { + dashed_name: 'faas-name', + description: 'The name of a serverless function.', + example: 'my-function', + flat_name: 'faas.name', + ignore_above: 
1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'The name of a serverless function.', + type: 'keyword', + }, + 'faas.trigger': { + dashed_name: 'faas-trigger', + description: 'Details about the function trigger.', + flat_name: 'faas.trigger', + level: 'extended', + name: 'trigger', + normalize: [], + short: 'Details about the function trigger.', + type: 'nested', + }, + 'faas.trigger.request_id': { + dashed_name: 'faas-trigger-request-id', + description: 'The ID of the trigger request , message, event, etc.', + example: 123456789, + flat_name: 'faas.trigger.request_id', + ignore_above: 1024, + level: 'extended', + name: 'trigger.request_id', + normalize: [], + short: 'The ID of the trigger request , message, event, etc.', + type: 'keyword', + }, + 'faas.trigger.type': { + dashed_name: 'faas-trigger-type', + description: 'The trigger for the function execution.', + example: 'http', + expected_values: ['http', 'pubsub', 'datasource', 'timer', 'other'], + flat_name: 'faas.trigger.type', + ignore_above: 1024, + level: 'extended', + name: 'trigger.type', + normalize: [], + short: 'The trigger for the function execution.', + type: 'keyword', + }, + 'faas.version': { + dashed_name: 'faas-version', + description: 'The version of a serverless function.', + example: '123', + flat_name: 'faas.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'The version of a serverless function.', + type: 'keyword', + }, + }, + group: 2, + name: 'faas', + prefix: 'faas.', + short: 'Fields describing functions as a service.', + title: 'FaaS', + type: 'group', + }, + file: { + description: + 'A file is defined as a set of information that has been created on, or has existed on a filesystem.\nFile objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). 
File fields provide details about the affected file associated with the event or metric.', + fields: { + 'file.accessed': { + dashed_name: 'file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + short: 'Last time the file was accessed.', + type: 'date', + }, + 'file.attributes': { + dashed_name: 'file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + short: 'Array of file attributes.', + type: 'keyword', + }, + 'file.code_signature.digest_algorithm': { + dashed_name: 'file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.exists': { + dashed_name: 'file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'file.code_signature.signing_id': { + dashed_name: 'file-code-signature-signing-id', + 
description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.status': { + dashed_name: 'file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'file.code_signature.subject_name': { + dashed_name: 'file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'file.code_signature.team_id': { + dashed_name: 'file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.timestamp': { + dashed_name: 'file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'file.code_signature.trusted': { + dashed_name: 'file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'file.code_signature.valid': { + dashed_name: 'file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'file.created': { + dashed_name: 'file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'file.created', + level: 'extended', + name: 
'created', + normalize: [], + short: 'File creation time.', + type: 'date', + }, + 'file.ctime': { + dashed_name: 'file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'file.device': { + dashed_name: 'file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'file.directory': { + dashed_name: 'file-directory', + description: + 'Directory where the file is located. It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'file.drive_letter': { + dashed_name: 'file-drive-letter', + description: + 'Drive letter where the file is located. 
This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'file.elf.architecture': { + dashed_name: 'file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'file.elf.byte_order': { + dashed_name: 'file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'file.elf.cpu_type': { + dashed_name: 'file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'file.elf.creation_date': { + dashed_name: 'file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'file.elf.exports': { + dashed_name: 'file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'file.elf.header.abi_version': { + dashed_name: 'file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'file.elf.header.class': { + dashed_name: 'file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'file.elf.header.data': { + dashed_name: 'file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'file.elf.header.entrypoint': { + dashed_name: 'file-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 
'file.elf.header.object_version': { + dashed_name: 'file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'file.elf.header.os_abi': { + dashed_name: 'file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'file.elf.header.type': { + dashed_name: 'file-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'file.elf.header.version': { + dashed_name: 'file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'file.elf.imports': { + dashed_name: 'file-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'file.elf.sections': { + dashed_name: 'file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 
'file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'file.elf.sections.chi2': { + dashed_name: 'file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'file.elf.sections.entropy': { + dashed_name: 'file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'file.elf.sections.flags': { + dashed_name: 'file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'file.elf.sections.name': { + dashed_name: 'file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'file.elf.sections.physical_offset': { + dashed_name: 'file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'file.elf.sections.physical_size': { 
+ dashed_name: 'file-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'file.elf.sections.type': { + dashed_name: 'file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'file.elf.sections.virtual_address': { + dashed_name: 'file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'file.elf.sections.virtual_size': { + dashed_name: 'file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'file.elf.segments': { + dashed_name: 'file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'file.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'file.elf.segments.sections': { + dashed_name: 'file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 
'file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'file.elf.segments.type': { + dashed_name: 'file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'file.elf.shared_libraries': { + dashed_name: 'file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'file.elf.telfhash': { + dashed_name: 'file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'file.extension': { + dashed_name: 'file-extension', + description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'file.fork_name': { + dashed_name: 'file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. 
A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'file.gid': { + dashed_name: 'file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'file.group': { + dashed_name: 'file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'file.hash.md5': { + dashed_name: 'file-hash-md5', + description: 'MD5 hash.', + flat_name: 'file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'file.hash.sha1': { + dashed_name: 'file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'file.hash.sha256': { + dashed_name: 
'file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'file.hash.sha384': { + dashed_name: 'file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'file.hash.sha512': { + dashed_name: 'file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'file.hash.ssdeep': { + dashed_name: 'file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'file.hash.tlsh': { + dashed_name: 'file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'file.inode': { + dashed_name: 'file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + normalize: [], + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'file.mime_type': { + dashed_name: 'file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used.', + flat_name: 'file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'file.mode': { + dashed_name: 'file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'file.mtime': { + dashed_name: 'file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + short: 'Last time the file content was modified.', + type: 'date', + }, + 'file.name': { + dashed_name: 'file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the file including the extension, without the directory.', + type: 'keyword', + }, + 'file.owner': { + dashed_name: 'file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + short: "File owner's username.", + type: 'keyword', + }, + 'file.path': { + dashed_name: 'file-path', + description: + 'Full path to the file, including the file name. 
It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'file.pe.architecture': { + dashed_name: 'file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'file.pe.company': { + dashed_name: 'file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.description': { + dashed_name: 'file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.file_version': { + dashed_name: 'file-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'file.pe.imphash': { + dashed_name: 'file-pe-imphash', + 
description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'file.pe.original_file_name': { + dashed_name: 'file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.pehash': { + dashed_name: 'file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'file.pe.product': { + dashed_name: 'file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.size': { + dashed_name: 'file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'file.size', + level: 'extended', + name: 'size', + normalize: [], + short: 'File size in bytes.', + type: 'long', + }, + 'file.target_path': { + dashed_name: 'file-target-path', + description: 'Target path for symlinks.', + flat_name: 'file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + short: 'Target path for symlinks.', + type: 'keyword', + }, + 'file.type': { + dashed_name: 'file-type', + description: 'File type (file, dir, or symlink).', + example: 'file', + flat_name: 'file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'file.uid': { + dashed_name: 'file-uid', + description: 'The user ID (UID) or security identifier 
(SID) of the file owner.', + example: '1001', + flat_name: 'file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'file.x509.alternative_names': { + dashed_name: 'file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'file.x509.issuer.common_name': { + dashed_name: 'file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.country': { + dashed_name: 'file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'file.x509.issuer.distinguished_name': { + dashed_name: 'file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'file.x509.issuer.distinguished_name', + ignore_above: 1024, + 
level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.locality': { + dashed_name: 'file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'file.x509.issuer.organization': { + dashed_name: 'file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.organizational_unit': { + dashed_name: 'file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.state_or_province': { + dashed_name: 'file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 
'file.x509.not_after': { + dashed_name: 'file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'file.x509.not_before': { + dashed_name: 'file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'file.x509.public_key_algorithm': { + dashed_name: 'file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'file.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'file.x509.public_key_curve': { + dashed_name: 'file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'file.x509.public_key_exponent': { + dashed_name: 'file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. 
This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'file.x509.public_key_size': { + dashed_name: 'file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'file.x509.serial_number': { + dashed_name: 'file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'file.x509.signature_algorithm': { + dashed_name: 'file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'file.x509.subject.common_name': { + dashed_name: 'file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'file.x509.subject.country': { + dashed_name: 'file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'file.x509.subject.distinguished_name': { + dashed_name: 'file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'file.x509.subject.locality': { + dashed_name: 'file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + 
original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'file.x509.subject.organization': { + dashed_name: 'file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'file.x509.subject.organizational_unit': { + dashed_name: 'file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'file.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'file.x509.subject.state_or_province': { + dashed_name: 'file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'file.x509.version_number': { + dashed_name: 'file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + }, + group: 2, + name: 'file', + nestings: ['file.code_signature', 'file.elf', 'file.hash', 'file.pe', 'file.x509'], + prefix: 'file.', + reusable: { + expected: [ + { as: 'file', at: 'threat.indicator', full: 'threat.indicator.file' }, + { + as: 
'file', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.file', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'file.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + { + full: 'file.pe', + schema_name: 'pe', + short: 'These fields contain Windows Portable Executable (PE) metadata.', + }, + { + full: 'file.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'file.code_signature', + schema_name: 'code_signature', + short: 'These fields contain information about binary code signatures.', + }, + { + beta: 'This field reuse is beta and subject to change.', + full: 'file.elf', + schema_name: 'elf', + short: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + }, + ], + short: 'Fields describing files.', + title: 'File', + type: 'group', + }, + geo: { + description: + 'Geo fields can carry data about a specific location related to an event.\nThis geolocation information can be derived from techniques such as Geo IP, or be user-supplied.', + fields: { + 'geo.city_name': { + dashed_name: 'geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + short: 'City name.', + type: 'keyword', + }, + 'geo.continent_code': { + dashed_name: 'geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + short: 'Continent code.', + type: 'keyword', + }, + 'geo.continent_name': { + dashed_name: 'geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + short: 'Name of the continent.', + type: 'keyword', + }, + 
'geo.country_iso_code': { + dashed_name: 'geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + short: 'Country ISO code.', + type: 'keyword', + }, + 'geo.country_name': { + dashed_name: 'geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + short: 'Country name.', + type: 'keyword', + }, + 'geo.location': { + dashed_name: 'geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'geo.location', + level: 'core', + name: 'location', + normalize: [], + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'geo.name': { + dashed_name: 'geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'geo.postal_code': { + dashed_name: 'geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + short: 'Postal code.', + type: 'keyword', + }, + 'geo.region_iso_code': { + dashed_name: 'geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 
'region_iso_code', + normalize: [], + short: 'Region ISO code.', + type: 'keyword', + }, + 'geo.region_name': { + dashed_name: 'geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + short: 'Region name.', + type: 'keyword', + }, + 'geo.timezone': { + dashed_name: 'geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + short: 'Time zone.', + type: 'keyword', + }, + }, + group: 2, + name: 'geo', + prefix: 'geo.', + reusable: { + expected: [ + { as: 'geo', at: 'client', full: 'client.geo' }, + { as: 'geo', at: 'destination', full: 'destination.geo' }, + { as: 'geo', at: 'observer', full: 'observer.geo' }, + { as: 'geo', at: 'host', full: 'host.geo' }, + { as: 'geo', at: 'server', full: 'server.geo' }, + { as: 'geo', at: 'source', full: 'source.geo' }, + { as: 'geo', at: 'threat.indicator', full: 'threat.indicator.geo' }, + { + as: 'geo', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.geo', + }, + ], + top_level: false, + }, + short: 'Fields describing a location.', + title: 'Geo', + type: 'group', + }, + group: { + description: 'The group fields are meant to represent groups that are relevant to the event.', + fields: { + 'group.domain': { + dashed_name: 'group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'group.id': { + dashed_name: 'group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'group.id', + 
ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'group.name': { + dashed_name: 'group-name', + description: 'Name of the group.', + flat_name: 'group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the group.', + type: 'keyword', + }, + }, + group: 2, + name: 'group', + prefix: 'group.', + reusable: { + expected: [ + { as: 'group', at: 'user', full: 'user.group' }, + { + as: 'group', + at: 'process', + full: 'process.group', + short_override: 'The effective group (egid).', + }, + { + as: 'real_group', + at: 'process', + full: 'process.real_group', + short_override: 'The real group (rgid).', + }, + { + as: 'saved_group', + at: 'process', + full: 'process.saved_group', + short_override: 'The saved group (sgid).', + }, + { + as: 'supplemental_groups', + at: 'process', + full: 'process.supplemental_groups', + normalize: ['array'], + short_override: 'An array of supplemental groups.', + }, + { + as: 'attested_groups', + at: 'process', + beta: 'Reusing the `group` fields in this location is currently considered beta.', + full: 'process.attested_groups', + normalize: ['array'], + short_override: + 'The externally attested groups based on an external source such as the Kube API.', + }, + ], + top_level: true, + }, + short: "User's group relevant to the event.", + title: 'Group', + type: 'group', + }, + hash: { + description: + 'The hash fields represent different bitwise hash algorithms and their values.\nField names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).\nNote that this fieldset is used for common hashes that may be computed over a range of generic bytes. 
Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).', + fields: { + 'hash.md5': { + dashed_name: 'hash-md5', + description: 'MD5 hash.', + flat_name: 'hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + short: 'MD5 hash.', + type: 'keyword', + }, + 'hash.sha1': { + dashed_name: 'hash-sha1', + description: 'SHA1 hash.', + flat_name: 'hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + short: 'SHA1 hash.', + type: 'keyword', + }, + 'hash.sha256': { + dashed_name: 'hash-sha256', + description: 'SHA256 hash.', + flat_name: 'hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + short: 'SHA256 hash.', + type: 'keyword', + }, + 'hash.sha384': { + dashed_name: 'hash-sha384', + description: 'SHA384 hash.', + flat_name: 'hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + short: 'SHA384 hash.', + type: 'keyword', + }, + 'hash.sha512': { + dashed_name: 'hash-sha512', + description: 'SHA512 hash.', + flat_name: 'hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + short: 'SHA512 hash.', + type: 'keyword', + }, + 'hash.ssdeep': { + dashed_name: 'hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'hash.tlsh': { + dashed_name: 'hash-tlsh', + description: 'TLSH hash.', + flat_name: 'hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + short: 'TLSH hash.', + type: 'keyword', + }, + }, + group: 2, + name: 'hash', + prefix: 'hash.', + reusable: { + expected: [ + { as: 'hash', at: 'file', full: 'file.hash' }, + { as: 'hash', at: 'process', full: 'process.hash' }, + { as: 'hash', at: 'dll', full: 'dll.hash' }, + { + as: 'hash', + at: 
'email.attachments.file', + full: 'email.attachments.file.hash', + }, + ], + top_level: false, + }, + short: 'Hashes, usually file hashes.', + title: 'Hash', + type: 'group', + }, + host: { + description: + 'A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.', + fields: { + 'host.architecture': { + dashed_name: 'host-architecture', + description: 'Operating system architecture.', + example: 'x86_64', + flat_name: 'host.architecture', + ignore_above: 1024, + level: 'core', + name: 'architecture', + normalize: [], + short: 'Operating system architecture.', + type: 'keyword', + }, + 'host.boot.id': { + beta: 'This field is beta and subject to change.', + dashed_name: 'host-boot-id', + description: + 'Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. 
Some container runtimes will bind mount a new boot_id value onto the proc file in each container.', + example: '88a1f0ed-5ae5-41ee-af6b-41921c311872', + flat_name: 'host.boot.id', + ignore_above: 1024, + level: 'extended', + name: 'boot.id', + normalize: [], + short: 'Linux boot uuid taken from /proc/sys/kernel/random/boot_id', + type: 'keyword', + }, + 'host.cpu.usage': { + dashed_name: 'host-cpu-usage', + description: + 'Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.\nScaling factor: 1000.\nFor example: For a two core host, this value should be the average of the two cores, between 0 and 1.', + flat_name: 'host.cpu.usage', + level: 'extended', + name: 'cpu.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent CPU used, between 0 and 1.', + type: 'scaled_float', + }, + 'host.disk.read.bytes': { + dashed_name: 'host-disk-read-bytes', + description: + 'The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'host.disk.read.bytes', + level: 'extended', + name: 'disk.read.bytes', + normalize: [], + short: 'The number of bytes read by all disks.', + type: 'long', + }, + 'host.disk.write.bytes': { + dashed_name: 'host-disk-write-bytes', + description: + 'The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'host.disk.write.bytes', + level: 'extended', + name: 'disk.write.bytes', + normalize: [], + short: 'The number of bytes written on all disks.', + type: 'long', + }, + 'host.domain': { + dashed_name: 'host-domain', + description: + "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider.", + example: 'CONTOSO', + flat_name: 'host.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'host.geo.city_name': { + dashed_name: 'host-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'host.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'host.geo.continent_code': { + dashed_name: 'host-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'host.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'host.geo.continent_name': { + dashed_name: 'host-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'host.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'host.geo.country_iso_code': { + dashed_name: 'host-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'host.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'host.geo.country_name': { + dashed_name: 'host-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'host.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'host.geo.location': { + dashed_name: 
'host-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'host.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'host.geo.name': { + dashed_name: 'host-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'host.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'host.geo.postal_code': { + dashed_name: 'host-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'host.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'host.geo.region_iso_code': { + dashed_name: 'host-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'host.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'host.geo.region_name': { + dashed_name: 'host-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'host.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'host.geo.timezone': { + dashed_name: 
'host-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'host.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'host.hostname': { + dashed_name: 'host-hostname', + description: + 'Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine.', + flat_name: 'host.hostname', + ignore_above: 1024, + level: 'core', + name: 'hostname', + normalize: [], + short: 'Hostname of the host.', + type: 'keyword', + }, + 'host.id': { + dashed_name: 'host-id', + description: + 'Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`.', + flat_name: 'host.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique host id.', + type: 'keyword', + }, + 'host.ip': { + dashed_name: 'host-ip', + description: 'Host ip addresses.', + flat_name: 'host.ip', + level: 'core', + name: 'ip', + normalize: ['array'], + short: 'Host ip addresses.', + type: 'ip', + }, + 'host.mac': { + dashed_name: 'host-mac', + description: + 'Host MAC addresses.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen.', + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]', + flat_name: 'host.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: ['array'], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'Host MAC addresses.', + type: 'keyword', + }, + 'host.name': { + dashed_name: 'host-name', + description: + 'Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.', + flat_name: 'host.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the host.', + type: 'keyword', + }, + 'host.network.egress.bytes': { + dashed_name: 'host-network-egress-bytes', + description: + 'The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.egress.bytes', + level: 'extended', + name: 'network.egress.bytes', + normalize: [], + short: 'The number of bytes sent on all network interfaces.', + type: 'long', + }, + 'host.network.egress.packets': { + dashed_name: 'host-network-egress-packets', + description: + 'The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.egress.packets', + level: 'extended', + name: 'network.egress.packets', + normalize: [], + short: 'The number of packets sent on all network interfaces.', + type: 'long', + }, + 'host.network.ingress.bytes': { + dashed_name: 'host-network-ingress-bytes', + description: + 'The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.ingress.bytes', + level: 'extended', + name: 'network.ingress.bytes', + normalize: [], + short: 'The number of bytes received on all network interfaces.', + type: 'long', + }, + 'host.network.ingress.packets': { + dashed_name: 
'host-network-ingress-packets', + description: + 'The number of packets (gauge) received on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.ingress.packets', + level: 'extended', + name: 'network.ingress.packets', + normalize: [], + short: 'The number of packets received on all network interfaces.', + type: 'long', + }, + 'host.os.family': { + dashed_name: 'host-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'host.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'host.os.full': { + dashed_name: 'host-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'host.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'host.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'host.os.kernel': { + dashed_name: 'host-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'host.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'host.os.name': { + dashed_name: 'host-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'host.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'host.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'os', + short: 
'Operating system name, without the version.', + type: 'keyword', + }, + 'host.os.platform': { + dashed_name: 'host-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'host.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'host.os.type': { + dashed_name: 'host-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'host.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'host.os.version': { + dashed_name: 'host-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'host.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'host.pid_ns_ino': { + beta: 'This field is beta and subject to change.', + dashed_name: 'host-pid-ns-ino', + description: + 'This is the inode number of the namespace in the namespace file system (nsfs). 
Unsigned int inum in include/linux/ns_common.h.', + example: 256383, + flat_name: 'host.pid_ns_ino', + ignore_above: 1024, + level: 'extended', + name: 'pid_ns_ino', + normalize: [], + short: 'Pid namespace inode', + type: 'keyword', + }, + 'host.risk.calculated_level': { + dashed_name: 'host-risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'host.risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'keyword', + }, + 'host.risk.calculated_score': { + dashed_name: 'host-risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'host.risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'host.risk.calculated_score_norm': { + dashed_name: 'host-risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.', + example: 88.73, + flat_name: 'host.risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'host.risk.static_level': { + dashed_name: 'host-risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some 
external Threat Intelligence Platform.', + example: 'High', + flat_name: 'host.risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'keyword', + }, + 'host.risk.static_score': { + dashed_name: 'host-risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'host.risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'host.risk.static_score_norm': { + dashed_name: 'host-risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'host.risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + 'host.type': { + dashed_name: 'host-type', + description: + 'Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment.', + flat_name: 'host.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'Type of host.', + type: 'keyword', + }, + 'host.uptime': { + dashed_name: 'host-uptime', + description: 'Seconds the host has been up.', + example: 1325, + flat_name: 'host.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + short: 'Seconds the host has been up.', + type: 'long', + }, + }, + group: 2, + name: 'host', + nestings: ['host.geo', 'host.os', 'host.risk'], + prefix: 'host.', + reused_here: [ + { + full: 'host.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'host.os', + schema_name: 'os', + short: 'OS fields contain information about the operating system.', + }, + { + full: 'host.risk', + schema_name: 'risk', + short: 'Fields for describing risk score and level.', + }, + ], + short: 'Fields describing the relevant computing instance.', + title: 'Host', + type: 'group', + }, + http: { + description: + 'Fields related to HTTP activity. 
Use the `url` field set to store the url of the request.', + fields: { + 'http.request.body.bytes': { + dashed_name: 'http-request-body-bytes', + description: 'Size in bytes of the request body.', + example: 887, + flat_name: 'http.request.body.bytes', + format: 'bytes', + level: 'extended', + name: 'request.body.bytes', + normalize: [], + short: 'Size in bytes of the request body.', + type: 'long', + }, + 'http.request.body.content': { + dashed_name: 'http-request-body-content', + description: 'The full HTTP request body.', + example: 'Hello world', + flat_name: 'http.request.body.content', + level: 'extended', + multi_fields: [ + { + flat_name: 'http.request.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'request.body.content', + normalize: [], + short: 'The full HTTP request body.', + type: 'wildcard', + }, + 'http.request.bytes': { + dashed_name: 'http-request-bytes', + description: 'Total size in bytes of the request (body and headers).', + example: 1437, + flat_name: 'http.request.bytes', + format: 'bytes', + level: 'extended', + name: 'request.bytes', + normalize: [], + short: 'Total size in bytes of the request (body and headers).', + type: 'long', + }, + 'http.request.id': { + dashed_name: 'http-request-id', + description: + 'A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.\nThe id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.', + example: '123e4567-e89b-12d3-a456-426614174000', + flat_name: 'http.request.id', + ignore_above: 1024, + level: 'extended', + name: 'request.id', + normalize: [], + short: 'HTTP request ID.', + type: 'keyword', + }, + 'http.request.method': { + dashed_name: 'http-request-method', + description: + 'HTTP request method.\nThe value should retain its casing from the original event. 
For example, `GET`, `get`, and `GeT` are all considered valid values for this field.', + example: 'POST', + flat_name: 'http.request.method', + ignore_above: 1024, + level: 'extended', + name: 'request.method', + normalize: [], + short: 'HTTP request method.', + type: 'keyword', + }, + 'http.request.mime_type': { + dashed_name: 'http-request-mime-type', + description: + "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.", + example: 'image/gif', + flat_name: 'http.request.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'request.mime_type', + normalize: [], + short: 'Mime type of the body of the request.', + type: 'keyword', + }, + 'http.request.referrer': { + dashed_name: 'http-request-referrer', + description: 'Referrer for this HTTP request.', + example: 'https://blog.example.com/', + flat_name: 'http.request.referrer', + ignore_above: 1024, + level: 'extended', + name: 'request.referrer', + normalize: [], + short: 'Referrer for this HTTP request.', + type: 'keyword', + }, + 'http.response.body.bytes': { + dashed_name: 'http-response-body-bytes', + description: 'Size in bytes of the response body.', + example: 887, + flat_name: 'http.response.body.bytes', + format: 'bytes', + level: 'extended', + name: 'response.body.bytes', + normalize: [], + short: 'Size in bytes of the response body.', + type: 'long', + }, + 'http.response.body.content': { + dashed_name: 'http-response-body-content', + description: 'The full HTTP response body.', + example: 'Hello world', + flat_name: 'http.response.body.content', + level: 'extended', + multi_fields: [ + { + flat_name: 'http.response.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'response.body.content', + normalize: [], + short: 'The full HTTP 
response body.', + type: 'wildcard', + }, + 'http.response.bytes': { + dashed_name: 'http-response-bytes', + description: 'Total size in bytes of the response (body and headers).', + example: 1437, + flat_name: 'http.response.bytes', + format: 'bytes', + level: 'extended', + name: 'response.bytes', + normalize: [], + short: 'Total size in bytes of the response (body and headers).', + type: 'long', + }, + 'http.response.mime_type': { + dashed_name: 'http-response-mime-type', + description: + "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.", + example: 'image/gif', + flat_name: 'http.response.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'response.mime_type', + normalize: [], + short: 'Mime type of the body of the response.', + type: 'keyword', + }, + 'http.response.status_code': { + dashed_name: 'http-response-status-code', + description: 'HTTP response status code.', + example: 404, + flat_name: 'http.response.status_code', + format: 'string', + level: 'extended', + name: 'response.status_code', + normalize: [], + short: 'HTTP response status code.', + type: 'long', + }, + 'http.version': { + dashed_name: 'http-version', + description: 'HTTP version.', + example: 1.1, + flat_name: 'http.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'HTTP version.', + type: 'keyword', + }, + }, + group: 2, + name: 'http', + prefix: 'http.', + short: 'Fields describing an HTTP request.', + title: 'HTTP', + type: 'group', + }, + interface: { + description: + 'The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. 
In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.', + fields: { + 'interface.alias': { + dashed_name: 'interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + short: 'Interface alias', + type: 'keyword', + }, + 'interface.id': { + dashed_name: 'interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Interface ID', + type: 'keyword', + }, + 'interface.name': { + dashed_name: 'interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Interface name', + type: 'keyword', + }, + }, + group: 2, + name: 'interface', + prefix: 'interface.', + reusable: { + expected: [ + { + as: 'interface', + at: 'observer.ingress', + full: 'observer.ingress.interface', + }, + { + as: 'interface', + at: 'observer.egress', + full: 'observer.egress.interface', + }, + ], + top_level: false, + }, + short: 'Fields to describe observer interface information.', + title: 'Interface', + type: 'group', + }, + log: { + description: + "Details about the event's logging mechanism or logging transport.\nThe log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. 
For example, syslog details belong under `log.syslog.*`.\nThe details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.", + fields: { + 'log.file.path': { + dashed_name: 'log-file-path', + description: + "Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.\nIf the event wasn't read from a log file, do not populate this field.", + example: '/var/log/fun-times.log', + flat_name: 'log.file.path', + ignore_above: 1024, + level: 'extended', + name: 'file.path', + normalize: [], + short: 'Full path to the log file this event came from.', + type: 'keyword', + }, + 'log.level': { + dashed_name: 'log-level', + description: + "Original log level of the log event.\nIf the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).\nSome examples are `warn`, `err`, `i`, `informational`.", + example: 'error', + flat_name: 'log.level', + ignore_above: 1024, + level: 'core', + name: 'level', + normalize: [], + short: 'Log level of the log event.', + type: 'keyword', + }, + 'log.logger': { + dashed_name: 'log-logger', + description: + 'The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name.', + example: 'org.elasticsearch.bootstrap.Bootstrap', + flat_name: 'log.logger', + ignore_above: 1024, + level: 'core', + name: 'logger', + normalize: [], + short: 'Name of the logger.', + type: 'keyword', + }, + 'log.origin.file.line': { + dashed_name: 'log-origin-file-line', + description: + 'The line number of the file containing the source code which originated the log event.', + example: 42, + flat_name: 'log.origin.file.line', + level: 'extended', + name: 'origin.file.line', + normalize: [], + short: 'The line number of the file which originated the log event.', + type: 'long', + }, + 'log.origin.file.name': { + dashed_name: 'log-origin-file-name', + description: + 'The name of the file containing the source code which originated the log event.\nNote that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.', + example: 'Bootstrap.java', + flat_name: 'log.origin.file.name', + ignore_above: 1024, + level: 'extended', + name: 'origin.file.name', + normalize: [], + short: 'The code file which originated the log event.', + type: 'keyword', + }, + 'log.origin.function': { + dashed_name: 'log-origin-function', + description: 'The name of the function or method which originated the log event.', + example: 'init', + flat_name: 'log.origin.function', + ignore_above: 1024, + level: 'extended', + name: 'origin.function', + normalize: [], + short: 'The function which originated the log event.', + type: 'keyword', + }, + 'log.syslog': { + dashed_name: 'log-syslog', + description: + 'The Syslog metadata of the event, if the event was transmitted via Syslog. 
Please see RFCs 5424 or 3164.', + flat_name: 'log.syslog', + level: 'extended', + name: 'syslog', + normalize: [], + short: 'Syslog metadata', + type: 'object', + }, + 'log.syslog.appname': { + dashed_name: 'log-syslog-appname', + description: 'The device or application that originated the Syslog message, if available.', + example: 'sshd', + flat_name: 'log.syslog.appname', + ignore_above: 1024, + level: 'extended', + name: 'syslog.appname', + normalize: [], + short: 'The device or application that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.facility.code': { + dashed_name: 'log-syslog-facility-code', + description: + 'The Syslog numeric facility of the log event, if available.\nAccording to RFCs 5424 and 3164, this value should be an integer between 0 and 23.', + example: 23, + flat_name: 'log.syslog.facility.code', + format: 'string', + level: 'extended', + name: 'syslog.facility.code', + normalize: [], + short: 'Syslog numeric facility of the event.', + type: 'long', + }, + 'log.syslog.facility.name': { + dashed_name: 'log-syslog-facility-name', + description: 'The Syslog text-based facility of the log event, if available.', + example: 'local7', + flat_name: 'log.syslog.facility.name', + ignore_above: 1024, + level: 'extended', + name: 'syslog.facility.name', + normalize: [], + short: 'Syslog text-based facility of the event.', + type: 'keyword', + }, + 'log.syslog.hostname': { + dashed_name: 'log-syslog-hostname', + description: + 'The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. 
Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.', + example: 'example-host', + flat_name: 'log.syslog.hostname', + ignore_above: 1024, + level: 'extended', + name: 'syslog.hostname', + normalize: [], + short: 'The host that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.msgid': { + dashed_name: 'log-syslog-msgid', + description: + 'An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages.', + example: 'ID47', + flat_name: 'log.syslog.msgid', + ignore_above: 1024, + level: 'extended', + name: 'syslog.msgid', + normalize: [], + short: 'An identifier for the type of Syslog message.', + type: 'keyword', + }, + 'log.syslog.priority': { + dashed_name: 'log-syslog-priority', + description: + 'Syslog numeric priority of the event, if available.\nAccording to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.', + example: 135, + flat_name: 'log.syslog.priority', + format: 'string', + level: 'extended', + name: 'syslog.priority', + normalize: [], + short: 'Syslog priority of the event.', + type: 'long', + }, + 'log.syslog.procid': { + dashed_name: 'log-syslog-procid', + description: 'The process name or ID that originated the Syslog message, if available.', + example: 12345, + flat_name: 'log.syslog.procid', + ignore_above: 1024, + level: 'extended', + name: 'syslog.procid', + normalize: [], + short: 'The process name or ID that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.severity.code': { + dashed_name: 'log-syslog-severity-code', + description: + "The Syslog numeric severity of the log event, if available.\nIf the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.", + example: 3, + flat_name: 'log.syslog.severity.code', + level: 'extended', + name: 'syslog.severity.code', + normalize: [], + short: 'Syslog numeric severity of the event.', + type: 'long', + }, + 'log.syslog.severity.name': { + dashed_name: 'log-syslog-severity-name', + description: + "The Syslog numeric severity of the log event, if available.\nIf the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.", + example: 'Error', + flat_name: 'log.syslog.severity.name', + ignore_above: 1024, + level: 'extended', + name: 'syslog.severity.name', + normalize: [], + short: 'Syslog text-based severity of the event.', + type: 'keyword', + }, + 'log.syslog.structured_data': { + dashed_name: 'log-syslog-structured-data', + description: + 'Structured data expressed in RFC 5424 messages, if available. These are key-value pairs formed from the structured data portion of the syslog message, as defined in RFC 5424 Section 6.3.', + flat_name: 'log.syslog.structured_data', + level: 'extended', + name: 'syslog.structured_data', + normalize: [], + short: 'Structured data expressed in RFC 5424 messages.', + type: 'flattened', + }, + 'log.syslog.version': { + dashed_name: 'log-syslog-version', + description: + 'The version of the Syslog protocol specification. 
Only applicable for RFC 5424 messages.', + example: 1, + flat_name: 'log.syslog.version', + ignore_above: 1024, + level: 'extended', + name: 'syslog.version', + normalize: [], + short: 'Syslog protocol version.', + type: 'keyword', + }, + }, + group: 2, + name: 'log', + prefix: 'log.', + short: "Details about the event's logging mechanism.", + title: 'Log', + type: 'group', + }, + network: { + description: + 'The network is defined as the communication path over which a host or network event happens.\nThe network.* fields should be populated with details about the network activity associated with an event.', + fields: { + 'network.application': { + dashed_name: 'network-application', + description: + "When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.\nFor example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.\nThe field value must be normalized to lowercase for querying.", + example: 'aim', + flat_name: 'network.application', + ignore_above: 1024, + level: 'extended', + name: 'application', + normalize: [], + short: 'Application level protocol name.', + type: 'keyword', + }, + 'network.bytes': { + dashed_name: 'network-bytes', + description: + 'Total bytes transferred in both directions.\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.', + example: 368, + flat_name: 'network.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Total bytes transferred in both directions.', + type: 'long', + }, + 'network.community_id': { + dashed_name: 'network-community-id', + description: + 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows.\nLearn more at https://github.com/corelight/community-id-spec.', + example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=', + flat_name: 'network.community_id', + ignore_above: 1024, + level: 'extended', + name: 'community_id', + normalize: [], + short: 'A hash of source and destination IPs and ports.', + type: 'keyword', + }, + 'network.direction': { + dashed_name: 'network-direction', + description: + 'Direction of the network traffic.\nWhen mapping events from a host-based monitoring context, populate this field from the host\'s point of view, using the values "ingress" or "egress".\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".\nNote that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers.', + example: 'inbound', + expected_values: [ + 'ingress', + 'egress', + 'inbound', + 'outbound', + 'internal', + 'external', + 'unknown', + ], + flat_name: 'network.direction', + ignore_above: 1024, + level: 'core', + name: 'direction', + normalize: [], + short: 'Direction of the network traffic.', + type: 'keyword', + }, + 'network.forwarded_ip': { + dashed_name: 'network-forwarded-ip', + description: 'Host IP address when the source IP address is the proxy.', + example: '192.1.1.2', + flat_name: 'network.forwarded_ip', + level: 'core', + name: 'forwarded_ip', + normalize: [], + short: 'Host IP address when the source IP address is the proxy.', + type: 'ip', + }, + 'network.iana_number': { + dashed_name: 'network-iana-number', + description: + 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.', + example: 6, + flat_name: 'network.iana_number', + ignore_above: 1024, + level: 'extended', + name: 'iana_number', + normalize: [], + short: 'IANA Protocol Number.', + type: 'keyword', + }, + 'network.inner': { + dashed_name: 'network-inner', + description: + 'Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. 
Zeek, Wireshark.)', + flat_name: 'network.inner', + level: 'extended', + name: 'inner', + normalize: [], + short: 'Inner VLAN tag information', + type: 'object', + }, + 'network.inner.vlan.id': { + dashed_name: 'network-inner-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'network.inner.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'network.inner.vlan.name': { + dashed_name: 'network-inner-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'network.inner.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'network.name': { + dashed_name: 'network-name', + description: 'Name given by operators to sections of their network.', + example: 'Guest Wifi', + flat_name: 'network.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name given by operators to sections of their network.', + type: 'keyword', + }, + 'network.packets': { + dashed_name: 'network-packets', + description: + 'Total packets transferred in both directions.\nIf `source.packets` and `destination.packets` are known, `network.packets` is their sum.', + example: 24, + flat_name: 'network.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Total packets transferred in both directions.', + type: 'long', + }, + 'network.protocol': { + dashed_name: 'network-protocol', + description: + 'In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`.\nThe field value must be normalized to lowercase for querying.', + example: 'http', + flat_name: 'network.protocol', + ignore_above: 1024, + level: 'core', + name: 'protocol', + normalize: [], + short: 'Application protocol name.', + type: 'keyword', + }, + 'network.transport': { + dashed_name: 'network-transport', + description: + 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)\nThe field value must be normalized to lowercase for querying.', + example: 'tcp', + flat_name: 'network.transport', + ignore_above: 1024, + level: 'core', + name: 'transport', + normalize: [], + short: 'Protocol Name corresponding to the field `iana_number`.', + type: 'keyword', + }, + 'network.type': { + dashed_name: 'network-type', + description: + 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc\nThe field value must be normalized to lowercase for querying.', + example: 'ipv4', + flat_name: 'network.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc', + type: 'keyword', + }, + 'network.vlan.id': { + dashed_name: 'network-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'network.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'network.vlan.name': { + dashed_name: 'network-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'network.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + }, + group: 2, + name: 'network', + nestings: ['network.inner.vlan', 'network.vlan'], + prefix: 'network.', + reused_here: [ + { + full: 'network.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + { + full: 'network.inner.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + ], + short: 'Fields describing the communication path over which the event happened.', + title: 'Network', + type: 'group', + }, + observer: { + description: + 'An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. 
Message queues and ETL components used in processing events or metrics are not considered observers in ECS.', + fields: { + 'observer.egress': { + dashed_name: 'observer-egress', + description: + 'Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.', + flat_name: 'observer.egress', + level: 'extended', + name: 'egress', + normalize: [], + short: 'Object field for egress information', + type: 'object', + }, + 'observer.egress.interface.alias': { + dashed_name: 'observer-egress-interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'observer.egress.interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + original_fieldset: 'interface', + short: 'Interface alias', + type: 'keyword', + }, + 'observer.egress.interface.id': { + dashed_name: 'observer-egress-interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'observer.egress.interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'interface', + short: 'Interface ID', + type: 'keyword', + }, + 'observer.egress.interface.name': { + dashed_name: 'observer-egress-interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'observer.egress.interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'interface', + short: 'Interface name', + type: 'keyword', + }, + 'observer.egress.vlan.id': { + dashed_name: 'observer-egress-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + 
flat_name: 'observer.egress.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'observer.egress.vlan.name': { + dashed_name: 'observer-egress-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'observer.egress.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'observer.egress.zone': { + dashed_name: 'observer-egress-zone', + description: + 'Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.', + example: 'Public_Internet', + flat_name: 'observer.egress.zone', + ignore_above: 1024, + level: 'extended', + name: 'egress.zone', + normalize: [], + short: 'Observer Egress zone', + type: 'keyword', + }, + 'observer.geo.city_name': { + dashed_name: 'observer-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'observer.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'observer.geo.continent_code': { + dashed_name: 'observer-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'observer.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'observer.geo.continent_name': { + dashed_name: 'observer-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'observer.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 
'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'observer.geo.country_iso_code': { + dashed_name: 'observer-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'observer.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'observer.geo.country_name': { + dashed_name: 'observer-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'observer.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'observer.geo.location': { + dashed_name: 'observer-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'observer.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'observer.geo.name': { + dashed_name: 'observer-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'observer.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'observer.geo.postal_code': { + dashed_name: 'observer-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + 
flat_name: 'observer.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'observer.geo.region_iso_code': { + dashed_name: 'observer-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'observer.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'observer.geo.region_name': { + dashed_name: 'observer-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'observer.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'observer.geo.timezone': { + dashed_name: 'observer-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'observer.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'observer.hostname': { + dashed_name: 'observer-hostname', + description: 'Hostname of the observer.', + flat_name: 'observer.hostname', + ignore_above: 1024, + level: 'core', + name: 'hostname', + normalize: [], + short: 'Hostname of the observer.', + type: 'keyword', + }, + 'observer.ingress': { + dashed_name: 'observer-ingress', + description: + 'Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. 
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.', + flat_name: 'observer.ingress', + level: 'extended', + name: 'ingress', + normalize: [], + short: 'Object field for ingress information', + type: 'object', + }, + 'observer.ingress.interface.alias': { + dashed_name: 'observer-ingress-interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'observer.ingress.interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + original_fieldset: 'interface', + short: 'Interface alias', + type: 'keyword', + }, + 'observer.ingress.interface.id': { + dashed_name: 'observer-ingress-interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'observer.ingress.interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'interface', + short: 'Interface ID', + type: 'keyword', + }, + 'observer.ingress.interface.name': { + dashed_name: 'observer-ingress-interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'observer.ingress.interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'interface', + short: 'Interface name', + type: 'keyword', + }, + 'observer.ingress.vlan.id': { + dashed_name: 'observer-ingress-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'observer.ingress.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'observer.ingress.vlan.name': { + dashed_name: 'observer-ingress-vlan-name', + description: 
'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'observer.ingress.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'observer.ingress.zone': { + dashed_name: 'observer-ingress-zone', + description: + 'Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.', + example: 'DMZ', + flat_name: 'observer.ingress.zone', + ignore_above: 1024, + level: 'extended', + name: 'ingress.zone', + normalize: [], + short: 'Observer ingress zone', + type: 'keyword', + }, + 'observer.ip': { + dashed_name: 'observer-ip', + description: 'IP addresses of the observer.', + flat_name: 'observer.ip', + level: 'core', + name: 'ip', + normalize: ['array'], + short: 'IP addresses of the observer.', + type: 'ip', + }, + 'observer.mac': { + dashed_name: 'observer-mac', + description: + 'MAC addresses of the observer.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]', + flat_name: 'observer.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: ['array'], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC addresses of the observer.', + type: 'keyword', + }, + 'observer.name': { + dashed_name: 'observer-name', + description: + 'Custom name of the observer.\nThis is a name that can be given to an observer. 
This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty.', + example: '1_proxySG', + flat_name: 'observer.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Custom name of the observer.', + type: 'keyword', + }, + 'observer.os.family': { + dashed_name: 'observer-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'observer.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'observer.os.full': { + dashed_name: 'observer-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'observer.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'observer.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'observer.os.kernel': { + dashed_name: 'observer-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'observer.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'observer.os.name': { + dashed_name: 'observer-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'observer.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'observer.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: 
[], + original_fieldset: 'os', + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'observer.os.platform': { + dashed_name: 'observer-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'observer.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'observer.os.type': { + dashed_name: 'observer-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'observer.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'observer.os.version': { + dashed_name: 'observer-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'observer.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'observer.product': { + dashed_name: 'observer-product', + description: 'The product name of the observer.', + example: 's200', + flat_name: 'observer.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + short: 'The product name of the observer.', + type: 'keyword', + }, + 'observer.serial_number': { + dashed_name: 'observer-serial-number', + description: 'Observer 
serial number.', + flat_name: 'observer.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + short: 'Observer serial number.', + type: 'keyword', + }, + 'observer.type': { + dashed_name: 'observer-type', + description: + 'The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.', + example: 'firewall', + flat_name: 'observer.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'The type of the observer the data is coming from.', + type: 'keyword', + }, + 'observer.vendor': { + dashed_name: 'observer-vendor', + description: 'Vendor name of the observer.', + example: 'Symantec', + flat_name: 'observer.vendor', + ignore_above: 1024, + level: 'core', + name: 'vendor', + normalize: [], + short: 'Vendor name of the observer.', + type: 'keyword', + }, + 'observer.version': { + dashed_name: 'observer-version', + description: 'Observer version.', + flat_name: 'observer.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Observer version.', + type: 'keyword', + }, + }, + group: 2, + name: 'observer', + nestings: [ + 'observer.egress.interface', + 'observer.egress.vlan', + 'observer.geo', + 'observer.ingress.interface', + 'observer.ingress.vlan', + 'observer.os', + ], + prefix: 'observer.', + reused_here: [ + { + full: 'observer.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'observer.ingress.interface', + schema_name: 'interface', + short: 'Fields to describe observer interface information.', + }, + { + full: 'observer.egress.interface', + schema_name: 'interface', + short: 'Fields to describe observer interface information.', + }, + { + full: 'observer.os', + schema_name: 'os', + short: 'OS fields contain information about the operating system.', + }, + { + full: 
'observer.ingress.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + { + full: 'observer.egress.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + ], + short: 'Fields describing an entity observing the event from outside the host.', + title: 'Observer', + type: 'group', + }, + orchestrator: { + description: + 'Fields that describe the resources which container orchestrators manage or act upon.', + fields: { + 'orchestrator.api_version': { + dashed_name: 'orchestrator-api-version', + description: 'API version being used to carry out the action', + example: 'v1beta1', + flat_name: 'orchestrator.api_version', + ignore_above: 1024, + level: 'extended', + name: 'api_version', + normalize: [], + short: 'API version being used to carry out the action', + type: 'keyword', + }, + 'orchestrator.cluster.id': { + dashed_name: 'orchestrator-cluster-id', + description: 'Unique ID of the cluster.', + flat_name: 'orchestrator.cluster.id', + ignore_above: 1024, + level: 'extended', + name: 'cluster.id', + normalize: [], + short: 'Unique ID of the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.name': { + dashed_name: 'orchestrator-cluster-name', + description: 'Name of the cluster.', + flat_name: 'orchestrator.cluster.name', + ignore_above: 1024, + level: 'extended', + name: 'cluster.name', + normalize: [], + short: 'Name of the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.url': { + dashed_name: 'orchestrator-cluster-url', + description: 'URL of the API used to manage the cluster.', + flat_name: 'orchestrator.cluster.url', + ignore_above: 1024, + level: 'extended', + name: 'cluster.url', + normalize: [], + short: 'URL of the API used to manage the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.version': { + dashed_name: 'orchestrator-cluster-version', + description: 'The version of the cluster.', + flat_name: 'orchestrator.cluster.version', + ignore_above: 
1024, + level: 'extended', + name: 'cluster.version', + normalize: [], + short: 'The version of the cluster.', + type: 'keyword', + }, + 'orchestrator.namespace': { + dashed_name: 'orchestrator-namespace', + description: 'Namespace in which the action is taking place.', + example: 'kube-system', + flat_name: 'orchestrator.namespace', + ignore_above: 1024, + level: 'extended', + name: 'namespace', + normalize: [], + short: 'Namespace in which the action is taking place.', + type: 'keyword', + }, + 'orchestrator.organization': { + dashed_name: 'orchestrator-organization', + description: 'Organization affected by the event (for multi-tenant orchestrator setups).', + example: 'elastic', + flat_name: 'orchestrator.organization', + ignore_above: 1024, + level: 'extended', + name: 'organization', + normalize: [], + short: 'Organization affected by the event (for multi-tenant orchestrator setups).', + type: 'keyword', + }, + 'orchestrator.resource.id': { + dashed_name: 'orchestrator-resource-id', + description: 'Unique ID of the resource being acted upon.', + flat_name: 'orchestrator.resource.id', + ignore_above: 1024, + level: 'extended', + name: 'resource.id', + normalize: [], + short: 'Unique ID of the resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.resource.ip': { + dashed_name: 'orchestrator-resource-ip', + description: + 'IP address assigned to the resource associated with the event being observed. 
In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).', + flat_name: 'orchestrator.resource.ip', + level: 'extended', + name: 'resource.ip', + normalize: ['array'], + short: 'IP address assigned to the resource associated with the event being observed.', + type: 'ip', + }, + 'orchestrator.resource.name': { + dashed_name: 'orchestrator-resource-name', + description: 'Name of the resource being acted upon.', + example: 'test-pod-cdcws', + flat_name: 'orchestrator.resource.name', + ignore_above: 1024, + level: 'extended', + name: 'resource.name', + normalize: [], + short: 'Name of the resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.resource.parent.type': { + dashed_name: 'orchestrator-resource-parent-type', + description: + 'Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet).', + example: 'DaemonSet', + flat_name: 'orchestrator.resource.parent.type', + ignore_above: 1024, + level: 'extended', + name: 'resource.parent.type', + normalize: [], + short: 'Type or kind of the parent resource associated with the event being observed.', + type: 'keyword', + }, + 'orchestrator.resource.type': { + dashed_name: 'orchestrator-resource-type', + description: 'Type of resource being acted upon.', + example: 'service', + flat_name: 'orchestrator.resource.type', + ignore_above: 1024, + level: 'extended', + name: 'resource.type', + normalize: [], + short: 'Type of resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.type': { + dashed_name: 'orchestrator-type', + description: 'Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).', + example: 'kubernetes', + flat_name: 'orchestrator.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry).', + type: 'keyword', + }, + }, + group: 2, + name: 'orchestrator', + prefix: 'orchestrator.', + short: 'Fields relevant to container orchestrators.', + title: 'Orchestrator', + type: 'group', + }, + organization: { + description: + 'The organization fields enrich data with information about the company or entity the data is associated with.\nThese fields help you arrange or filter data stored in an index by one or multiple organizations.', + fields: { + 'organization.id': { + dashed_name: 'organization-id', + description: 'Unique identifier for the organization.', + flat_name: 'organization.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Unique identifier for the organization.', + type: 'keyword', + }, + 'organization.name': { + dashed_name: 'organization-name', + description: 'Organization name.', + flat_name: 'organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + short: 'Organization name.', + type: 'keyword', + }, + }, + group: 2, + name: 'organization', + prefix: 'organization.', + short: 'Fields describing the organization or company the event is associated with.', + title: 'Organization', + type: 'group', + }, + os: { + description: 'The OS fields contain information about the operating system.', + fields: { + 'os.family': { + dashed_name: 'os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'os.full': { + dashed_name: 'os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'os.full', + ignore_above: 1024, + 
level: 'extended', + multi_fields: [{ flat_name: 'os.full.text', name: 'text', type: 'match_only_text' }], + name: 'full', + normalize: [], + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'os.kernel': { + dashed_name: 'os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'os.name': { + dashed_name: 'os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [{ flat_name: 'os.name.text', name: 'text', type: 'match_only_text' }], + name: 'name', + normalize: [], + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'os.platform': { + dashed_name: 'os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'os.type': { + dashed_name: 'os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. 
Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'os.version': { + dashed_name: 'os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + }, + group: 2, + name: 'os', + prefix: 'os.', + reusable: { + expected: [ + { as: 'os', at: 'observer', full: 'observer.os' }, + { as: 'os', at: 'host', full: 'host.os' }, + { as: 'os', at: 'user_agent', full: 'user_agent.os' }, + ], + top_level: false, + }, + short: 'OS fields contain information about the operating system.', + title: 'Operating System', + type: 'group', + }, + package: { + description: + 'These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. 
It also contains installation details, such as time or location.', + fields: { + 'package.architecture': { + dashed_name: 'package-architecture', + description: 'Package architecture.', + example: 'x86_64', + flat_name: 'package.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + short: 'Package architecture.', + type: 'keyword', + }, + 'package.build_version': { + dashed_name: 'package-build-version', + description: + 'Additional information about the build version of the installed package.\nFor example use the commit SHA of a non-released package.', + example: '36f4f7e89dd61b0988b12ee000b98966867710cd', + flat_name: 'package.build_version', + ignore_above: 1024, + level: 'extended', + name: 'build_version', + normalize: [], + short: 'Build version information', + type: 'keyword', + }, + 'package.checksum': { + dashed_name: 'package-checksum', + description: 'Checksum of the installed package for verification.', + example: '68b329da9893e34099c7d8ad5cb9c940', + flat_name: 'package.checksum', + ignore_above: 1024, + level: 'extended', + name: 'checksum', + normalize: [], + short: 'Checksum of the installed package for verification.', + type: 'keyword', + }, + 'package.description': { + dashed_name: 'package-description', + description: 'Description of the package.', + example: 'Open source programming language to build simple/reliable/efficient software.', + flat_name: 'package.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Description of the package.', + type: 'keyword', + }, + 'package.install_scope': { + dashed_name: 'package-install-scope', + description: 'Indicating how the package was installed, e.g. user-local, global.', + example: 'global', + flat_name: 'package.install_scope', + ignore_above: 1024, + level: 'extended', + name: 'install_scope', + normalize: [], + short: 'Indicating how the package was installed, e.g. 
user-local, global.', + type: 'keyword', + }, + 'package.installed': { + dashed_name: 'package-installed', + description: 'Time when package was installed.', + flat_name: 'package.installed', + level: 'extended', + name: 'installed', + normalize: [], + short: 'Time when package was installed.', + type: 'date', + }, + 'package.license': { + dashed_name: 'package-license', + description: + 'License under which the package was released.\nUse a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).', + example: 'Apache License 2.0', + flat_name: 'package.license', + ignore_above: 1024, + level: 'extended', + name: 'license', + normalize: [], + short: 'Package license', + type: 'keyword', + }, + 'package.name': { + dashed_name: 'package-name', + description: 'Package name', + example: 'go', + flat_name: 'package.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Package name', + type: 'keyword', + }, + 'package.path': { + dashed_name: 'package-path', + description: 'Path where the package is installed.', + example: '/usr/local/Cellar/go/1.12.9/', + flat_name: 'package.path', + ignore_above: 1024, + level: 'extended', + name: 'path', + normalize: [], + short: 'Path where the package is installed.', + type: 'keyword', + }, + 'package.reference': { + dashed_name: 'package-reference', + description: 'Home page or reference URL of the software in this package, if available.', + example: 'https://golang.org', + flat_name: 'package.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Package home page or reference URL', + type: 'keyword', + }, + 'package.size': { + dashed_name: 'package-size', + description: 'Package size in bytes.', + example: 62231, + flat_name: 'package.size', + format: 'string', + level: 'extended', + name: 'size', + normalize: [], + short: 'Package size in bytes.', + type: 'long', + }, + 'package.type': { + 
dashed_name: 'package-type', + description: + 'Type of package.\nThis should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.', + example: 'rpm', + flat_name: 'package.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Package type', + type: 'keyword', + }, + 'package.version': { + dashed_name: 'package-version', + description: 'Package version', + example: '1.12.9', + flat_name: 'package.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Package version', + type: 'keyword', + }, + }, + group: 2, + name: 'package', + prefix: 'package.', + short: 'These fields contain information about an installed software package.', + title: 'Package', + type: 'group', + }, + pe: { + description: 'These fields contain Windows Portable Executable (PE) metadata.', + fields: { + 'pe.architecture': { + dashed_name: 'pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'pe.company': { + dashed_name: 'pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'pe.description': { + dashed_name: 'pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'pe.file_version': { 
+ dashed_name: 'pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + short: 'Process name.', + type: 'keyword', + }, + 'pe.imphash': { + dashed_name: 'pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'pe.original_file_name': { + dashed_name: 'pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'pe.pehash': { + dashed_name: 'pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'pe.product': { + dashed_name: 'pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + }, + group: 2, + name: 'pe', + prefix: 'pe.', + reusable: { + expected: [ + { as: 'pe', at: 'file', full: 'file.pe' }, + { as: 'pe', at: 'dll', full: 'dll.pe' }, + { as: 'pe', at: 'process', full: 'process.pe' }, + ], + top_level: false, + }, + short: 'These fields contain Windows Portable Executable (PE) metadata.', + title: 'PE Header', + type: 'group', + }, + process: { + description: + 'These fields contain information about a process.\nThese fields can help you correlate metrics information with a process id/name from a log message. 
The `process.pid` often stays in the metric itself and is copied to the global field for correlation.', + fields: { + 'process.args': { + dashed_name: 'process-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.args_count': { + dashed_name: 'process-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.code_signature.digest_algorithm': { + dashed_name: 'process-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'process.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.exists': { + dashed_name: 'process-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'process.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 
'boolean', + }, + 'process.code_signature.signing_id': { + dashed_name: 'process-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'process.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.status': { + dashed_name: 'process-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'process.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'process.code_signature.subject_name': { + dashed_name: 'process-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'process.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'process.code_signature.team_id': { + dashed_name: 'process-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'process.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.timestamp': { + dashed_name: 'process-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'process.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'process.code_signature.trusted': { + dashed_name: 'process-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'process.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'process.code_signature.valid': { + dashed_name: 'process-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'process.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'process.command_line': { + dashed_name: 'process-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and 
all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.elf.architecture': { + dashed_name: 'process-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'process.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'process.elf.byte_order': { + dashed_name: 'process-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'process.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'process.elf.cpu_type': { + dashed_name: 'process-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'process.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'process.elf.creation_date': { + dashed_name: 'process-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'process.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'process.elf.exports': { + dashed_name: 'process-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'process.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'process.elf.header.abi_version': { + dashed_name: 'process-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'process.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'process.elf.header.class': { + dashed_name: 'process-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'process.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'process.elf.header.data': { + dashed_name: 'process-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'process.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'process.elf.header.entrypoint': { + dashed_name: 'process-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'process.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF 
file.', + type: 'long', + }, + 'process.elf.header.object_version': { + dashed_name: 'process-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'process.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'process.elf.header.os_abi': { + dashed_name: 'process-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'process.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'process.elf.header.type': { + dashed_name: 'process-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'process.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'process.elf.header.version': { + dashed_name: 'process-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'process.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'process.elf.imports': { + dashed_name: 'process-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'process.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'process.elf.sections': { + dashed_name: 'process-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in 
these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'process.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'process.elf.sections.chi2': { + dashed_name: 'process-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'process.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'process.elf.sections.entropy': { + dashed_name: 'process-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'process.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'process.elf.sections.flags': { + dashed_name: 'process-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'process.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'process.elf.sections.name': { + dashed_name: 'process-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'process.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'process.elf.sections.physical_offset': { + dashed_name: 'process-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'process.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: 
[], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'process.elf.sections.physical_size': { + dashed_name: 'process-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'process.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'process.elf.sections.type': { + dashed_name: 'process-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'process.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'process.elf.sections.virtual_address': { + dashed_name: 'process-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'process.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'process.elf.sections.virtual_size': { + dashed_name: 'process-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'process.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'process.elf.segments': { + dashed_name: 'process-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'process.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + 
type: 'nested', + }, + 'process.elf.segments.sections': { + dashed_name: 'process-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'process.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'process.elf.segments.type': { + dashed_name: 'process-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'process.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'process.elf.shared_libraries': { + dashed_name: 'process-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'process.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'process.elf.telfhash': { + dashed_name: 'process-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'process.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'process.end': { + dashed_name: 'process-end', + description: 'The time the process ended.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.end', + level: 'extended', + name: 'end', + normalize: [], + short: 'The time the process ended.', + type: 'date', + }, + 'process.entity_id': { + dashed_name: 'process-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, 
or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.args': { + dashed_name: 'process-entry-leader-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.entry_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.entry_leader.args_count': { + dashed_name: 'process-entry-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.entry_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.entry_leader.attested_groups.name': { + dashed_name: 'process-entry-leader-attested-groups-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.attested_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.attested_user.id': { + dashed_name: 'process-entry-leader-attested-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.attested_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.attested_user.name': { + dashed_name: 'process-entry-leader-attested-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.attested_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.attested_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.command_line': { + dashed_name: 'process-entry-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 
'process.entry_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.entry_leader.entity_id': { + dashed_name: 'process-entry-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.entry_meta.source.ip': { + dashed_name: 'process-entry-leader-entry-meta-source-ip', + description: 'IP address of the source (IPv4 or IPv6).', + flat_name: 'process.entry_leader.entry_meta.source.ip', + level: 'core', + name: 'ip', + normalize: [], + original_fieldset: 'source', + short: 'IP address of the source.', + type: 'ip', + }, + 'process.entry_leader.entry_meta.type': { + dashed_name: 'process-entry-leader-entry-meta-type', + description: + 'The entry type for the entry session leader. 
Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console\nNote: This field is only set on process.session_leader.', + flat_name: 'process.entry_leader.entry_meta.type', + ignore_above: 1024, + level: 'extended', + name: 'entry_meta.type', + normalize: [], + original_fieldset: 'process', + short: 'The entry type for the entry session leader.', + type: 'keyword', + }, + 'process.entry_leader.executable': { + dashed_name: 'process-entry-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.entry_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.entry_leader.group.id': { + dashed_name: 'process-entry-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.group.name': { + dashed_name: 'process-entry-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.interactive': { + dashed_name: 'process-entry-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. 
If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.entry_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.entry_leader.name': { + dashed_name: 'process-entry-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.entry_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.entry_leader.parent.entity_id': { + dashed_name: 'process-entry-leader-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for 
the process.', + type: 'keyword', + }, + 'process.entry_leader.parent.pid': { + dashed_name: 'process-entry-leader-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.parent.session_leader.entity_id': { + dashed_name: 'process-entry-leader-parent-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.parent.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.parent.session_leader.pid': { + dashed_name: 'process-entry-leader-parent-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.parent.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.parent.session_leader.start': { + dashed_name: 'process-entry-leader-parent-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.parent.session_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process 
started.', + type: 'date', + }, + 'process.entry_leader.parent.start': { + dashed_name: 'process-entry-leader-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.entry_leader.pid': { + dashed_name: 'process-entry-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.real_group.id': { + dashed_name: 'process-entry-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.real_group.name': { + dashed_name: 'process-entry-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.real_user.id': { + dashed_name: 'process-entry-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.real_user.name': { + dashed_name: 
'process-entry-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.same_as_process': { + dashed_name: 'process-entry-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. 
e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.entry_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.entry_leader.saved_group.id': { + dashed_name: 'process-entry-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.saved_group.name': { + dashed_name: 'process-entry-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.saved_user.id': { + dashed_name: 'process-entry-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.saved_user.name': { + 
dashed_name: 'process-entry-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.start': { + dashed_name: 'process-entry-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.entry_leader.supplemental_groups.id': { + dashed_name: 'process-entry-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.supplemental_groups.name': { + dashed_name: 'process-entry-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.tty': { + dashed_name: 'process-entry-leader-tty', + description: + 'Information about the controlling TTY device. 
If set, the process belongs to an interactive session.', + flat_name: 'process.entry_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.entry_leader.tty.char_device.major': { + dashed_name: 'process-entry-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.entry_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.entry_leader.tty.char_device.minor': { + dashed_name: 'process-entry-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.entry_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.entry_leader.user.id': { + dashed_name: 'process-entry-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.user.name': { + dashed_name: 'process-entry-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.working_directory': { + dashed_name: 'process-entry-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.entry_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.env_vars': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-env-vars', + description: + 
'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.\nMay be filtered to protect sensitive information.', + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]', + flat_name: 'process.env_vars', + ignore_above: 1024, + level: 'extended', + name: 'env_vars', + normalize: ['array'], + short: 'Array of environment variable bindings.', + type: 'keyword', + }, + 'process.executable': { + dashed_name: 'process-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.exit_code': { + dashed_name: 'process-exit-code', + description: + 'The exit code of the process, if this is a termination event.\nThe field should be absent if there is no exit code for the event (e.g. 
process start).', + example: 137, + flat_name: 'process.exit_code', + level: 'extended', + name: 'exit_code', + normalize: [], + short: 'The exit code of the process.', + type: 'long', + }, + 'process.group_leader.args': { + dashed_name: 'process-group-leader-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.group_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.group_leader.args_count': { + dashed_name: 'process-group-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.group_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.group_leader.command_line': { + dashed_name: 'process-group-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.group_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.group_leader.entity_id': { + dashed_name: 
'process-group-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.group_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.group_leader.executable': { + dashed_name: 'process-group-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.group_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.group_leader.group.id': { + dashed_name: 'process-group-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.group.name': { + dashed_name: 'process-group-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + 
type: 'keyword', + }, + 'process.group_leader.interactive': { + dashed_name: 'process-group-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.group_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.group_leader.name': { + dashed_name: 'process-group-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.group_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.group_leader.pid': { + dashed_name: 'process-group-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.group_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.group_leader.real_group.id': { + dashed_name: 'process-group-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 
'process.group_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.real_group.name': { + dashed_name: 'process-group-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.group_leader.real_user.id': { + dashed_name: 'process-group-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.real_user.name': { + dashed_name: 'process-group-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.same_as_process': { + dashed_name: 'process-group-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. 
Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.group_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.group_leader.saved_group.id': { + dashed_name: 'process-group-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.saved_group.name': { + dashed_name: 'process-group-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.group_leader.saved_user.id': { + dashed_name: 'process-group-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.saved_user.name': { + dashed_name: 'process-group-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.start': { + dashed_name: 'process-group-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.group_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.group_leader.supplemental_groups.id': { + dashed_name: 'process-group-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.supplemental_groups.name': { + dashed_name: 'process-group-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 
'process.group_leader.tty': { + dashed_name: 'process-group-leader-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.group_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.group_leader.tty.char_device.major': { + dashed_name: 'process-group-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.group_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.group_leader.tty.char_device.minor': { + dashed_name: 'process-group-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.group_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.group_leader.user.id': { + dashed_name: 'process-group-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.user.name': { + dashed_name: 'process-group-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.working_directory': { + dashed_name: 'process-group-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.group_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.hash.md5': { + dashed_name: 'process-hash-md5', + description: 'MD5 hash.', + flat_name: 'process.hash.md5', + 
ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'process.hash.sha1': { + dashed_name: 'process-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'process.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'process.hash.sha256': { + dashed_name: 'process-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'process.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'process.hash.sha384': { + dashed_name: 'process-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'process.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'process.hash.sha512': { + dashed_name: 'process-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'process.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'process.hash.ssdeep': { + dashed_name: 'process-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'process.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'process.hash.tlsh': { + dashed_name: 'process-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'process.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'process.interactive': { + dashed_name: 'process-interactive', + description: + 'Whether the process is connected to an interactive 
shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.io': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io', + description: + 'A chunk of input or output (IO) from a single process.\nThis field only appears on the top level process object, which is the process that wrote the output or read the input.', + flat_name: 'process.io', + level: 'extended', + name: 'io', + normalize: [], + short: 'A chunk of input or output (IO) from a single process.', + type: 'object', + }, + 'process.io.bytes_skipped': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped', + description: + 'An array of byte offsets and lengths denoting where IO data has been skipped.', + flat_name: 'process.io.bytes_skipped', + level: 'extended', + name: 'io.bytes_skipped', + normalize: ['array'], + short: 'An array of byte offsets and lengths denoting where IO data has been skipped.', + type: 'object', + }, + 'process.io.bytes_skipped.length': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped-length', + description: 'The length of bytes skipped.', + flat_name: 'process.io.bytes_skipped.length', + level: 'extended', + name: 'io.bytes_skipped.length', + normalize: [], + short: 
'The length of bytes skipped.', + type: 'long', + }, + 'process.io.bytes_skipped.offset': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped-offset', + description: + "The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.", + flat_name: 'process.io.bytes_skipped.offset', + level: 'extended', + name: 'io.bytes_skipped.offset', + normalize: [], + short: + "The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.", + type: 'long', + }, + 'process.io.max_bytes_per_process_exceeded': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-max-bytes-per-process-exceeded', + description: + 'If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.', + flat_name: 'process.io.max_bytes_per_process_exceeded', + level: 'extended', + name: 'io.max_bytes_per_process_exceeded', + normalize: [], + short: + 'If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.', + type: 'boolean', + }, + 'process.io.text': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-text', + description: + 'A chunk of output or input sanitized to UTF-8.\nBest efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. 
TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.', + flat_name: 'process.io.text', + level: 'extended', + name: 'io.text', + normalize: [], + short: 'A chunk of output or input sanitized to UTF-8.', + type: 'wildcard', + }, + 'process.io.total_bytes_captured': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-total-bytes-captured', + description: 'The total number of bytes captured in this event.', + flat_name: 'process.io.total_bytes_captured', + level: 'extended', + name: 'io.total_bytes_captured', + normalize: [], + short: 'The total number of bytes captured in this event.', + type: 'long', + }, + 'process.io.total_bytes_skipped': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-total-bytes-skipped', + description: + 'The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero', + flat_name: 'process.io.total_bytes_skipped', + level: 'extended', + name: 'io.total_bytes_skipped', + normalize: [], + short: + 'The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.', + type: 'long', + }, + 'process.io.type': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-type', + description: + "The type of object on which the IO action (read or write) was taken.\nCurrently only 'tty' is supported. 
Other types may be added in the future for 'file' and 'socket' support.", + flat_name: 'process.io.type', + ignore_above: 1024, + level: 'extended', + name: 'io.type', + normalize: [], + short: 'The type of object on which the IO action (read or write) was taken.', + type: 'keyword', + }, + 'process.name': { + dashed_name: 'process-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.args': { + dashed_name: 'process-parent-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.parent.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.parent.args_count': { + dashed_name: 'process-parent-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.parent.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.parent.code_signature.digest_algorithm': { + dashed_name: 'process-parent-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'process.parent.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.exists': { + dashed_name: 'process-parent-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'process.parent.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'process.parent.code_signature.signing_id': { + dashed_name: 'process-parent-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'process.parent.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.status': { + dashed_name: 'process-parent-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'process.parent.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'process.parent.code_signature.subject_name': { + dashed_name: 'process-parent-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'process.parent.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'process.parent.code_signature.team_id': { + dashed_name: 'process-parent-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'process.parent.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.timestamp': { + dashed_name: 'process-parent-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'process.parent.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'process.parent.code_signature.trusted': { + dashed_name: 'process-parent-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'process.parent.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'process.parent.code_signature.valid': { + dashed_name: 'process-parent-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'process.parent.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'process.parent.command_line': { + dashed_name: 'process-parent-command-line', + description: + 'Full 
command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.parent.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.parent.elf.architecture': { + dashed_name: 'process-parent-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'process.parent.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.byte_order': { + dashed_name: 'process-parent-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'process.parent.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'process.parent.elf.cpu_type': { + dashed_name: 'process-parent-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'process.parent.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.creation_date': { + dashed_name: 'process-parent-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'process.parent.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'process.parent.elf.exports': { + dashed_name: 'process-parent-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'process.parent.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'process.parent.elf.header.abi_version': { + dashed_name: 'process-parent-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'process.parent.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'process.parent.elf.header.class': { + dashed_name: 'process-parent-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'process.parent.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.header.data': { + dashed_name: 'process-parent-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'process.parent.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'process.parent.elf.header.entrypoint': { + dashed_name: 'process-parent-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'process.parent.elf.header.entrypoint', + format: 'string', + level: 'extended', 
+ name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'process.parent.elf.header.object_version': { + dashed_name: 'process-parent-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'process.parent.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'process.parent.elf.header.os_abi': { + dashed_name: 'process-parent-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'process.parent.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'process.parent.elf.header.type': { + dashed_name: 'process-parent-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'process.parent.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.header.version': { + dashed_name: 'process-parent-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'process.parent.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'process.parent.elf.imports': { + dashed_name: 'process-parent-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'process.parent.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and 
types.', + type: 'flattened', + }, + 'process.parent.elf.sections': { + dashed_name: 'process-parent-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'process.parent.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'process.parent.elf.sections.chi2': { + dashed_name: 'process-parent-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'process.parent.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'process.parent.elf.sections.entropy': { + dashed_name: 'process-parent-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'process.parent.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'process.parent.elf.sections.flags': { + dashed_name: 'process-parent-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'process.parent.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'process.parent.elf.sections.name': { + dashed_name: 'process-parent-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'process.parent.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF 
Section List name.', + type: 'keyword', + }, + 'process.parent.elf.sections.physical_offset': { + dashed_name: 'process-parent-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'process.parent.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'process.parent.elf.sections.physical_size': { + dashed_name: 'process-parent-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'process.parent.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'process.parent.elf.sections.type': { + dashed_name: 'process-parent-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'process.parent.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'process.parent.elf.sections.virtual_address': { + dashed_name: 'process-parent-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'process.parent.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'process.parent.elf.sections.virtual_size': { + dashed_name: 'process-parent-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'process.parent.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 
'long', + }, + 'process.parent.elf.segments': { + dashed_name: 'process-parent-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'process.parent.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'process.parent.elf.segments.sections': { + dashed_name: 'process-parent-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'process.parent.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'process.parent.elf.segments.type': { + dashed_name: 'process-parent-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'process.parent.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'process.parent.elf.shared_libraries': { + dashed_name: 'process-parent-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'process.parent.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'process.parent.elf.telfhash': { + dashed_name: 'process-parent-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'process.parent.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 
'process.parent.end': { + dashed_name: 'process-parent-end', + description: 'The time the process ended.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.end', + level: 'extended', + name: 'end', + normalize: [], + original_fieldset: 'process', + short: 'The time the process ended.', + type: 'date', + }, + 'process.parent.entity_id': { + dashed_name: 'process-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.parent.executable': { + dashed_name: 'process-parent-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.parent.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.parent.exit_code': { + dashed_name: 'process-parent-exit-code', + description: + 'The exit code of the process, if this is a termination event.\nThe field should be absent if there is no exit code for the event (e.g. 
process start).', + example: 137, + flat_name: 'process.parent.exit_code', + level: 'extended', + name: 'exit_code', + normalize: [], + original_fieldset: 'process', + short: 'The exit code of the process.', + type: 'long', + }, + 'process.parent.group.id': { + dashed_name: 'process-parent-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.group.name': { + dashed_name: 'process-parent-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.group_leader.entity_id': { + dashed_name: 'process-parent-group-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.parent.group_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.parent.group_leader.pid': { + dashed_name: 'process-parent-group-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.parent.group_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], 
+ original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.parent.group_leader.start': { + dashed_name: 'process-parent-group-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.group_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.parent.hash.md5': { + dashed_name: 'process-parent-hash-md5', + description: 'MD5 hash.', + flat_name: 'process.parent.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha1': { + dashed_name: 'process-parent-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'process.parent.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha256': { + dashed_name: 'process-parent-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'process.parent.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha384': { + dashed_name: 'process-parent-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'process.parent.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha512': { + dashed_name: 'process-parent-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'process.parent.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 
'process.parent.hash.ssdeep': { + dashed_name: 'process-parent-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'process.parent.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'process.parent.hash.tlsh': { + dashed_name: 'process-parent-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'process.parent.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'process.parent.interactive': { + dashed_name: 'process-parent-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.parent.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.parent.name': { + dashed_name: 'process-parent-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.parent.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.pe.architecture': { + dashed_name: 'process-parent-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'process.parent.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'process.parent.pe.company': { + dashed_name: 'process-parent-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'process.parent.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.description': { + dashed_name: 'process-parent-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'process.parent.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', 
+ short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.file_version': { + dashed_name: 'process-parent-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'process.parent.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.pe.imphash': { + dashed_name: 'process-parent-pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'process.parent.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'process.parent.pe.original_file_name': { + dashed_name: 'process-parent-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'process.parent.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.pehash': { + dashed_name: 'process-parent-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'process.parent.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'process.parent.pe.product': { + dashed_name: 'process-parent-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'process.parent.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pgid': { + dashed_name: 'process-parent-pgid', + description: + 'Deprecated for removal in next major version release. 
This field is superseded by `process.group_leader.pid`.\nIdentifier of the group of processes the process belongs to.', + flat_name: 'process.parent.pgid', + format: 'string', + level: 'extended', + name: 'pgid', + normalize: [], + original_fieldset: 'process', + short: 'Deprecated identifier of the group of processes the process belongs to.', + type: 'long', + }, + 'process.parent.pid': { + dashed_name: 'process-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.parent.real_group.id': { + dashed_name: 'process-parent-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.real_group.name': { + dashed_name: 'process-parent-real-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.real_user.id': { + dashed_name: 'process-parent-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.real_user.name': { + dashed_name: 'process-parent-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.real_user.name', + 
ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.saved_group.id': { + dashed_name: 'process-parent-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.saved_group.name': { + dashed_name: 'process-parent-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.saved_user.id': { + dashed_name: 'process-parent-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.saved_user.name': { + dashed_name: 'process-parent-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.start': { + dashed_name: 
'process-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.parent.supplemental_groups.id': { + dashed_name: 'process-parent-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.supplemental_groups.name': { + dashed_name: 'process-parent-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.parent.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.thread.id': { + dashed_name: 'process-parent-thread-id', + description: 'Thread ID.', + example: 4242, + flat_name: 'process.parent.thread.id', + format: 'string', + level: 'extended', + name: 'thread.id', + normalize: [], + original_fieldset: 'process', + short: 'Thread ID.', + type: 'long', + }, + 'process.parent.thread.name': { + dashed_name: 'process-parent-thread-name', + description: 'Thread name.', + example: 'thread-0', + flat_name: 'process.parent.thread.name', + ignore_above: 1024, + level: 'extended', + name: 'thread.name', + normalize: [], + original_fieldset: 'process', + short: 'Thread name.', + type: 'keyword', + }, + 'process.parent.title': { + dashed_name: 'process-parent-title', + description: + 'Process title.\nThe proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.', + flat_name: 'process.parent.title', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.title.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'title', + normalize: [], + original_fieldset: 'process', + short: 'Process title.', + type: 'keyword', + }, + 'process.parent.tty': { + dashed_name: 'process-parent-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.parent.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.parent.tty.char_device.major': { + dashed_name: 'process-parent-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.parent.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.parent.tty.char_device.minor': { + dashed_name: 'process-parent-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.parent.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.parent.uptime': { + dashed_name: 'process-parent-uptime', + description: 'Seconds the process has been up.', + example: 1325, + flat_name: 'process.parent.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + original_fieldset: 'process', + short: 'Seconds the process has been up.', + type: 'long', + }, + 'process.parent.user.id': { + dashed_name: 'process-parent-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.user.name': { + dashed_name: 'process-parent-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.working_directory': { + dashed_name: 'process-parent-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.parent.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', 
+ normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.pe.architecture': { + dashed_name: 'process-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'process.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'process.pe.company': { + dashed_name: 'process-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'process.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.description': { + dashed_name: 'process-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'process.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.file_version': { + dashed_name: 'process-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'process.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'process.pe.imphash': { + dashed_name: 'process-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'process.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'process.pe.original_file_name': { + dashed_name: 'process-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'process.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.pehash': { + dashed_name: 'process-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'process.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'process.pe.product': { + dashed_name: 'process-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'process.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pgid': { + dashed_name: 'process-pgid', + description: + 'Deprecated for removal in next major version release. 
This field is superseded by `process.group_leader.pid`.\nIdentifier of the group of processes the process belongs to.', + flat_name: 'process.pgid', + format: 'string', + level: 'extended', + name: 'pgid', + normalize: [], + short: 'Deprecated identifier of the group of processes the process belongs to.', + type: 'long', + }, + 'process.pid': { + dashed_name: 'process-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + short: 'Process id.', + type: 'long', + }, + 'process.previous.args': { + dashed_name: 'process-previous-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.previous.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.previous.args_count': { + dashed_name: 'process-previous-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.previous.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.previous.executable': { + dashed_name: 'process-previous-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.previous.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.previous.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.real_group.id': { + dashed_name: 'process-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.real_group.name': { + dashed_name: 'process-real-group-name', + description: 'Name of the group.', + flat_name: 'process.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.real_user.id': { + dashed_name: 'process-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.real_user.name': { + dashed_name: 'process-real-user-name', + description: 'Short name or login of the user.', + 
example: 'a.einstein', + flat_name: 'process.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.saved_group.id': { + dashed_name: 'process-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.saved_group.name': { + dashed_name: 'process-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.saved_user.id': { + dashed_name: 'process-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.saved_user.name': { + dashed_name: 'process-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.args': { + dashed_name: 'process-session-leader-args', + 
description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.session_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.session_leader.args_count': { + dashed_name: 'process-session-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.session_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.session_leader.command_line': { + dashed_name: 'process-session-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.session_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.session_leader.entity_id': { + dashed_name: 'process-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of 
some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.executable': { + dashed_name: 'process-session-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.session_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.session_leader.group.id': { + dashed_name: 'process-session-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.group.name': { + dashed_name: 'process-session-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.interactive': { + dashed_name: 'process-session-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from 
the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.session_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.session_leader.name': { + dashed_name: 'process-session-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.session_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.session_leader.parent.entity_id': { + dashed_name: 'process-session-leader-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + 
original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.parent.pid': { + dashed_name: 'process-session-leader-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.parent.session_leader.entity_id': { + dashed_name: 'process-session-leader-parent-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.parent.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.parent.session_leader.pid': { + dashed_name: 'process-session-leader-parent-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.parent.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.parent.session_leader.start': { + dashed_name: 'process-session-leader-parent-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.parent.session_leader.start', + level: 'extended', + name: 
'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.parent.start': { + dashed_name: 'process-session-leader-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.pid': { + dashed_name: 'process-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.real_group.id': { + dashed_name: 'process-session-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.real_group.name': { + dashed_name: 'process-session-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.real_user.id': { + dashed_name: 'process-session-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the 
user.', + type: 'keyword', + }, + 'process.session_leader.real_user.name': { + dashed_name: 'process-session-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.same_as_process': { + dashed_name: 'process-session-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. 
e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.session_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.session_leader.saved_group.id': { + dashed_name: 'process-session-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.saved_group.name': { + dashed_name: 'process-session-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.saved_user.id': { + dashed_name: 'process-session-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 
'process.session_leader.saved_user.name': { + dashed_name: 'process-session-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.start': { + dashed_name: 'process-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.supplemental_groups.id': { + dashed_name: 'process-session-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.supplemental_groups.name': { + dashed_name: 'process-session-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.tty': { + dashed_name: 'process-session-leader-tty', + description: + 'Information about the controlling TTY device. 
If set, the process belongs to an interactive session.', + flat_name: 'process.session_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.session_leader.tty.char_device.major': { + dashed_name: 'process-session-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.session_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.session_leader.tty.char_device.minor': { + dashed_name: 'process-session-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.session_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.session_leader.user.id': { + dashed_name: 'process-session-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.session_leader.user.name': { + dashed_name: 'process-session-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.working_directory': { + dashed_name: 'process-session-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.session_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.start': { + dashed_name: 'process-start', + description: 'The time the process started.', + 
example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.start', + level: 'extended', + name: 'start', + normalize: [], + short: 'The time the process started.', + type: 'date', + }, + 'process.supplemental_groups.id': { + dashed_name: 'process-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.supplemental_groups.name': { + dashed_name: 'process-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.thread.id': { + dashed_name: 'process-thread-id', + description: 'Thread ID.', + example: 4242, + flat_name: 'process.thread.id', + format: 'string', + level: 'extended', + name: 'thread.id', + normalize: [], + short: 'Thread ID.', + type: 'long', + }, + 'process.thread.name': { + dashed_name: 'process-thread-name', + description: 'Thread name.', + example: 'thread-0', + flat_name: 'process.thread.name', + ignore_above: 1024, + level: 'extended', + name: 'thread.name', + normalize: [], + short: 'Thread name.', + type: 'keyword', + }, + 'process.title': { + dashed_name: 'process-title', + description: + 'Process title.\nThe proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.', + flat_name: 'process.title', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.title.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'title', + normalize: [], + short: 'Process title.', + type: 'keyword', + }, + 'process.tty': { + dashed_name: 'process-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.tty', + level: 'extended', + name: 'tty', + normalize: [], + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.tty.char_device.major': { + dashed_name: 'process-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.tty.char_device.minor': { + dashed_name: 'process-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.tty.columns': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-tty-columns', + description: + "The number of character columns per line. e.g terminal width\nTerminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'", + example: 80, + flat_name: 'process.tty.columns', + level: 'extended', + name: 'tty.columns', + normalize: [], + short: 'The number of character columns per line. e.g terminal width', + type: 'long', + }, + 'process.tty.rows': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-tty-rows', + description: + "The number of character rows in the terminal. e.g terminal height\nTerminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'", + example: 24, + flat_name: 'process.tty.rows', + level: 'extended', + name: 'tty.rows', + normalize: [], + short: 'The number of character rows in the terminal. 
e.g terminal height', + type: 'long', + }, + 'process.uptime': { + dashed_name: 'process-uptime', + description: 'Seconds the process has been up.', + example: 1325, + flat_name: 'process.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + short: 'Seconds the process has been up.', + type: 'long', + }, + 'process.user.id': { + dashed_name: 'process-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.user.name': { + dashed_name: 'process-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.working_directory': { + dashed_name: 'process-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + short: 'The working directory of the process.', + type: 'keyword', + }, + }, + group: 2, + name: 'process', + nestings: [ + 'process.attested_groups', + 'process.attested_user', + 'process.code_signature', + 'process.elf', + 'process.entry_leader', + 'process.entry_leader.parent', + 'process.entry_leader.parent.session_leader', + 'process.entry_meta.source', + 'process.group', + 'process.group_leader', + 'process.hash', + 'process.parent', 
+ 'process.parent.group_leader', + 'process.pe', + 'process.previous', + 'process.real_group', + 'process.real_user', + 'process.saved_group', + 'process.saved_user', + 'process.session_leader', + 'process.session_leader.parent', + 'process.session_leader.parent.session_leader', + 'process.supplemental_groups', + 'process.user', + ], + prefix: 'process.', + reusable: { + expected: [ + { + as: 'parent', + at: 'process', + full: 'process.parent', + short_override: 'Information about the parent process.', + }, + { + as: 'entry_leader', + at: 'process', + full: 'process.entry_leader', + short_override: + 'First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process.', + }, + { + as: 'session_leader', + at: 'process', + full: 'process.session_leader', + short_override: + 'Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux', + }, + { + as: 'group_leader', + at: 'process', + full: 'process.group_leader', + short_override: + 'Information about the process group leader. In some cases this may be the same as the top level process.', + }, + { + as: 'group_leader', + at: 'process.parent', + full: 'process.parent.group_leader', + short_override: + "Information about the parent's process group leader. Only pid, start and entity_id fields are set.", + }, + { + as: 'parent', + at: 'process.entry_leader', + full: 'process.entry_leader.parent', + short_override: + "Information about the entry leader's parent process. Only pid, start and entity_id fields are set.", + }, + { + as: 'parent', + at: 'process.session_leader', + full: 'process.session_leader.parent', + short_override: + "Information about the session leader's parent process. 
Only pid, start and entity_id fields are set.", + }, + { + as: 'session_leader', + at: 'process.entry_leader.parent', + full: 'process.entry_leader.parent.session_leader', + short_override: + 'Information about the parent session of the entry leader. Only pid, start and entity_id fields are set.', + }, + { + as: 'session_leader', + at: 'process.session_leader.parent', + full: 'process.session_leader.parent.session_leader', + short_override: + 'Information about the parent session of the session leader. Only pid, start and entity_id fields are set.', + }, + { + as: 'previous', + at: 'process', + full: 'process.previous', + normalize: ['array'], + short_override: + 'An array of previous executions for the process, including the initial fork. Only executable and args are set.', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'process.group', + schema_name: 'group', + short: 'The effective group (egid).', + }, + { + full: 'process.real_group', + schema_name: 'group', + short: 'The real group (rgid).', + }, + { + full: 'process.saved_group', + schema_name: 'group', + short: 'The saved group (sgid).', + }, + { + full: 'process.supplemental_groups', + normalize: ['array'], + schema_name: 'group', + short: 'An array of supplemental groups.', + }, + { + beta: 'Reusing the `group` fields in this location is currently considered beta.', + full: 'process.attested_groups', + normalize: ['array'], + schema_name: 'group', + short: 'The externally attested groups based on an external source such as the Kube API.', + }, + { + full: 'process.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + { + full: 'process.pe', + schema_name: 'pe', + short: 'These fields contain Windows Portable Executable (PE) metadata.', + }, + { + full: 'process.code_signature', + schema_name: 'code_signature', + short: 'These fields contain information about binary code signatures.', + }, + { + beta: 'This field reuse is beta and subject to change.', + full: 
'process.elf', + schema_name: 'elf', + short: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + }, + { + full: 'process.entry_meta.source', + schema_name: 'source', + short: 'Remote client information such as ip, port and geo location.', + }, + { + full: 'process.user', + schema_name: 'user', + short: 'The effective user (euid).', + }, + { + full: 'process.saved_user', + schema_name: 'user', + short: 'The saved user (suid).', + }, + { + full: 'process.real_user', + schema_name: 'user', + short: 'The real user (ruid). Identifies the real owner of the process.', + }, + { + beta: 'Reusing the `user` fields in this location is currently considered beta.', + full: 'process.attested_user', + schema_name: 'user', + short: 'The externally attested user based on an external source such as the Kube API.', + }, + { + full: 'process.parent', + schema_name: 'process', + short: 'Information about the parent process.', + }, + { + full: 'process.entry_leader', + schema_name: 'process', + short: + 'First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process.', + }, + { + full: 'process.session_leader', + schema_name: 'process', + short: + 'Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux', + }, + { + full: 'process.group_leader', + schema_name: 'process', + short: + 'Information about the process group leader. In some cases this may be the same as the top level process.', + }, + { + full: 'process.parent.group_leader', + schema_name: 'process', + short: + "Information about the parent's process group leader. Only pid, start and entity_id fields are set.", + }, + { + full: 'process.entry_leader.parent', + schema_name: 'process', + short: + "Information about the entry leader's parent process. 
Only pid, start and entity_id fields are set.", + }, + { + full: 'process.session_leader.parent', + schema_name: 'process', + short: + "Information about the session leader's parent process. Only pid, start and entity_id fields are set.", + }, + { + full: 'process.entry_leader.parent.session_leader', + schema_name: 'process', + short: + 'Information about the parent session of the entry leader. Only pid, start and entity_id fields are set.', + }, + { + full: 'process.session_leader.parent.session_leader', + schema_name: 'process', + short: + 'Information about the parent session of the session leader. Only pid, start and entity_id fields are set.', + }, + { + full: 'process.previous', + normalize: ['array'], + schema_name: 'process', + short: + 'An array of previous executions for the process, including the initial fork. Only executable and args are set.', + }, + ], + short: 'These fields contain information about a process.', + title: 'Process', + type: 'group', + }, + registry: { + description: 'Fields related to Windows Registry operations.', + fields: { + 'registry.data.bytes': { + dashed_name: 'registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'registry.data.strings': { + dashed_name: 'registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'registry.data.type': { + dashed_name: 'registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'registry.hive': { + dashed_name: 'registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'registry.hive', + ignore_above: 1024, + level: 'core', + name: 'hive', + normalize: [], + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'registry.key': { + dashed_name: 'registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'registry.path': { + dashed_name: 'registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'registry.path', + ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'registry.value': { + dashed_name: 'registry-value', + description: 'Name of the value written.', + example: 'Debugger', + 
flat_name: 'registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + short: 'Name of the value written.', + type: 'keyword', + }, + }, + group: 2, + name: 'registry', + prefix: 'registry.', + reusable: { + expected: [ + { + as: 'registry', + at: 'threat.indicator', + full: 'threat.indicator.registry', + }, + { + as: 'registry', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.registry', + }, + ], + top_level: true, + }, + short: 'Fields related to Windows Registry operations.', + title: 'Registry', + type: 'group', + }, + related: { + description: + 'This field set is meant to facilitate pivoting around a piece of data.\nSome pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.\nA concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.', + fields: { + 'related.hash': { + dashed_name: 'related-hash', + description: + "All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).", + flat_name: 'related.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: ['array'], + short: 'All the hashes seen on your event.', + type: 'keyword', + }, + 'related.hosts': { + dashed_name: 'related-hosts', + description: + 'All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases.', + flat_name: 'related.hosts', + ignore_above: 1024, + level: 'extended', + name: 'hosts', + normalize: ['array'], + short: 'All the host identifiers seen on your event.', + type: 'keyword', + }, + 'related.ip': { + dashed_name: 'related-ip', + description: 'All of the IPs seen on your event.', + flat_name: 'related.ip', + level: 'extended', + name: 'ip', + normalize: ['array'], + short: 'All of the IPs seen on your event.', + type: 'ip', + }, + 'related.user': { + dashed_name: 'related-user', + description: 'All the user names or other user identifiers seen on the event.', + flat_name: 'related.user', + ignore_above: 1024, + level: 'extended', + name: 'user', + normalize: ['array'], + short: 'All the user names or other user identifiers seen on the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'related', + prefix: 'related.', + short: 'Fields meant to facilitate pivoting around a piece of data.', + title: 'Related', + type: 'group', + }, + risk: { + beta: 'These fields are in beta and are subject to change.', + description: + 'Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. 
Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk.', + fields: { + 'risk.calculated_level': { + dashed_name: 'risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'keyword', + }, + 'risk.calculated_score': { + dashed_name: 'risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'risk.calculated_score_norm': { + dashed_name: 'risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.', + example: 88.73, + flat_name: 'risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'risk.static_level': { + dashed_name: 'risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 'High', + flat_name: 'risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + short: + 'A risk classification level obtained from outside the system, such as from some external Threat 
Intelligence Platform.', + type: 'keyword', + }, + 'risk.static_score': { + dashed_name: 'risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + short: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'risk.static_score_norm': { + dashed_name: 'risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + }, + group: 2, + name: 'risk', + prefix: 'risk.', + reusable: { + expected: [ + { as: 'risk', at: 'host', full: 'host.risk' }, + { as: 'risk', at: 'user', full: 'user.risk' }, + ], + top_level: false, + }, + short: 'Fields for describing risk score and level.', + title: 'Risk information', + type: 'group', + }, + rule: { + description: + 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.\nExamples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.', + fields: { + 'rule.author': { + dashed_name: 'rule-author', + description: + 'Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.', + example: '["Star-Lord"]', + flat_name: 'rule.author', + ignore_above: 1024, + level: 'extended', + name: 'author', + 
normalize: ['array'], + short: 'Rule author', + type: 'keyword', + }, + 'rule.category': { + dashed_name: 'rule-category', + description: + 'A categorization value keyword used by the entity using the rule for detection of this event.', + example: 'Attempted Information Leak', + flat_name: 'rule.category', + ignore_above: 1024, + level: 'extended', + name: 'category', + normalize: [], + short: 'Rule category', + type: 'keyword', + }, + 'rule.description': { + dashed_name: 'rule-description', + description: 'The description of the rule generating the event.', + example: 'Block requests to public DNS over HTTPS / TLS protocols', + flat_name: 'rule.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Rule description', + type: 'keyword', + }, + 'rule.id': { + dashed_name: 'rule-id', + description: + 'A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.', + example: 101, + flat_name: 'rule.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Rule ID', + type: 'keyword', + }, + 'rule.license': { + dashed_name: 'rule-license', + description: + 'Name of the license under which the rule used to generate this event is made available.', + example: 'Apache 2.0', + flat_name: 'rule.license', + ignore_above: 1024, + level: 'extended', + name: 'license', + normalize: [], + short: 'Rule license', + type: 'keyword', + }, + 'rule.name': { + dashed_name: 'rule-name', + description: 'The name of the rule or signature generating the event.', + example: 'BLOCK_DNS_over_TLS', + flat_name: 'rule.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Rule name', + type: 'keyword', + }, + 'rule.reference': { + dashed_name: 'rule-reference', + description: + "Reference URL to additional information about the rule used to generate this event.\nThe URL can point to the vendor's documentation 
about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.", + example: 'https://en.wikipedia.org/wiki/DNS_over_TLS', + flat_name: 'rule.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Rule reference URL', + type: 'keyword', + }, + 'rule.ruleset': { + dashed_name: 'rule-ruleset', + description: + 'Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.', + example: 'Standard_Protocol_Filters', + flat_name: 'rule.ruleset', + ignore_above: 1024, + level: 'extended', + name: 'ruleset', + normalize: [], + short: 'Rule ruleset', + type: 'keyword', + }, + 'rule.uuid': { + dashed_name: 'rule-uuid', + description: + 'A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.', + example: 1100110011, + flat_name: 'rule.uuid', + ignore_above: 1024, + level: 'extended', + name: 'uuid', + normalize: [], + short: 'Rule UUID', + type: 'keyword', + }, + 'rule.version': { + dashed_name: 'rule-version', + description: 'The version / revision of the rule being used for analysis.', + example: 1.1, + flat_name: 'rule.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Rule version', + type: 'keyword', + }, + }, + group: 2, + name: 'rule', + prefix: 'rule.', + short: 'Fields to capture details about rules used to generate alerts or other notable events.', + title: 'Rule', + type: 'group', + }, + server: { + description: + 'A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.\nFor TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. 
Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.\nClient / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.', + fields: { + 'server.address': { + dashed_name: 'server-address', + description: + 'Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'server.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Server network address.', + type: 'keyword', + }, + 'server.as.number': { + dashed_name: 'server-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'server.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'server.as.organization.name': { + dashed_name: 'server-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'server.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'server.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'server.bytes': { + dashed_name: 'server-bytes', + description: 'Bytes sent from the server to the client.', + example: 184, + flat_name: 'server.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the server to the client.', + type: 'long', + }, + 'server.domain': { + dashed_name: 'server-domain', + description: + 'The domain name of the server system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'server.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the server.', + type: 'keyword', + }, + 'server.geo.city_name': { + dashed_name: 'server-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'server.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'server.geo.continent_code': { + dashed_name: 'server-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'server.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'server.geo.continent_name': { + dashed_name: 'server-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'server.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'server.geo.country_iso_code': { + dashed_name: 'server-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'server.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'server.geo.country_name': { + dashed_name: 'server-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'server.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'server.geo.location': { 
+ dashed_name: 'server-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'server.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'server.geo.name': { + dashed_name: 'server-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'server.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'server.geo.postal_code': { + dashed_name: 'server-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'server.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'server.geo.region_iso_code': { + dashed_name: 'server-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'server.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'server.geo.region_name': { + dashed_name: 'server-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'server.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'server.geo.timezone': { + dashed_name: 'server-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'server.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'server.ip': { + dashed_name: 'server-ip', + description: 'IP address of the server (IPv4 or IPv6).', + flat_name: 'server.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the server.', + type: 'ip', + }, + 'server.mac': { + dashed_name: 'server-mac', + description: + 'MAC address of the server.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'server.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the server.', + type: 'keyword', + }, + 'server.nat.ip': { + dashed_name: 'server-nat-ip', + description: + 'Translated ip of destination based NAT sessions (e.g. internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'server.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Server NAT ip', + type: 'ip', + }, + 'server.nat.port': { + dashed_name: 'server-nat-port', + description: + 'Translated port of destination based NAT sessions (e.g. 
internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'server.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Server NAT port', + type: 'long', + }, + 'server.packets': { + dashed_name: 'server-packets', + description: 'Packets sent from the server to the client.', + example: 12, + flat_name: 'server.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the server to the client.', + type: 'long', + }, + 'server.port': { + dashed_name: 'server-port', + description: 'Port of the server.', + flat_name: 'server.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the server.', + type: 'long', + }, + 'server.registered_domain': { + dashed_name: 'server-registered-domain', + description: + 'The highest registered server domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'server.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered server domain, stripped of the subdomain.', + type: 'keyword', + }, + 'server.subdomain': { + dashed_name: 'server-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'server.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'server.top_level_domain': { + dashed_name: 'server-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'server.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'server.user.domain': { + dashed_name: 'server-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'server.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'server.user.email': { + dashed_name: 'server-user-email', + description: 'User email address.', + flat_name: 'server.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'server.user.full_name': { + dashed_name: 'server-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'server.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'server.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'server.user.group.domain': { + dashed_name: 'server-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'server.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'server.user.group.id': { + dashed_name: 'server-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'server.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'server.user.group.name': { + dashed_name: 'server-user-group-name', + description: 'Name of the group.', + flat_name: 'server.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'server.user.hash': { + dashed_name: 'server-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'server.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'server.user.id': { + dashed_name: 'server-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'server.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'server.user.name': { + dashed_name: 'server-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'server.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'server.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'server.user.roles': { + dashed_name: 'server-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'server.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'server', + nestings: ['server.as', 'server.geo', 'server.user'], + prefix: 'server.', + reused_here: [ + { + full: 'server.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'server.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'server.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the server side of a network connection, used with client.', + title: 'Server', + type: 'group', + }, + service: { + description: + 'The service fields describe the service for or from which the data was collected.\nThese fields help you find and correlate logs for a specific service and version.', + fields: { + 'service.address': { + dashed_name: 'service-address', + description: + 'Address 
where data about this service was collected from.\nThis should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Address of this service.', + type: 'keyword', + }, + 'service.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.ephemeral_id': { + dashed_name: 'service-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.id': { + dashed_name: 'service-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.name': { + dashed_name: 'service-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the service.', + type: 'keyword', + }, + 'service.node.name': { + dashed_name: 'service-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.node.role': { + dashed_name: 'service-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.node.roles': { + dashed_name: 'service-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.origin.address': { + dashed_name: 'service-origin-address', + description: + 'Address where data about this service was collected from.\nThis should be a URI, 
network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.origin.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + original_fieldset: 'service', + short: 'Address of this service.', + type: 'keyword', + }, + 'service.origin.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-origin-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.origin.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + original_fieldset: 'service', + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.origin.ephemeral_id': { + dashed_name: 'service-origin-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.origin.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + original_fieldset: 'service', + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.origin.id': { + dashed_name: 'service-origin-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.origin.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'service', + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.origin.name': { + dashed_name: 'service-origin-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.origin.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service.', + type: 'keyword', + }, + 'service.origin.node.name': { + dashed_name: 'service-origin-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.origin.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.origin.node.role': { + dashed_name: 'service-origin-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.origin.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + original_fieldset: 'service', + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.origin.node.roles': { + dashed_name: 'service-origin-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.origin.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + original_fieldset: 'service', + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.origin.state': { + 
dashed_name: 'service-origin-state', + description: 'Current state of the service.', + flat_name: 'service.origin.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + original_fieldset: 'service', + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.origin.type': { + dashed_name: 'service-origin-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.origin.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + original_fieldset: 'service', + short: 'The type of the service.', + type: 'keyword', + }, + 'service.origin.version': { + dashed_name: 'service-origin-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + example: '3.2.4', + flat_name: 'service.origin.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + original_fieldset: 'service', + short: 'Version of the service.', + type: 'keyword', + }, + 'service.state': { + dashed_name: 'service-state', + description: 'Current state of the service.', + flat_name: 'service.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.target.address': { + dashed_name: 'service-target-address', + description: + 'Address where data about this service was collected from.\nThis should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.target.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + original_fieldset: 'service', + short: 
'Address of this service.', + type: 'keyword', + }, + 'service.target.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-target-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.target.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + original_fieldset: 'service', + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.target.ephemeral_id': { + dashed_name: 'service-target-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.target.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + original_fieldset: 'service', + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.target.id': { + dashed_name: 'service-target-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.target.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'service', + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.target.name': { + dashed_name: 'service-target-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.target.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service.', + type: 'keyword', + }, + 'service.target.node.name': { + dashed_name: 'service-target-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.target.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.target.node.role': { + dashed_name: 'service-target-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.target.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + original_fieldset: 'service', + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.target.node.roles': { + dashed_name: 'service-target-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.target.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + original_fieldset: 'service', + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.target.state': { + 
dashed_name: 'service-target-state', + description: 'Current state of the service.', + flat_name: 'service.target.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + original_fieldset: 'service', + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.target.type': { + dashed_name: 'service-target-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.target.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + original_fieldset: 'service', + short: 'The type of the service.', + type: 'keyword', + }, + 'service.target.version': { + dashed_name: 'service-target-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + example: '3.2.4', + flat_name: 'service.target.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + original_fieldset: 'service', + short: 'Version of the service.', + type: 'keyword', + }, + 'service.type': { + dashed_name: 'service-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'The type of the service.', + type: 'keyword', + }, + 'service.version': { + dashed_name: 'service-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + 
example: '3.2.4', + flat_name: 'service.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Version of the service.', + type: 'keyword', + }, + }, + footnote: + 'The service fields may be self-nested under service.origin.* and service.target.* to describe origin or target services in the context of incoming or outgoing requests, respectively. However, the fieldsets service.origin.* and service.target.* must not be confused with the root service fieldset that is used to describe the actual service under observation. The fieldset service.origin.* may only be used in the context of incoming requests or events to describe the originating service of the request. The fieldset service.target.* may only be used in the context of outgoing requests or events to describe the target service of the request.', + group: 2, + name: 'service', + nestings: ['service.origin', 'service.target'], + prefix: 'service.', + reusable: { + expected: [ + { + as: 'origin', + at: 'service', + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.origin', + short_override: 'Describes the origin service in case of an incoming request or event.', + }, + { + as: 'target', + at: 'service', + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.target', + short_override: 'Describes the target service in case of an outgoing request or event.', + }, + ], + top_level: true, + }, + reused_here: [ + { + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.origin', + schema_name: 'service', + short: 'Describes the origin service in case of an incoming request or event.', + }, + { + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.target', + schema_name: 'service', + short: 'Describes the target service in case of an outgoing request or event.', + }, + ], + short: 
'Fields describing the service for or from which the data was collected.', + title: 'Service', + type: 'group', + }, + source: { + description: + 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.\nSource fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.', + fields: { + 'source.address': { + dashed_name: 'source-address', + description: + 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'source.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Source network address.', + type: 'keyword', + }, + 'source.as.number': { + dashed_name: 'source-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'source.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'source.as.organization.name': { + dashed_name: 'source-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'source.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'source.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'source.bytes': { + dashed_name: 'source-bytes', + description: 'Bytes sent from the source to the destination.', + example: 184, + flat_name: 'source.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the source to the destination.', + type: 'long', + }, + 'source.domain': { + dashed_name: 'source-domain', + description: + 'The domain name of the source system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'source.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the source.', + type: 'keyword', + }, + 'source.geo.city_name': { + dashed_name: 'source-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'source.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'source.geo.continent_code': { + dashed_name: 'source-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'source.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'source.geo.continent_name': { + dashed_name: 'source-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'source.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'source.geo.country_iso_code': { + dashed_name: 'source-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'source.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'source.geo.country_name': { + dashed_name: 'source-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'source.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'source.geo.location': { 
+ dashed_name: 'source-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'source.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'source.geo.name': { + dashed_name: 'source-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'source.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'source.geo.postal_code': { + dashed_name: 'source-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'source.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'source.geo.region_iso_code': { + dashed_name: 'source-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'source.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'source.geo.region_name': { + dashed_name: 'source-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'source.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'source.geo.timezone': { + dashed_name: 'source-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'source.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'source.ip': { + dashed_name: 'source-ip', + description: 'IP address of the source (IPv4 or IPv6).', + flat_name: 'source.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the source.', + type: 'ip', + }, + 'source.mac': { + dashed_name: 'source-mac', + description: + 'MAC address of the source.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'source.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the source.', + type: 'keyword', + }, + 'source.nat.ip': { + dashed_name: 'source-nat-ip', + description: + 'Translated ip of source based NAT sessions (e.g. internal client to internet)\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'source.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Source NAT ip', + type: 'ip', + }, + 'source.nat.port': { + dashed_name: 'source-nat-port', + description: + 'Translated port of source based NAT sessions. (e.g. 
internal client to internet)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'source.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Source NAT port', + type: 'long', + }, + 'source.packets': { + dashed_name: 'source-packets', + description: 'Packets sent from the source to the destination.', + example: 12, + flat_name: 'source.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the source to the destination.', + type: 'long', + }, + 'source.port': { + dashed_name: 'source-port', + description: 'Port of the source.', + flat_name: 'source.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the source.', + type: 'long', + }, + 'source.registered_domain': { + dashed_name: 'source-registered-domain', + description: + 'The highest registered source domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'source.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered source domain, stripped of the subdomain.', + type: 'keyword', + }, + 'source.subdomain': { + dashed_name: 'source-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'source.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'source.top_level_domain': { + dashed_name: 'source-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'source.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'source.user.domain': { + dashed_name: 'source-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'source.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'source.user.email': { + dashed_name: 'source-user-email', + description: 'User email address.', + flat_name: 'source.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'source.user.full_name': { + dashed_name: 'source-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'source.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'source.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'source.user.group.domain': { + dashed_name: 'source-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'source.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'source.user.group.id': { + dashed_name: 'source-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'source.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'source.user.group.name': { + dashed_name: 'source-user-group-name', + description: 'Name of the group.', + flat_name: 'source.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'source.user.hash': { + dashed_name: 'source-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'source.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'source.user.id': { + dashed_name: 'source-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'source.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'source.user.name': { + dashed_name: 'source-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'source.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'source.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'source.user.roles': { + dashed_name: 'source-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'source.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'source', + nestings: ['source.as', 'source.geo', 'source.user'], + prefix: 'source.', + reusable: { + expected: [ + { + as: 'source', + at: 'process.entry_meta', + full: 'process.entry_meta.source', + short_override: 'Remote client information such as ip, port and geo location.', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'source.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'source.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'source.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the source side of a network connection, used with destination.', + title: 'Source', + type: 'group', + }, + threat: { + description: + 'Fields to classify events and 
alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.\nThese fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").', + fields: { + 'threat.enrichments': { + dashed_name: 'threat-enrichments', + description: + 'A list of associated indicators objects enriching the event, and the context of that association/enrichment.', + flat_name: 'threat.enrichments', + level: 'extended', + name: 'enrichments', + normalize: ['array'], + short: 'List of objects containing indicators enriching the event.', + type: 'nested', + }, + 'threat.enrichments.indicator': { + dashed_name: 'threat-enrichments-indicator', + description: 'Object containing associated indicators enriching the event.', + flat_name: 'threat.enrichments.indicator', + level: 'extended', + name: 'enrichments.indicator', + normalize: [], + short: 'Object containing indicators enriching the event.', + type: 'object', + }, + 'threat.enrichments.indicator.as.number': { + dashed_name: 'threat-enrichments-indicator-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'threat.enrichments.indicator.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'threat.enrichments.indicator.as.organization.name': { + dashed_name: 'threat-enrichments-indicator-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'threat.enrichments.indicator.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.confidence': { + dashed_name: 'threat-enrichments-indicator-confidence', + description: + 'Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. 
Vendor-specific confidence scales may be added as custom fields.', + example: 'Medium', + expected_values: ['Not Specified', 'None', 'Low', 'Medium', 'High'], + flat_name: 'threat.enrichments.indicator.confidence', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.confidence', + normalize: [], + short: 'Indicator confidence rating', + type: 'keyword', + }, + 'threat.enrichments.indicator.description': { + dashed_name: 'threat-enrichments-indicator-description', + description: 'Describes the type of action conducted by the threat.', + example: 'IP x.x.x.x was observed delivering the Angler EK.', + flat_name: 'threat.enrichments.indicator.description', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.description', + normalize: [], + short: 'Indicator description', + type: 'keyword', + }, + 'threat.enrichments.indicator.email.address': { + dashed_name: 'threat-enrichments-indicator-email-address', + description: + 'Identifies a threat indicator as an email address (irrespective of direction).', + example: 'phish@example.com', + flat_name: 'threat.enrichments.indicator.email.address', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.email.address', + normalize: [], + short: 'Indicator email address', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.accessed': { + dashed_name: 'threat-enrichments-indicator-file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'threat.enrichments.indicator.file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file was accessed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.attributes': { + dashed_name: 'threat-enrichments-indicator-file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'threat.enrichments.indicator.file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + original_fieldset: 'file', + short: 'Array of file attributes.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'threat.enrichments.indicator.file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.exists': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.code_signature.signing_id': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'threat.enrichments.indicator.file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.status': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'threat.enrichments.indicator.file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.subject_name': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'threat.enrichments.indicator.file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.team_id': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'threat.enrichments.indicator.file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.timestamp': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'threat.enrichments.indicator.file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.code_signature.trusted': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.code_signature.valid': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the 
digital signature is verified against the binary content.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.created': { + dashed_name: 'threat-enrichments-indicator-file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'threat.enrichments.indicator.file.created', + level: 'extended', + name: 'created', + normalize: [], + original_fieldset: 'file', + short: 'File creation time.', + type: 'date', + }, + 'threat.enrichments.indicator.file.ctime': { + dashed_name: 'threat-enrichments-indicator-file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'threat.enrichments.indicator.file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.device': { + dashed_name: 'threat-enrichments-indicator-file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'threat.enrichments.indicator.file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + original_fieldset: 'file', + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.directory': { + dashed_name: 'threat-enrichments-indicator-file-directory', + description: + 'Directory where the file is located. 
It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'threat.enrichments.indicator.file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + original_fieldset: 'file', + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.drive_letter': { + dashed_name: 'threat-enrichments-indicator-file-drive-letter', + description: + 'Drive letter where the file is located. This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'threat.enrichments.indicator.file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + original_fieldset: 'file', + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.architecture': { + dashed_name: 'threat-enrichments-indicator-file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'threat.enrichments.indicator.file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.byte_order': { + dashed_name: 'threat-enrichments-indicator-file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'threat.enrichments.indicator.file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.cpu_type': { + dashed_name: 'threat-enrichments-indicator-file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 
'threat.enrichments.indicator.file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.creation_date': { + dashed_name: 'threat-enrichments-indicator-file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.", + flat_name: 'threat.enrichments.indicator.file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'threat.enrichments.indicator.file.elf.exports': { + dashed_name: 'threat-enrichments-indicator-file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'threat.enrichments.indicator.file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'threat.enrichments.indicator.file.elf.header.abi_version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'threat.enrichments.indicator.file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.class': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class 
of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.data': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'threat.enrichments.indicator.file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.entrypoint': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.header.object_version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'threat.enrichments.indicator.file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.os_abi': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'threat.enrichments.indicator.file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-type', + description: 'Header type of the ELF file.', 
+ flat_name: 'threat.enrichments.indicator.file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'threat.enrichments.indicator.file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.imports': { + dashed_name: 'threat-enrichments-indicator-file-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'threat.enrichments.indicator.file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'threat.enrichments.indicator.file.elf.sections': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'threat.enrichments.indicator.file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'threat.enrichments.indicator.file.elf.sections.chi2': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 
'Chi-square probability distribution of the section.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.entropy': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.flags': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.name': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.physical_offset': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.physical_size': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-physical-size', + description: 'ELF Section 
List physical size.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_address': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_size': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.segments': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'threat.enrichments.indicator.file.elf.segments', + level: 
'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'threat.enrichments.indicator.file.elf.segments.sections': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'threat.enrichments.indicator.file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.segments.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'threat.enrichments.indicator.file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.shared_libraries': { + dashed_name: 'threat-enrichments-indicator-file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'threat.enrichments.indicator.file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.telfhash': { + dashed_name: 'threat-enrichments-indicator-file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.extension': { + dashed_name: 'threat-enrichments-indicator-file-extension', 
+ description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.enrichments.indicator.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'file', + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.fork_name': { + dashed_name: 'threat-enrichments-indicator-file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. 
The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'threat.enrichments.indicator.file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + original_fieldset: 'file', + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.gid': { + dashed_name: 'threat-enrichments-indicator-file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'threat.enrichments.indicator.file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + original_fieldset: 'file', + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.group': { + dashed_name: 'threat-enrichments-indicator-file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'threat.enrichments.indicator.file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + original_fieldset: 'file', + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.md5': { + dashed_name: 'threat-enrichments-indicator-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha1': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha256': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha256', + description: 
'SHA256 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha384': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha512': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.ssdeep': { + dashed_name: 'threat-enrichments-indicator-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'threat.enrichments.indicator.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.tlsh': { + dashed_name: 'threat-enrichments-indicator-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'threat.enrichments.indicator.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.inode': { + dashed_name: 'threat-enrichments-indicator-file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'threat.enrichments.indicator.file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + 
normalize: [], + original_fieldset: 'file', + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mime_type': { + dashed_name: 'threat-enrichments-indicator-file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.', + flat_name: 'threat.enrichments.indicator.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + original_fieldset: 'file', + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mode': { + dashed_name: 'threat-enrichments-indicator-file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'threat.enrichments.indicator.file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + original_fieldset: 'file', + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mtime': { + dashed_name: 'threat-enrichments-indicator-file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'threat.enrichments.indicator.file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file content was modified.', + type: 'date', + }, + 'threat.enrichments.indicator.file.name': { + dashed_name: 'threat-enrichments-indicator-file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'threat.enrichments.indicator.file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'file', + short: 'Name of the file including the extension, 
without the directory.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.owner': { + dashed_name: 'threat-enrichments-indicator-file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'threat.enrichments.indicator.file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + original_fieldset: 'file', + short: "File owner's username.", + type: 'keyword', + }, + 'threat.enrichments.indicator.file.path': { + dashed_name: 'threat-enrichments-indicator-file-path', + description: + 'Full path to the file, including the file name. It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'threat.enrichments.indicator.file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + original_fieldset: 'file', + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.architecture': { + dashed_name: 'threat-enrichments-indicator-file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'threat.enrichments.indicator.file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.company': { + dashed_name: 'threat-enrichments-indicator-file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'threat.enrichments.indicator.file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + 
type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.description': { + dashed_name: 'threat-enrichments-indicator-file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'threat.enrichments.indicator.file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.file_version': { + dashed_name: 'threat-enrichments-indicator-file-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'threat.enrichments.indicator.file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.imphash': { + dashed_name: 'threat-enrichments-indicator-file-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'threat.enrichments.indicator.file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.original_file_name': { + dashed_name: 'threat-enrichments-indicator-file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'threat.enrichments.indicator.file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.pehash': { + dashed_name: 'threat-enrichments-indicator-file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'threat.enrichments.indicator.file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.product': { + dashed_name: 'threat-enrichments-indicator-file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'threat.enrichments.indicator.file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.size': { + dashed_name: 'threat-enrichments-indicator-file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'threat.enrichments.indicator.file.size', + level: 'extended', + name: 'size', + normalize: [], + original_fieldset: 'file', + short: 'File size in bytes.', + type: 'long', + }, + 'threat.enrichments.indicator.file.target_path': { + dashed_name: 'threat-enrichments-indicator-file-target-path', + description: 'Target path for symlinks.', + flat_name: 'threat.enrichments.indicator.file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + original_fieldset: 'file', + short: 'Target path for symlinks.', + type: 'keyword', + }, + 
'threat.enrichments.indicator.file.type': { + dashed_name: 'threat-enrichments-indicator-file-type', + description: 'File type (file, dir, or symlink).', + example: 'file', + flat_name: 'threat.enrichments.indicator.file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'file', + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.uid': { + dashed_name: 'threat-enrichments-indicator-file-uid', + description: 'The user ID (UID) or security identifier (SID) of the file owner.', + example: '1001', + flat_name: 'threat.enrichments.indicator.file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + original_fieldset: 'file', + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.alternative_names': { + dashed_name: 'threat-enrichments-indicator-file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.enrichments.indicator.file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.common_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.country': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 
'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.locality': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.organization': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 
'threat.enrichments.indicator.file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.not_after': { + dashed_name: 'threat-enrichments-indicator-file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.enrichments.indicator.file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.file.x509.not_before': { + dashed_name: 'threat-enrichments-indicator-file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.enrichments.indicator.file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.file.x509.public_key_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.enrichments.indicator.file.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.public_key_curve': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. 
This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.enrichments.indicator.file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.public_key_exponent': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.enrichments.indicator.file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.enrichments.indicator.file.x509.public_key_size': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.enrichments.indicator.file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.enrichments.indicator.file.x509.serial_number': { + dashed_name: 'threat-enrichments-indicator-file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.enrichments.indicator.file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.signature_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.enrichments.indicator.file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.common_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.enrichments.indicator.file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.country': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.enrichments.indicator.file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 
'List of country \\(C) code', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.enrichments.indicator.file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.locality': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.enrichments.indicator.file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.organization': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.enrichments.indicator.file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.enrichments.indicator.file.x509.subject.organizational_unit', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.state_or_province': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.version_number': { + dashed_name: 'threat-enrichments-indicator-file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.enrichments.indicator.file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.enrichments.indicator.first_seen': { + dashed_name: 'threat-enrichments-indicator-first-seen', + description: + 'The date and time when intelligence source first reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.enrichments.indicator.first_seen', + level: 'extended', + name: 'enrichments.indicator.first_seen', + normalize: [], + short: 'Date/time indicator was first reported.', + type: 'date', + }, + 'threat.enrichments.indicator.geo.city_name': { + dashed_name: 'threat-enrichments-indicator-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'threat.enrichments.indicator.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, 
+ 'threat.enrichments.indicator.geo.continent_code': { + dashed_name: 'threat-enrichments-indicator-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'threat.enrichments.indicator.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.continent_name': { + dashed_name: 'threat-enrichments-indicator-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'threat.enrichments.indicator.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.country_iso_code': { + dashed_name: 'threat-enrichments-indicator-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'threat.enrichments.indicator.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.country_name': { + dashed_name: 'threat-enrichments-indicator-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'threat.enrichments.indicator.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.location': { + dashed_name: 'threat-enrichments-indicator-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'threat.enrichments.indicator.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + 
short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'threat.enrichments.indicator.geo.name': { + dashed_name: 'threat-enrichments-indicator-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'threat.enrichments.indicator.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.postal_code': { + dashed_name: 'threat-enrichments-indicator-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'threat.enrichments.indicator.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.region_iso_code': { + dashed_name: 'threat-enrichments-indicator-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'threat.enrichments.indicator.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.region_name': { + dashed_name: 'threat-enrichments-indicator-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'threat.enrichments.indicator.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 
'keyword', + }, + 'threat.enrichments.indicator.geo.timezone': { + dashed_name: 'threat-enrichments-indicator-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'threat.enrichments.indicator.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'threat.enrichments.indicator.ip': { + dashed_name: 'threat-enrichments-indicator-ip', + description: 'Identifies a threat indicator as an IP address (irrespective of direction).', + example: '1.2.3.4', + flat_name: 'threat.enrichments.indicator.ip', + level: 'extended', + name: 'enrichments.indicator.ip', + normalize: [], + short: 'Indicator IP address', + type: 'ip', + }, + 'threat.enrichments.indicator.last_seen': { + dashed_name: 'threat-enrichments-indicator-last-seen', + description: + 'The date and time when intelligence source last reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.enrichments.indicator.last_seen', + level: 'extended', + name: 'enrichments.indicator.last_seen', + normalize: [], + short: 'Date/time indicator was last reported.', + type: 'date', + }, + 'threat.enrichments.indicator.marking.tlp.version': { + dashed_name: 'threat-enrichments-indicator-marking-tlp-version', + description: 'Traffic Light Protocol version.', + example: 2, + flat_name: 'threat.enrichments.indicator.marking.tlp.version', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.marking.tlp.version', + normalize: [], + short: 'Indicator TLP version', + type: 'keyword', + }, + 'threat.enrichments.indicator.modified_at': { + dashed_name: 'threat-enrichments-indicator-modified-at', + description: + 'The date and time when intelligence source last modified information for this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 
'threat.enrichments.indicator.modified_at', + level: 'extended', + name: 'enrichments.indicator.modified_at', + normalize: [], + short: 'Date/time indicator was last updated.', + type: 'date', + }, + 'threat.enrichments.indicator.port': { + dashed_name: 'threat-enrichments-indicator-port', + description: 'Identifies a threat indicator as a port number (irrespective of direction).', + example: 443, + flat_name: 'threat.enrichments.indicator.port', + level: 'extended', + name: 'enrichments.indicator.port', + normalize: [], + short: 'Indicator port', + type: 'long', + }, + 'threat.enrichments.indicator.provider': { + dashed_name: 'threat-enrichments-indicator-provider', + description: "The name of the indicator's provider.", + example: 'lrz_urlhaus', + flat_name: 'threat.enrichments.indicator.provider', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.provider', + normalize: [], + short: 'Indicator provider', + type: 'keyword', + }, + 'threat.enrichments.indicator.reference': { + dashed_name: 'threat-enrichments-indicator-reference', + description: 'Reference URL linking to additional information about this indicator.', + example: 'https://system.example.com/indicator/0001234', + flat_name: 'threat.enrichments.indicator.reference', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.reference', + normalize: [], + short: 'Indicator reference URL', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.data.bytes': { + dashed_name: 'threat-enrichments-indicator-registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'threat.enrichments.indicator.registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + original_fieldset: 'registry', + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.data.strings': { + dashed_name: 'threat-enrichments-indicator-registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'threat.enrichments.indicator.registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + original_fieldset: 'registry', + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.registry.data.type': { + dashed_name: 'threat-enrichments-indicator-registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'threat.enrichments.indicator.registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + original_fieldset: 'registry', + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.hive': { + dashed_name: 'threat-enrichments-indicator-registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'threat.enrichments.indicator.registry.hive', + ignore_above: 1024, + 
level: 'core', + name: 'hive', + normalize: [], + original_fieldset: 'registry', + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.key': { + dashed_name: 'threat-enrichments-indicator-registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'threat.enrichments.indicator.registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + original_fieldset: 'registry', + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.path': { + dashed_name: 'threat-enrichments-indicator-registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'threat.enrichments.indicator.registry.path', + ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + original_fieldset: 'registry', + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.value': { + dashed_name: 'threat-enrichments-indicator-registry-value', + description: 'Name of the value written.', + example: 'Debugger', + flat_name: 'threat.enrichments.indicator.registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + original_fieldset: 'registry', + short: 'Name of the value written.', + type: 'keyword', + }, + 'threat.enrichments.indicator.scanner_stats': { + dashed_name: 'threat-enrichments-indicator-scanner-stats', + description: 'Count of AV/EDR vendors that successfully detected malicious file or URL.', + example: 4, + flat_name: 'threat.enrichments.indicator.scanner_stats', + level: 'extended', + name: 'enrichments.indicator.scanner_stats', + normalize: [], + short: 'Scanner statistics', + type: 'long', + }, + 
'threat.enrichments.indicator.sightings': { + dashed_name: 'threat-enrichments-indicator-sightings', + description: 'Number of times this indicator was observed conducting threat activity.', + example: 20, + flat_name: 'threat.enrichments.indicator.sightings', + level: 'extended', + name: 'enrichments.indicator.sightings', + normalize: [], + short: 'Number of times indicator observed', + type: 'long', + }, + 'threat.enrichments.indicator.type': { + dashed_name: 'threat-enrichments-indicator-type', + description: 'Type of indicator as represented by Cyber Observable in STIX 2.0.', + example: 'ipv4-addr', + expected_values: [ + 'autonomous-system', + 'artifact', + 'directory', + 'domain-name', + 'email-addr', + 'file', + 'ipv4-addr', + 'ipv6-addr', + 'mac-addr', + 'mutex', + 'port', + 'process', + 'software', + 'url', + 'user-account', + 'windows-registry-key', + 'x509-certificate', + ], + flat_name: 'threat.enrichments.indicator.type', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.type', + normalize: [], + short: 'Type of indicator', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.domain': { + dashed_name: 'threat-enrichments-indicator-url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'threat.enrichments.indicator.url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'url', + short: 'Domain of the url.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.extension': { + dashed_name: 'threat-enrichments-indicator-url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.enrichments.indicator.url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'url', + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.fragment': { + dashed_name: 'threat-enrichments-indicator-url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'threat.enrichments.indicator.url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + original_fieldset: 'url', + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.full': { + dashed_name: 'threat-enrichments-indicator-url-full', + description: + 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the 
event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'threat.enrichments.indicator.url.full', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'url', + short: 'Full unparsed URL.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.original': { + dashed_name: 'threat-enrichments-indicator-url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'threat.enrichments.indicator.url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + original_fieldset: 'url', + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.password': { + dashed_name: 'threat-enrichments-indicator-url-password', + description: 'Password of the request.', + flat_name: 'threat.enrichments.indicator.url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + original_fieldset: 'url', + short: 'Password of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.path': { + dashed_name: 'threat-enrichments-indicator-url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'threat.enrichments.indicator.url.path', + level: 'extended', + name: 'path', + normalize: [], + original_fieldset: 'url', + short: 'Path of the request, such as 
"/search".', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.port': { + dashed_name: 'threat-enrichments-indicator-url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'threat.enrichments.indicator.url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + original_fieldset: 'url', + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'threat.enrichments.indicator.url.query': { + dashed_name: 'threat-enrichments-indicator-url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.', + flat_name: 'threat.enrichments.indicator.url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + original_fieldset: 'url', + short: 'Query string of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.registered_domain': { + dashed_name: 'threat-enrichments-indicator-url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'threat.enrichments.indicator.url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + original_fieldset: 'url', + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.scheme': { + dashed_name: 'threat-enrichments-indicator-url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'threat.enrichments.indicator.url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + original_fieldset: 'url', + short: 'Scheme of the url.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.subdomain': { + dashed_name: 'threat-enrichments-indicator-url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'threat.enrichments.indicator.url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + original_fieldset: 'url', + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.top_level_domain': { + dashed_name: 'threat-enrichments-indicator-url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'threat.enrichments.indicator.url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + original_fieldset: 'url', + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.username': { + dashed_name: 'threat-enrichments-indicator-url-username', + description: 'Username of the request.', + flat_name: 'threat.enrichments.indicator.url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + original_fieldset: 'url', + short: 'Username of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.alternative_names': { + dashed_name: 'threat-enrichments-indicator-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.enrichments.indicator.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.common_name': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.country': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.enrichments.indicator.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing 
certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.locality': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.enrichments.indicator.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.organization': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.enrichments.indicator.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.enrichments.indicator.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.state_or_province': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + 
normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.not_after': { + dashed_name: 'threat-enrichments-indicator-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.enrichments.indicator.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.x509.not_before': { + dashed_name: 'threat-enrichments-indicator-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.enrichments.indicator.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.x509.public_key_algorithm': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.enrichments.indicator.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.public_key_curve': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. 
This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.enrichments.indicator.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.public_key_exponent': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.enrichments.indicator.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.enrichments.indicator.x509.public_key_size': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.enrichments.indicator.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.enrichments.indicator.x509.serial_number': { + dashed_name: 'threat-enrichments-indicator-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.enrichments.indicator.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.signature_algorithm': { + dashed_name: 'threat-enrichments-indicator-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.enrichments.indicator.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.common_name': { + dashed_name: 'threat-enrichments-indicator-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.enrichments.indicator.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.country': { + dashed_name: 'threat-enrichments-indicator-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.enrichments.indicator.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + 
}, + 'threat.enrichments.indicator.x509.subject.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.enrichments.indicator.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.locality': { + dashed_name: 'threat-enrichments-indicator-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.enrichments.indicator.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.organization': { + dashed_name: 'threat-enrichments-indicator-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.enrichments.indicator.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.enrichments.indicator.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + 
short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.state_or_province': { + dashed_name: 'threat-enrichments-indicator-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.version_number': { + dashed_name: 'threat-enrichments-indicator-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.enrichments.indicator.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.enrichments.matched.atomic': { + dashed_name: 'threat-enrichments-matched-atomic', + description: + 'Identifies the atomic indicator value that matched a local environment endpoint or network event.', + example: 'bad-domain.com', + flat_name: 'threat.enrichments.matched.atomic', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.atomic', + normalize: [], + short: 'Matched indicator value', + type: 'keyword', + }, + 'threat.enrichments.matched.field': { + dashed_name: 'threat-enrichments-matched-field', + description: + 'Identifies the field of the atomic indicator that matched a local environment endpoint or network event.', + example: 'file.hash.sha256', + flat_name: 'threat.enrichments.matched.field', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.field', + normalize: [], + short: 'Matched indicator field', + type: 'keyword', + }, + 'threat.enrichments.matched.id': { + dashed_name: 
'threat-enrichments-matched-id', + description: 'Identifies the _id of the indicator document enriching the event.', + example: 'ff93aee5-86a1-4a61-b0e6-0cdc313d01b5', + flat_name: 'threat.enrichments.matched.id', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.id', + normalize: [], + short: 'Matched indicator identifier', + type: 'keyword', + }, + 'threat.enrichments.matched.index': { + dashed_name: 'threat-enrichments-matched-index', + description: 'Identifies the _index of the indicator document enriching the event.', + example: 'filebeat-8.0.0-2021.05.23-000011', + flat_name: 'threat.enrichments.matched.index', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.index', + normalize: [], + short: 'Matched indicator index', + type: 'keyword', + }, + 'threat.enrichments.matched.occurred': { + dashed_name: 'threat-enrichments-matched-occurred', + description: 'Indicates when the indicator match was generated', + example: '2021-10-05T17:00:58.326Z', + flat_name: 'threat.enrichments.matched.occurred', + level: 'extended', + name: 'enrichments.matched.occurred', + normalize: [], + short: 'Date of match', + type: 'date', + }, + 'threat.enrichments.matched.type': { + dashed_name: 'threat-enrichments-matched-type', + description: + 'Identifies the type of match that caused the event to be enriched with the given indicator', + example: 'indicator_match_rule', + flat_name: 'threat.enrichments.matched.type', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.type', + normalize: [], + short: 'Type of indicator match', + type: 'keyword', + }, + 'threat.feed.dashboard_id': { + dashed_name: 'threat-feed-dashboard-id', + description: + 'The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana.', + example: '5ba16340-72e6-11eb-a3e3-b3cc7c78a70f', + flat_name: 'threat.feed.dashboard_id', + ignore_above: 1024, + level: 'extended', + name: 
'feed.dashboard_id', + normalize: [], + short: 'Feed dashboard ID.', + type: 'keyword', + }, + 'threat.feed.description': { + dashed_name: 'threat-feed-description', + description: 'Description of the threat feed in a UI friendly format.', + example: 'Threat feed from the AlienVault Open Threat eXchange network.', + flat_name: 'threat.feed.description', + ignore_above: 1024, + level: 'extended', + name: 'feed.description', + normalize: [], + short: 'Description of the threat feed.', + type: 'keyword', + }, + 'threat.feed.name': { + dashed_name: 'threat-feed-name', + description: 'The name of the threat feed in UI friendly format.', + example: 'AlienVault OTX', + flat_name: 'threat.feed.name', + ignore_above: 1024, + level: 'extended', + name: 'feed.name', + normalize: [], + short: 'Name of the threat feed.', + type: 'keyword', + }, + 'threat.feed.reference': { + dashed_name: 'threat-feed-reference', + description: 'Reference information for the threat feed in a UI friendly format.', + example: 'https://otx.alienvault.com', + flat_name: 'threat.feed.reference', + ignore_above: 1024, + level: 'extended', + name: 'feed.reference', + normalize: [], + short: 'Reference for the threat feed.', + type: 'keyword', + }, + 'threat.framework': { + dashed_name: 'threat-framework', + description: + 'Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. 
Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.', + example: 'MITRE ATT&CK', + flat_name: 'threat.framework', + ignore_above: 1024, + level: 'extended', + name: 'framework', + normalize: [], + short: 'Threat classification framework.', + type: 'keyword', + }, + 'threat.group.alias': { + dashed_name: 'threat-group-alias', + description: + 'The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group alias(es).', + example: '[ "Magecart Group 6" ]', + flat_name: 'threat.group.alias', + ignore_above: 1024, + level: 'extended', + name: 'group.alias', + normalize: ['array'], + short: 'Alias of the group.', + type: 'keyword', + }, + 'threat.group.id': { + dashed_name: 'threat-group-id', + description: + 'The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group id.', + example: 'G0037', + flat_name: 'threat.group.id', + ignore_above: 1024, + level: 'extended', + name: 'group.id', + normalize: [], + short: 'ID of the group.', + type: 'keyword', + }, + 'threat.group.name': { + dashed_name: 'threat-group-name', + description: + 'The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group name.', + example: 'FIN6', + flat_name: 'threat.group.name', + ignore_above: 1024, + level: 'extended', + name: 'group.name', + normalize: [], + short: 'Name of the group.', + type: 'keyword', + }, + 'threat.group.reference': { + dashed_name: 'threat-group-reference', + description: + 'The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® 
group reference URL.', + example: 'https://attack.mitre.org/groups/G0037/', + flat_name: 'threat.group.reference', + ignore_above: 1024, + level: 'extended', + name: 'group.reference', + normalize: [], + short: 'Reference URL of the group.', + type: 'keyword', + }, + 'threat.indicator.as.number': { + dashed_name: 'threat-indicator-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'threat.indicator.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'threat.indicator.as.organization.name': { + dashed_name: 'threat-indicator-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'threat.indicator.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'threat.indicator.confidence': { + dashed_name: 'threat-indicator-confidence', + description: + 'Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. 
Vendor-specific confidence scales may be added as custom fields.', + example: 'Medium', + expected_values: ['Not Specified', 'None', 'Low', 'Medium', 'High'], + flat_name: 'threat.indicator.confidence', + ignore_above: 1024, + level: 'extended', + name: 'indicator.confidence', + normalize: [], + short: 'Indicator confidence rating', + type: 'keyword', + }, + 'threat.indicator.description': { + dashed_name: 'threat-indicator-description', + description: 'Describes the type of action conducted by the threat.', + example: 'IP x.x.x.x was observed delivering the Angler EK.', + flat_name: 'threat.indicator.description', + ignore_above: 1024, + level: 'extended', + name: 'indicator.description', + normalize: [], + short: 'Indicator description', + type: 'keyword', + }, + 'threat.indicator.email.address': { + dashed_name: 'threat-indicator-email-address', + description: + 'Identifies a threat indicator as an email address (irrespective of direction).', + example: 'phish@example.com', + flat_name: 'threat.indicator.email.address', + ignore_above: 1024, + level: 'extended', + name: 'indicator.email.address', + normalize: [], + short: 'Indicator email address', + type: 'keyword', + }, + 'threat.indicator.file.accessed': { + dashed_name: 'threat-indicator-file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'threat.indicator.file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file was accessed.', + type: 'date', + }, + 'threat.indicator.file.attributes': { + dashed_name: 'threat-indicator-file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'threat.indicator.file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + original_fieldset: 'file', + short: 'Array of file attributes.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.digest_algorithm': { + dashed_name: 'threat-indicator-file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'threat.indicator.file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.exists': { + dashed_name: 'threat-indicator-file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'threat.indicator.file.code_signature.signing_id': { + dashed_name: 'threat-indicator-file-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'threat.indicator.file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.status': { + dashed_name: 'threat-indicator-file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'threat.indicator.file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.subject_name': { + dashed_name: 'threat-indicator-file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'threat.indicator.file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.team_id': { + dashed_name: 'threat-indicator-file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'threat.indicator.file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.timestamp': { + dashed_name: 'threat-indicator-file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'threat.indicator.file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'threat.indicator.file.code_signature.trusted': { + dashed_name: 'threat-indicator-file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'threat.indicator.file.code_signature.valid': { + dashed_name: 'threat-indicator-file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'threat.indicator.file.created': { + 
dashed_name: 'threat-indicator-file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'threat.indicator.file.created', + level: 'extended', + name: 'created', + normalize: [], + original_fieldset: 'file', + short: 'File creation time.', + type: 'date', + }, + 'threat.indicator.file.ctime': { + dashed_name: 'threat-indicator-file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'threat.indicator.file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'threat.indicator.file.device': { + dashed_name: 'threat-indicator-file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'threat.indicator.file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + original_fieldset: 'file', + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'threat.indicator.file.directory': { + dashed_name: 'threat-indicator-file-directory', + description: + 'Directory where the file is located. It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'threat.indicator.file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + original_fieldset: 'file', + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'threat.indicator.file.drive_letter': { + dashed_name: 'threat-indicator-file-drive-letter', + description: + 'Drive letter where the file is located. 
This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'threat.indicator.file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + original_fieldset: 'file', + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'threat.indicator.file.elf.architecture': { + dashed_name: 'threat-indicator-file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'threat.indicator.file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.byte_order': { + dashed_name: 'threat-indicator-file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'threat.indicator.file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.cpu_type': { + dashed_name: 'threat-indicator-file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'threat.indicator.file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.creation_date': { + dashed_name: 'threat-indicator-file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'threat.indicator.file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'threat.indicator.file.elf.exports': { + dashed_name: 'threat-indicator-file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'threat.indicator.file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'threat.indicator.file.elf.header.abi_version': { + dashed_name: 'threat-indicator-file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'threat.indicator.file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.class': { + dashed_name: 'threat-indicator-file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'threat.indicator.file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.data': { + dashed_name: 'threat-indicator-file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'threat.indicator.file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.entrypoint': { + dashed_name: 'threat-indicator-file-elf-header-entrypoint', + description: 'Header entrypoint of the 
ELF file.', + flat_name: 'threat.indicator.file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'threat.indicator.file.elf.header.object_version': { + dashed_name: 'threat-indicator-file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'threat.indicator.file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.os_abi': { + dashed_name: 'threat-indicator-file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'threat.indicator.file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.type': { + dashed_name: 'threat-indicator-file-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'threat.indicator.file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.version': { + dashed_name: 'threat-indicator-file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'threat.indicator.file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'threat.indicator.file.elf.imports': { + dashed_name: 'threat-indicator-file-elf-imports', + description: 'List of imported 
element names and types.', + flat_name: 'threat.indicator.file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'threat.indicator.file.elf.sections': { + dashed_name: 'threat-indicator-file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'threat.indicator.file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'threat.indicator.file.elf.sections.chi2': { + dashed_name: 'threat-indicator-file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'threat.indicator.file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.entropy': { + dashed_name: 'threat-indicator-file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'threat.indicator.file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.flags': { + dashed_name: 'threat-indicator-file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'threat.indicator.file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 
'threat.indicator.file.elf.sections.name': { + dashed_name: 'threat-indicator-file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'threat.indicator.file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.physical_offset': { + dashed_name: 'threat-indicator-file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'threat.indicator.file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.physical_size': { + dashed_name: 'threat-indicator-file-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'threat.indicator.file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.type': { + dashed_name: 'threat-indicator-file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'threat.indicator.file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.virtual_address': { + dashed_name: 'threat-indicator-file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'threat.indicator.file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual 
address.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.virtual_size': { + dashed_name: 'threat-indicator-file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'threat.indicator.file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'threat.indicator.file.elf.segments': { + dashed_name: 'threat-indicator-file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'threat.indicator.file.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'threat.indicator.file.elf.segments.sections': { + dashed_name: 'threat-indicator-file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'threat.indicator.file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'threat.indicator.file.elf.segments.type': { + dashed_name: 'threat-indicator-file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'threat.indicator.file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'threat.indicator.file.elf.shared_libraries': { + dashed_name: 'threat-indicator-file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'threat.indicator.file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + 
name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'threat.indicator.file.elf.telfhash': { + dashed_name: 'threat-indicator-file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'threat.indicator.file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.extension': { + dashed_name: 'threat-indicator-file-extension', + description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.indicator.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'file', + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'threat.indicator.file.fork_name': { + dashed_name: 'threat-indicator-file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. 
The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'threat.indicator.file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + original_fieldset: 'file', + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'threat.indicator.file.gid': { + dashed_name: 'threat-indicator-file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'threat.indicator.file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + original_fieldset: 'file', + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'threat.indicator.file.group': { + dashed_name: 'threat-indicator-file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'threat.indicator.file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + original_fieldset: 'file', + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'threat.indicator.file.hash.md5': { + dashed_name: 'threat-indicator-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'threat.indicator.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha1': { + dashed_name: 'threat-indicator-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'threat.indicator.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha256': { + dashed_name: 'threat-indicator-file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'threat.indicator.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + 
short: 'SHA256 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha384': { + dashed_name: 'threat-indicator-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'threat.indicator.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha512': { + dashed_name: 'threat-indicator-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'threat.indicator.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.ssdeep': { + dashed_name: 'threat-indicator-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'threat.indicator.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.tlsh': { + dashed_name: 'threat-indicator-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'threat.indicator.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'threat.indicator.file.inode': { + dashed_name: 'threat-indicator-file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'threat.indicator.file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + normalize: [], + original_fieldset: 'file', + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'threat.indicator.file.mime_type': { + dashed_name: 'threat-indicator-file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using 
https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.', + flat_name: 'threat.indicator.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + original_fieldset: 'file', + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'threat.indicator.file.mode': { + dashed_name: 'threat-indicator-file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'threat.indicator.file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + original_fieldset: 'file', + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'threat.indicator.file.mtime': { + dashed_name: 'threat-indicator-file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'threat.indicator.file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file content was modified.', + type: 'date', + }, + 'threat.indicator.file.name': { + dashed_name: 'threat-indicator-file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'threat.indicator.file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'file', + short: 'Name of the file including the extension, without the directory.', + type: 'keyword', + }, + 'threat.indicator.file.owner': { + dashed_name: 'threat-indicator-file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'threat.indicator.file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + original_fieldset: 'file', + short: "File owner's username.", + type: 'keyword', + }, + 'threat.indicator.file.path': { + dashed_name: 
'threat-indicator-file-path', + description: + 'Full path to the file, including the file name. It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'threat.indicator.file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + original_fieldset: 'file', + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'threat.indicator.file.pe.architecture': { + dashed_name: 'threat-indicator-file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'threat.indicator.file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'threat.indicator.file.pe.company': { + dashed_name: 'threat-indicator-file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'threat.indicator.file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.description': { + dashed_name: 'threat-indicator-file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'threat.indicator.file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.file_version': { + dashed_name: 'threat-indicator-file-pe-file-version', + description: 'Internal 
version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'threat.indicator.file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'threat.indicator.file.pe.imphash': { + dashed_name: 'threat-indicator-file-pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'threat.indicator.file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'threat.indicator.file.pe.original_file_name': { + dashed_name: 'threat-indicator-file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'threat.indicator.file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.pehash': { + dashed_name: 'threat-indicator-file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'threat.indicator.file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'threat.indicator.file.pe.product': { + dashed_name: 'threat-indicator-file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'threat.indicator.file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.size': { + dashed_name: 'threat-indicator-file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'threat.indicator.file.size', + level: 'extended', + name: 'size', + normalize: [], + original_fieldset: 'file', + short: 'File size in bytes.', + type: 'long', + }, + 'threat.indicator.file.target_path': { + dashed_name: 'threat-indicator-file-target-path', + description: 'Target path for symlinks.', + flat_name: 'threat.indicator.file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + original_fieldset: 'file', + short: 'Target path for symlinks.', + type: 'keyword', + }, + 'threat.indicator.file.type': { + dashed_name: 'threat-indicator-file-type', + description: 'File type (file, dir, or symlink).', + example: 
'file', + flat_name: 'threat.indicator.file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'file', + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'threat.indicator.file.uid': { + dashed_name: 'threat-indicator-file-uid', + description: 'The user ID (UID) or security identifier (SID) of the file owner.', + example: '1001', + flat_name: 'threat.indicator.file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + original_fieldset: 'file', + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'threat.indicator.file.x509.alternative_names': { + dashed_name: 'threat-indicator-file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.indicator.file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.common_name': { + dashed_name: 'threat-indicator-file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.country': { + dashed_name: 'threat-indicator-file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 
'threat.indicator.file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.distinguished_name': { + dashed_name: 'threat-indicator-file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.file.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.locality': { + dashed_name: 'threat-indicator-file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.indicator.file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.organization': { + dashed_name: 'threat-indicator-file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.indicator.file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.organizational_unit': { + dashed_name: 'threat-indicator-file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 
'www.example.com', + flat_name: 'threat.indicator.file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.state_or_province': { + dashed_name: 'threat-indicator-file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.file.x509.not_after': { + dashed_name: 'threat-indicator-file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.indicator.file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.indicator.file.x509.not_before': { + dashed_name: 'threat-indicator-file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.indicator.file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.indicator.file.x509.public_key_algorithm': { + dashed_name: 'threat-indicator-file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.indicator.file.x509.public_key_algorithm', + ignore_above: 
1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.indicator.file.x509.public_key_curve': { + dashed_name: 'threat-indicator-file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.indicator.file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.indicator.file.x509.public_key_exponent': { + dashed_name: 'threat-indicator-file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.indicator.file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.indicator.file.x509.public_key_size': { + dashed_name: 'threat-indicator-file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.indicator.file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.indicator.file.x509.serial_number': { + dashed_name: 'threat-indicator-file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.indicator.file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.signature_algorithm': { + dashed_name: 'threat-indicator-file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.indicator.file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.common_name': { + dashed_name: 'threat-indicator-file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.indicator.file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.country': { + dashed_name: 'threat-indicator-file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.indicator.file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.distinguished_name': { + 
dashed_name: 'threat-indicator-file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.indicator.file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.locality': { + dashed_name: 'threat-indicator-file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.indicator.file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.organization': { + dashed_name: 'threat-indicator-file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.indicator.file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.organizational_unit': { + dashed_name: 'threat-indicator-file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.indicator.file.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.state_or_province': { + 
dashed_name: 'threat-indicator-file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.file.x509.version_number': { + dashed_name: 'threat-indicator-file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.indicator.file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.indicator.first_seen': { + dashed_name: 'threat-indicator-first-seen', + description: + 'The date and time when intelligence source first reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.first_seen', + level: 'extended', + name: 'indicator.first_seen', + normalize: [], + short: 'Date/time indicator was first reported.', + type: 'date', + }, + 'threat.indicator.geo.city_name': { + dashed_name: 'threat-indicator-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'threat.indicator.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'threat.indicator.geo.continent_code': { + dashed_name: 'threat-indicator-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'threat.indicator.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 
'threat.indicator.geo.continent_name': { + dashed_name: 'threat-indicator-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'threat.indicator.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'threat.indicator.geo.country_iso_code': { + dashed_name: 'threat-indicator-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'threat.indicator.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'threat.indicator.geo.country_name': { + dashed_name: 'threat-indicator-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'threat.indicator.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'threat.indicator.geo.location': { + dashed_name: 'threat-indicator-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'threat.indicator.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'threat.indicator.geo.name': { + dashed_name: 'threat-indicator-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'threat.indicator.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + 
short: 'User-defined description of a location.', + type: 'keyword', + }, + 'threat.indicator.geo.postal_code': { + dashed_name: 'threat-indicator-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'threat.indicator.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'threat.indicator.geo.region_iso_code': { + dashed_name: 'threat-indicator-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'threat.indicator.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'threat.indicator.geo.region_name': { + dashed_name: 'threat-indicator-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'threat.indicator.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'threat.indicator.geo.timezone': { + dashed_name: 'threat-indicator-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'threat.indicator.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'threat.indicator.ip': { + dashed_name: 'threat-indicator-ip', + description: 'Identifies a threat indicator as an IP address (irrespective of direction).', + example: '1.2.3.4', + flat_name: 'threat.indicator.ip', + level: 'extended', + name: 'indicator.ip', + normalize: [], + short: 'Indicator 
IP address', + type: 'ip', + }, + 'threat.indicator.last_seen': { + dashed_name: 'threat-indicator-last-seen', + description: + 'The date and time when intelligence source last reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.last_seen', + level: 'extended', + name: 'indicator.last_seen', + normalize: [], + short: 'Date/time indicator was last reported.', + type: 'date', + }, + 'threat.indicator.marking.tlp': { + dashed_name: 'threat-indicator-marking-tlp', + description: 'Traffic Light Protocol sharing markings.', + example: 'CLEAR', + expected_values: ['WHITE', 'CLEAR', 'GREEN', 'AMBER', 'AMBER+STRICT', 'RED'], + flat_name: 'threat.indicator.marking.tlp', + ignore_above: 1024, + level: 'extended', + name: 'indicator.marking.tlp', + normalize: [], + short: 'Indicator TLP marking', + type: 'keyword', + }, + 'threat.indicator.modified_at': { + dashed_name: 'threat-indicator-modified-at', + description: + 'The date and time when intelligence source last modified information for this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.modified_at', + level: 'extended', + name: 'indicator.modified_at', + normalize: [], + short: 'Date/time indicator was last updated.', + type: 'date', + }, + 'threat.indicator.port': { + dashed_name: 'threat-indicator-port', + description: 'Identifies a threat indicator as a port number (irrespective of direction).', + example: 443, + flat_name: 'threat.indicator.port', + level: 'extended', + name: 'indicator.port', + normalize: [], + short: 'Indicator port', + type: 'long', + }, + 'threat.indicator.provider': { + dashed_name: 'threat-indicator-provider', + description: "The name of the indicator's provider.", + example: 'lrz_urlhaus', + flat_name: 'threat.indicator.provider', + ignore_above: 1024, + level: 'extended', + name: 'indicator.provider', + normalize: [], + short: 'Indicator provider', + type: 'keyword', + }, + 'threat.indicator.reference': 
{ + dashed_name: 'threat-indicator-reference', + description: 'Reference URL linking to additional information about this indicator.', + example: 'https://system.example.com/indicator/0001234', + flat_name: 'threat.indicator.reference', + ignore_above: 1024, + level: 'extended', + name: 'indicator.reference', + normalize: [], + short: 'Indicator reference URL', + type: 'keyword', + }, + 'threat.indicator.registry.data.bytes': { + dashed_name: 'threat-indicator-registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'threat.indicator.registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + original_fieldset: 'registry', + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'threat.indicator.registry.data.strings': { + dashed_name: 'threat-indicator-registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'threat.indicator.registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + original_fieldset: 'registry', + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'threat.indicator.registry.data.type': { + dashed_name: 'threat-indicator-registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'threat.indicator.registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + original_fieldset: 'registry', + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'threat.indicator.registry.hive': { + dashed_name: 'threat-indicator-registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'threat.indicator.registry.hive', + ignore_above: 1024, + level: 'core', + name: 'hive', + normalize: [], + original_fieldset: 'registry', + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'threat.indicator.registry.key': { + dashed_name: 'threat-indicator-registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'threat.indicator.registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + original_fieldset: 'registry', + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'threat.indicator.registry.path': { + dashed_name: 'threat-indicator-registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'threat.indicator.registry.path', + 
ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + original_fieldset: 'registry', + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'threat.indicator.registry.value': { + dashed_name: 'threat-indicator-registry-value', + description: 'Name of the value written.', + example: 'Debugger', + flat_name: 'threat.indicator.registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + original_fieldset: 'registry', + short: 'Name of the value written.', + type: 'keyword', + }, + 'threat.indicator.scanner_stats': { + dashed_name: 'threat-indicator-scanner-stats', + description: 'Count of AV/EDR vendors that successfully detected malicious file or URL.', + example: 4, + flat_name: 'threat.indicator.scanner_stats', + level: 'extended', + name: 'indicator.scanner_stats', + normalize: [], + short: 'Scanner statistics', + type: 'long', + }, + 'threat.indicator.sightings': { + dashed_name: 'threat-indicator-sightings', + description: 'Number of times this indicator was observed conducting threat activity.', + example: 20, + flat_name: 'threat.indicator.sightings', + level: 'extended', + name: 'indicator.sightings', + normalize: [], + short: 'Number of times indicator observed', + type: 'long', + }, + 'threat.indicator.type': { + dashed_name: 'threat-indicator-type', + description: 'Type of indicator as represented by Cyber Observable in STIX 2.0.', + example: 'ipv4-addr', + expected_values: [ + 'autonomous-system', + 'artifact', + 'directory', + 'domain-name', + 'email-addr', + 'file', + 'ipv4-addr', + 'ipv6-addr', + 'mac-addr', + 'mutex', + 'port', + 'process', + 'software', + 'url', + 'user-account', + 'windows-registry-key', + 'x509-certificate', + ], + flat_name: 'threat.indicator.type', + ignore_above: 1024, + level: 'extended', + name: 'indicator.type', + normalize: [], + short: 'Type of indicator', + type: 'keyword', + }, + 'threat.indicator.url.domain': { + dashed_name: 
'threat-indicator-url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'threat.indicator.url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'url', + short: 'Domain of the url.', + type: 'keyword', + }, + 'threat.indicator.url.extension': { + dashed_name: 'threat-indicator-url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.indicator.url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'url', + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'threat.indicator.url.fragment': { + dashed_name: 'threat-indicator-url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'threat.indicator.url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + original_fieldset: 'url', + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'threat.indicator.url.full': { + dashed_name: 'threat-indicator-url-full', + description: + 'If full URLs are important to your use case, they should be stored 
in `url.full`, whether this field is reconstructed or present in the event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'threat.indicator.url.full', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'url', + short: 'Full unparsed URL.', + type: 'wildcard', + }, + 'threat.indicator.url.original': { + dashed_name: 'threat-indicator-url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'threat.indicator.url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + original_fieldset: 'url', + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'threat.indicator.url.password': { + dashed_name: 'threat-indicator-url-password', + description: 'Password of the request.', + flat_name: 'threat.indicator.url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + original_fieldset: 'url', + short: 'Password of the request.', + type: 'keyword', + }, + 'threat.indicator.url.path': { + dashed_name: 'threat-indicator-url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'threat.indicator.url.path', + level: 'extended', + name: 'path', + normalize: [], + original_fieldset: 'url', + short: 'Path of the request, such as "/search".', + type: 'wildcard', + }, + 'threat.indicator.url.port': { + 
dashed_name: 'threat-indicator-url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'threat.indicator.url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + original_fieldset: 'url', + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'threat.indicator.url.query': { + dashed_name: 'threat-indicator-url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.', + flat_name: 'threat.indicator.url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + original_fieldset: 'url', + short: 'Query string of the request.', + type: 'keyword', + }, + 'threat.indicator.url.registered_domain': { + dashed_name: 'threat-indicator-url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'threat.indicator.url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + original_fieldset: 'url', + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'threat.indicator.url.scheme': { + dashed_name: 'threat-indicator-url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'threat.indicator.url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + original_fieldset: 'url', + short: 'Scheme of the url.', + type: 'keyword', + }, + 'threat.indicator.url.subdomain': { + dashed_name: 'threat-indicator-url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'threat.indicator.url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + original_fieldset: 'url', + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'threat.indicator.url.top_level_domain': { + dashed_name: 'threat-indicator-url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'threat.indicator.url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + original_fieldset: 'url', + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'threat.indicator.url.username': { + dashed_name: 'threat-indicator-url-username', + description: 'Username of the request.', + flat_name: 'threat.indicator.url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + original_fieldset: 'url', + short: 'Username of the request.', + type: 'keyword', + }, + 'threat.indicator.x509.alternative_names': { + dashed_name: 'threat-indicator-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.indicator.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.common_name': { + dashed_name: 'threat-indicator-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.country': { + dashed_name: 'threat-indicator-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.indicator.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.distinguished_name': { + dashed_name: 'threat-indicator-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.locality': { + dashed_name: 
'threat-indicator-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.indicator.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.organization': { + dashed_name: 'threat-indicator-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.indicator.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.organizational_unit': { + dashed_name: 'threat-indicator-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.indicator.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.state_or_province': { + dashed_name: 'threat-indicator-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.x509.not_after': { + dashed_name: 'threat-indicator-x509-not-after', + description: 'Time at which the 
certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.indicator.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.indicator.x509.not_before': { + dashed_name: 'threat-indicator-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.indicator.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.indicator.x509.public_key_algorithm': { + dashed_name: 'threat-indicator-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.indicator.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.indicator.x509.public_key_curve': { + dashed_name: 'threat-indicator-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.indicator.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.indicator.x509.public_key_exponent': { + dashed_name: 'threat-indicator-x509-public-key-exponent', + description: 'Exponent used to derive the public key. 
This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.indicator.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.indicator.x509.public_key_size': { + dashed_name: 'threat-indicator-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.indicator.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.indicator.x509.serial_number': { + dashed_name: 'threat-indicator-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.indicator.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.signature_algorithm': { + dashed_name: 'threat-indicator-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.indicator.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.common_name': { + dashed_name: 'threat-indicator-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.indicator.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.country': { + dashed_name: 'threat-indicator-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.indicator.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'threat.indicator.x509.subject.distinguished_name': { + dashed_name: 'threat-indicator-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.indicator.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.locality': { + dashed_name: 'threat-indicator-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', 
+ flat_name: 'threat.indicator.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.x509.subject.organization': { + dashed_name: 'threat-indicator-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.indicator.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.organizational_unit': { + dashed_name: 'threat-indicator-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.indicator.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.state_or_province': { + dashed_name: 'threat-indicator-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.x509.version_number': { + dashed_name: 'threat-indicator-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.indicator.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version 
of x509 format.', + type: 'keyword', + }, + 'threat.software.alias': { + dashed_name: 'threat-software-alias', + description: + 'The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® associated software description.', + example: '[ "X-Agent" ]', + flat_name: 'threat.software.alias', + ignore_above: 1024, + level: 'extended', + name: 'software.alias', + normalize: ['array'], + short: 'Alias of the software', + type: 'keyword', + }, + 'threat.software.id': { + dashed_name: 'threat-software-id', + description: + 'The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software id.', + example: 'S0552', + flat_name: 'threat.software.id', + ignore_above: 1024, + level: 'extended', + name: 'software.id', + normalize: [], + short: 'ID of the software', + type: 'keyword', + }, + 'threat.software.name': { + dashed_name: 'threat-software-name', + description: + 'The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software name.', + example: 'AdFind', + flat_name: 'threat.software.name', + ignore_above: 1024, + level: 'extended', + name: 'software.name', + normalize: [], + short: 'Name of the software.', + type: 'keyword', + }, + 'threat.software.platforms': { + dashed_name: 'threat-software-platforms', + description: + 'The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use MITRE ATT&CK® software platform values.', + example: '[ "Windows" ]', + expected_values: [ + 'AWS', + 'Azure', + 'Azure AD', + 'GCP', + 'Linux', + 'macOS', + 'Network', + 'Office 365', + 'SaaS', + 'Windows', + ], + flat_name: 'threat.software.platforms', + ignore_above: 1024, + level: 'extended', + name: 
'software.platforms', + normalize: ['array'], + short: 'Platforms of the software.', + type: 'keyword', + }, + 'threat.software.reference': { + dashed_name: 'threat-software-reference', + description: + 'The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software reference URL.', + example: 'https://attack.mitre.org/software/S0552/', + flat_name: 'threat.software.reference', + ignore_above: 1024, + level: 'extended', + name: 'software.reference', + normalize: [], + short: 'Software reference URL.', + type: 'keyword', + }, + 'threat.software.type': { + dashed_name: 'threat-software-type', + description: + 'The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software type.', + example: 'Tool', + expected_values: ['Malware', 'Tool'], + flat_name: 'threat.software.type', + ignore_above: 1024, + level: 'extended', + name: 'software.type', + normalize: [], + short: 'Software type.', + type: 'keyword', + }, + 'threat.tactic.id': { + dashed_name: 'threat-tactic-id', + description: + 'The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'TA0002', + flat_name: 'threat.tactic.id', + ignore_above: 1024, + level: 'extended', + name: 'tactic.id', + normalize: ['array'], + short: 'Threat tactic id.', + type: 'keyword', + }, + 'threat.tactic.name': { + dashed_name: 'threat-tactic-name', + description: + 'Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/)', + example: 'Execution', + flat_name: 'threat.tactic.name', + ignore_above: 1024, + level: 'extended', + name: 'tactic.name', + normalize: ['array'], + short: 'Threat tactic.', + type: 'keyword', + }, + 'threat.tactic.reference': { + dashed_name: 'threat-tactic-reference', + description: + 'The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'https://attack.mitre.org/tactics/TA0002/', + flat_name: 'threat.tactic.reference', + ignore_above: 1024, + level: 'extended', + name: 'tactic.reference', + normalize: ['array'], + short: 'Threat tactic URL reference.', + type: 'keyword', + }, + 'threat.technique.id': { + dashed_name: 'threat-technique-id', + description: + 'The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'T1059', + flat_name: 'threat.technique.id', + ignore_above: 1024, + level: 'extended', + name: 'technique.id', + normalize: ['array'], + short: 'Threat technique id.', + type: 'keyword', + }, + 'threat.technique.name': { + dashed_name: 'threat-technique-name', + description: + 'The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'Command and Scripting Interpreter', + flat_name: 'threat.technique.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.technique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'technique.name', + normalize: ['array'], + short: 'Threat technique name.', + type: 'keyword', + }, + 'threat.technique.reference': { + dashed_name: 'threat-technique-reference', + description: + 'The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/)', + example: 'https://attack.mitre.org/techniques/T1059/', + flat_name: 'threat.technique.reference', + ignore_above: 1024, + level: 'extended', + name: 'technique.reference', + normalize: ['array'], + short: 'Threat technique URL reference.', + type: 'keyword', + }, + 'threat.technique.subtechnique.id': { + dashed_name: 'threat-technique-subtechnique-id', + description: + 'The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'T1059.001', + flat_name: 'threat.technique.subtechnique.id', + ignore_above: 1024, + level: 'extended', + name: 'technique.subtechnique.id', + normalize: ['array'], + short: 'Threat subtechnique id.', + type: 'keyword', + }, + 'threat.technique.subtechnique.name': { + dashed_name: 'threat-technique-subtechnique-name', + description: + 'The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'PowerShell', + flat_name: 'threat.technique.subtechnique.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.technique.subtechnique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'technique.subtechnique.name', + normalize: ['array'], + short: 'Threat subtechnique name.', + type: 'keyword', + }, + 'threat.technique.subtechnique.reference': { + dashed_name: 'threat-technique-subtechnique-reference', + description: + 'The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/)', + example: 'https://attack.mitre.org/techniques/T1059/001/', + flat_name: 'threat.technique.subtechnique.reference', + ignore_above: 1024, + level: 'extended', + name: 'technique.subtechnique.reference', + normalize: ['array'], + short: 'Threat subtechnique URL reference.', + type: 'keyword', + }, + 'threat.threat.indicator.marking.tlp.version': { + dashed_name: 'threat-threat-indicator-marking-tlp-version', + description: 'Traffic Light Protocol version.', + example: 2, + flat_name: 'threat.threat.indicator.marking.tlp.version', + ignore_above: 1024, + level: 'extended', + name: 'threat.indicator.marking.tlp.version', + normalize: [], + short: 'Indicator TLP version', + type: 'keyword', + }, + }, + group: 2, + name: 'threat', + nestings: [ + 'threat.enrichments.indicator.as', + 'threat.enrichments.indicator.file', + 'threat.enrichments.indicator.geo', + 'threat.enrichments.indicator.registry', + 'threat.enrichments.indicator.url', + 'threat.enrichments.indicator.x509', + 'threat.indicator.as', + 'threat.indicator.file', + 'threat.indicator.geo', + 'threat.indicator.registry', + 'threat.indicator.url', + 'threat.indicator.x509', + ], + prefix: 'threat.', + reused_here: [ + { + full: 'threat.indicator.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'threat.enrichments.indicator.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'threat.indicator.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'threat.enrichments.indicator.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'threat.indicator.file', + schema_name: 'file', + short: 'Fields describing files.', + }, + { + full: 'threat.enrichments.indicator.file', + schema_name: 'file', + short: 'Fields describing 
files.', + }, + { + full: 'threat.indicator.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'threat.enrichments.indicator.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'threat.indicator.registry', + schema_name: 'registry', + short: 'Fields related to Windows Registry operations.', + }, + { + full: 'threat.enrichments.indicator.registry', + schema_name: 'registry', + short: 'Fields related to Windows Registry operations.', + }, + { + full: 'threat.indicator.url', + schema_name: 'url', + short: 'Fields that let you store URLs in various forms.', + }, + { + full: 'threat.enrichments.indicator.url', + schema_name: 'url', + short: 'Fields that let you store URLs in various forms.', + }, + ], + short: 'Fields to classify events and alerts according to a threat taxonomy.', + title: 'Threat', + type: 'group', + }, + tls: { + description: + 'Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.', + fields: { + 'tls.cipher': { + dashed_name: 'tls-cipher', + description: 'String indicating the cipher used during the current connection.', + example: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + flat_name: 'tls.cipher', + ignore_above: 1024, + level: 'extended', + name: 'cipher', + normalize: [], + short: 'String indicating the cipher used during the current connection.', + type: 'keyword', + }, + 'tls.client.certificate': { + dashed_name: 'tls-client-certificate', + description: + 'PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.', + example: 'MII...', + flat_name: 'tls.client.certificate', + ignore_above: 1024, + level: 'extended', + name: 'client.certificate', + normalize: [], + short: 'PEM-encoded stand-alone certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.certificate_chain': { + dashed_name: 'tls-client-certificate-chain', + description: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.', + example: '["MII...", "MII..."]', + flat_name: 'tls.client.certificate_chain', + ignore_above: 1024, + level: 'extended', + name: 'client.certificate_chain', + normalize: ['array'], + short: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.md5': { + dashed_name: 'tls-client-hash-md5', + description: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC', + flat_name: 'tls.client.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.md5', + normalize: [], + short: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.sha1': { + dashed_name: 'tls-client-hash-sha1', + description: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '9E393D93138888D288266C2D915214D1D1CCEB2A', + flat_name: 'tls.client.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.sha1', + normalize: [], + short: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.sha256': { + dashed_name: 'tls-client-hash-sha256', + description: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0', + flat_name: 'tls.client.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.sha256', + normalize: [], + short: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.issuer': { + dashed_name: 'tls-client-issuer', + description: + 'Distinguished name of subject of the issuer of the x.509 certificate presented by the client.', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.client.issuer', + ignore_above: 1024, + level: 'extended', + name: 'client.issuer', + normalize: [], + short: + 'Distinguished name of subject of the issuer of the x.509 certificate presented by the client.', + type: 'keyword', + }, + 'tls.client.ja3': { + dashed_name: 'tls-client-ja3', + description: + 'A hash that identifies clients based on how they perform an SSL/TLS handshake.', + example: 'd4e5b18d6b55c71272893221c96ba240', + flat_name: 'tls.client.ja3', + ignore_above: 1024, + level: 'extended', + name: 'client.ja3', + normalize: [], + short: 'A hash that identifies clients based on how they perform an SSL/TLS handshake.', + type: 'keyword', + }, 
+ 'tls.client.not_after': { + dashed_name: 'tls-client-not-after', + description: 'Date/Time indicating when client certificate is no longer considered valid.', + example: '2021-01-01T00:00:00.000Z', + flat_name: 'tls.client.not_after', + level: 'extended', + name: 'client.not_after', + normalize: [], + short: 'Date/Time indicating when client certificate is no longer considered valid.', + type: 'date', + }, + 'tls.client.not_before': { + dashed_name: 'tls-client-not-before', + description: 'Date/Time indicating when client certificate is first considered valid.', + example: '1970-01-01T00:00:00.000Z', + flat_name: 'tls.client.not_before', + level: 'extended', + name: 'client.not_before', + normalize: [], + short: 'Date/Time indicating when client certificate is first considered valid.', + type: 'date', + }, + 'tls.client.server_name': { + dashed_name: 'tls-client-server-name', + description: + 'Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.', + example: 'www.elastic.co', + flat_name: 'tls.client.server_name', + ignore_above: 1024, + level: 'extended', + name: 'client.server_name', + normalize: [], + short: 'Hostname the client is trying to connect to. 
Also called the SNI.', + type: 'keyword', + }, + 'tls.client.subject': { + dashed_name: 'tls-client-subject', + description: + 'Distinguished name of subject of the x.509 certificate presented by the client.', + example: 'CN=myclient, OU=Documentation Team, DC=example, DC=com', + flat_name: 'tls.client.subject', + ignore_above: 1024, + level: 'extended', + name: 'client.subject', + normalize: [], + short: 'Distinguished name of subject of the x.509 certificate presented by the client.', + type: 'keyword', + }, + 'tls.client.supported_ciphers': { + dashed_name: 'tls-client-supported-ciphers', + description: 'Array of ciphers offered by the client during the client hello.', + example: + '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]', + flat_name: 'tls.client.supported_ciphers', + ignore_above: 1024, + level: 'extended', + name: 'client.supported_ciphers', + normalize: ['array'], + short: 'Array of ciphers offered by the client during the client hello.', + type: 'keyword', + }, + 'tls.client.x509.alternative_names': { + dashed_name: 'tls-client-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'tls.client.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'tls.client.x509.issuer.common_name': { + dashed_name: 'tls-client-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'tls.client.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.country': { + dashed_name: 'tls-client-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'tls.client.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'tls.client.x509.issuer.distinguished_name': { + dashed_name: 'tls-client-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'tls.client.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.locality': { + dashed_name: 'tls-client-x509-issuer-locality', + description: 'List of locality names (L)', 
+ example: 'Mountain View', + flat_name: 'tls.client.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.client.x509.issuer.organization': { + dashed_name: 'tls-client-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'tls.client.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.organizational_unit': { + dashed_name: 'tls-client-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'tls.client.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.state_or_province': { + dashed_name: 'tls-client-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.client.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.client.x509.not_after': { + dashed_name: 'tls-client-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'tls.client.x509.not_after', + level: 'extended', + name: 
'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'tls.client.x509.not_before': { + dashed_name: 'tls-client-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'tls.client.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'tls.client.x509.public_key_algorithm': { + dashed_name: 'tls-client-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'tls.client.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'tls.client.x509.public_key_curve': { + dashed_name: 'tls-client-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'tls.client.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'tls.client.x509.public_key_exponent': { + dashed_name: 'tls-client-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'tls.client.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'tls.client.x509.public_key_size': { + dashed_name: 'tls-client-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'tls.client.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'tls.client.x509.serial_number': { + dashed_name: 'tls-client-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'tls.client.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.signature_algorithm': { + dashed_name: 'tls-client-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'tls.client.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'tls.client.x509.subject.common_name': { + dashed_name: 'tls-client-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'tls.client.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.country': { + dashed_name: 'tls-client-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'tls.client.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'tls.client.x509.subject.distinguished_name': { + dashed_name: 'tls-client-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'tls.client.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'tls.client.x509.subject.locality': { + dashed_name: 'tls-client-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'tls.client.x509.subject.locality', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.client.x509.subject.organization': { + dashed_name: 'tls-client-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'tls.client.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.organizational_unit': { + dashed_name: 'tls-client-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'tls.client.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.state_or_province': { + dashed_name: 'tls-client-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.client.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.client.x509.version_number': { + dashed_name: 'tls-client-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'tls.client.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'tls.curve': { + dashed_name: 'tls-curve', + description: 'String indicating the curve used for the given 
cipher, when applicable.', + example: 'secp256r1', + flat_name: 'tls.curve', + ignore_above: 1024, + level: 'extended', + name: 'curve', + normalize: [], + short: 'String indicating the curve used for the given cipher, when applicable.', + type: 'keyword', + }, + 'tls.established': { + dashed_name: 'tls-established', + description: + 'Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.', + flat_name: 'tls.established', + level: 'extended', + name: 'established', + normalize: [], + short: + 'Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.', + type: 'boolean', + }, + 'tls.next_protocol': { + dashed_name: 'tls-next-protocol', + description: + 'String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.', + example: 'http/1.1', + flat_name: 'tls.next_protocol', + ignore_above: 1024, + level: 'extended', + name: 'next_protocol', + normalize: [], + short: 'String indicating the protocol being tunneled.', + type: 'keyword', + }, + 'tls.resumed': { + dashed_name: 'tls-resumed', + description: + 'Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.', + flat_name: 'tls.resumed', + level: 'extended', + name: 'resumed', + normalize: [], + short: + 'Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.', + type: 'boolean', + }, + 'tls.server.certificate': { + dashed_name: 'tls-server-certificate', + description: + 'PEM-encoded stand-alone certificate offered by the server. 
This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.', + example: 'MII...', + flat_name: 'tls.server.certificate', + ignore_above: 1024, + level: 'extended', + name: 'server.certificate', + normalize: [], + short: 'PEM-encoded stand-alone certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.certificate_chain': { + dashed_name: 'tls-server-certificate-chain', + description: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.', + example: '["MII...", "MII..."]', + flat_name: 'tls.server.certificate_chain', + ignore_above: 1024, + level: 'extended', + name: 'server.certificate_chain', + normalize: ['array'], + short: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.md5': { + dashed_name: 'tls-server-hash-md5', + description: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC', + flat_name: 'tls.server.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.md5', + normalize: [], + short: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.sha1': { + dashed_name: 'tls-server-hash-sha1', + description: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '9E393D93138888D288266C2D915214D1D1CCEB2A', + flat_name: 'tls.server.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.sha1', + normalize: [], + short: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.sha256': { + dashed_name: 'tls-server-hash-sha256', + description: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0', + flat_name: 'tls.server.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.sha256', + normalize: [], + short: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.issuer': { + dashed_name: 'tls-server-issuer', + description: 'Subject of the issuer of the x.509 certificate presented by the server.', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.server.issuer', + ignore_above: 1024, + level: 'extended', + name: 'server.issuer', + normalize: [], + short: 'Subject of the issuer of the x.509 certificate presented by the server.', + type: 'keyword', + }, + 'tls.server.ja3s': { + dashed_name: 'tls-server-ja3s', + description: + 'A hash that identifies servers based on how they perform an SSL/TLS handshake.', + example: '394441ab65754e2207b1e1b457b3641d', + flat_name: 'tls.server.ja3s', + ignore_above: 1024, + level: 'extended', + name: 'server.ja3s', + normalize: [], + short: 'A hash that identifies servers based on how they perform an SSL/TLS handshake.', + type: 'keyword', + }, + 'tls.server.not_after': { + dashed_name: 
'tls-server-not-after', + description: 'Timestamp indicating when server certificate is no longer considered valid.', + example: '2021-01-01T00:00:00.000Z', + flat_name: 'tls.server.not_after', + level: 'extended', + name: 'server.not_after', + normalize: [], + short: 'Timestamp indicating when server certificate is no longer considered valid.', + type: 'date', + }, + 'tls.server.not_before': { + dashed_name: 'tls-server-not-before', + description: 'Timestamp indicating when server certificate is first considered valid.', + example: '1970-01-01T00:00:00.000Z', + flat_name: 'tls.server.not_before', + level: 'extended', + name: 'server.not_before', + normalize: [], + short: 'Timestamp indicating when server certificate is first considered valid.', + type: 'date', + }, + 'tls.server.subject': { + dashed_name: 'tls-server-subject', + description: 'Subject of the x.509 certificate presented by the server.', + example: 'CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.server.subject', + ignore_above: 1024, + level: 'extended', + name: 'server.subject', + normalize: [], + short: 'Subject of the x.509 certificate presented by the server.', + type: 'keyword', + }, + 'tls.server.x509.alternative_names': { + dashed_name: 'tls-server-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'tls.server.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'tls.server.x509.issuer.common_name': { + dashed_name: 'tls-server-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'tls.server.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.country': { + dashed_name: 'tls-server-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'tls.server.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'tls.server.x509.issuer.distinguished_name': { + dashed_name: 'tls-server-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'tls.server.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.locality': { + dashed_name: 'tls-server-x509-issuer-locality', + description: 'List of locality names (L)', 
+ example: 'Mountain View', + flat_name: 'tls.server.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.server.x509.issuer.organization': { + dashed_name: 'tls-server-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'tls.server.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.organizational_unit': { + dashed_name: 'tls-server-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'tls.server.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.state_or_province': { + dashed_name: 'tls-server-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.server.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.server.x509.not_after': { + dashed_name: 'tls-server-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'tls.server.x509.not_after', + level: 'extended', + name: 
'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'tls.server.x509.not_before': { + dashed_name: 'tls-server-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'tls.server.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'tls.server.x509.public_key_algorithm': { + dashed_name: 'tls-server-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'tls.server.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'tls.server.x509.public_key_curve': { + dashed_name: 'tls-server-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'tls.server.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'tls.server.x509.public_key_exponent': { + dashed_name: 'tls-server-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'tls.server.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'tls.server.x509.public_key_size': { + dashed_name: 'tls-server-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'tls.server.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'tls.server.x509.serial_number': { + dashed_name: 'tls-server-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'tls.server.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.signature_algorithm': { + dashed_name: 'tls-server-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'tls.server.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'tls.server.x509.subject.common_name': { + dashed_name: 'tls-server-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'tls.server.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.country': { + dashed_name: 'tls-server-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'tls.server.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'tls.server.x509.subject.distinguished_name': { + dashed_name: 'tls-server-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'tls.server.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'tls.server.x509.subject.locality': { + dashed_name: 'tls-server-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'tls.server.x509.subject.locality', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.server.x509.subject.organization': { + dashed_name: 'tls-server-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'tls.server.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.organizational_unit': { + dashed_name: 'tls-server-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'tls.server.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.state_or_province': { + dashed_name: 'tls-server-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.server.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.server.x509.version_number': { + dashed_name: 'tls-server-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'tls.server.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'tls.version': { + dashed_name: 'tls-version', + description: 'Numeric part of the version parsed from the 
original string.', + example: '1.2', + flat_name: 'tls.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Numeric part of the version parsed from the original string.', + type: 'keyword', + }, + 'tls.version_protocol': { + dashed_name: 'tls-version-protocol', + description: 'Normalized lowercase protocol name parsed from original string.', + example: 'tls', + flat_name: 'tls.version_protocol', + ignore_above: 1024, + level: 'extended', + name: 'version_protocol', + normalize: [], + short: 'Normalized lowercase protocol name parsed from original string.', + type: 'keyword', + }, + }, + group: 2, + name: 'tls', + nestings: ['tls.client.x509', 'tls.server.x509'], + prefix: 'tls.', + reused_here: [ + { + full: 'tls.client.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'tls.server.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + ], + short: 'Fields describing a TLS connection.', + title: 'TLS', + type: 'group', + }, + tracing: { + description: + 'Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.\nUnlike most field sets in ECS, the tracing fields are *not* nested under the field set name. 
In other words, the correct field name is `trace.id`, not `tracing.trace.id`, and so on.', + fields: { + 'span.id': { + dashed_name: 'span-id', + description: + 'Unique identifier of the span within the scope of its trace.\nA span represents an operation within a transaction, such as a request to another service, or a database query.', + example: '3ff9a8981b7ccd5a', + flat_name: 'span.id', + ignore_above: 1024, + level: 'extended', + name: 'span.id', + normalize: [], + short: 'Unique identifier of the span within the scope of its trace.', + type: 'keyword', + }, + 'trace.id': { + dashed_name: 'trace-id', + description: + 'Unique identifier of the trace.\nA trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.', + example: '4bf92f3577b34da6a3ce929d0e0e4736', + flat_name: 'trace.id', + ignore_above: 1024, + level: 'extended', + name: 'trace.id', + normalize: [], + short: 'Unique identifier of the trace.', + type: 'keyword', + }, + 'transaction.id': { + dashed_name: 'transaction-id', + description: + 'Unique identifier of the transaction within the scope of its trace.\nA transaction is the highest level of work measured within a service, such as a request to a server.', + example: '00f067aa0ba902b7', + flat_name: 'transaction.id', + ignore_above: 1024, + level: 'extended', + name: 'transaction.id', + normalize: [], + short: 'Unique identifier of the transaction within the scope of its trace.', + type: 'keyword', + }, + }, + group: 2, + name: 'tracing', + prefix: '', + root: true, + short: 'Fields related to distributed tracing.', + title: 'Tracing', + type: 'group', + }, + url: { + description: + 'URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.', + fields: { + 'url.domain': { + dashed_name: 'url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an 
IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Domain of the url.', + type: 'keyword', + }, + 'url.extension': { + dashed_name: 'url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'url.fragment': { + dashed_name: 'url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'url.full': { + dashed_name: 'url-full', + description: + 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'url.full', + level: 'extended', + multi_fields: [{ flat_name: 'url.full.text', name: 'text', type: 'match_only_text' }], + name: 'full', + normalize: [], + short: 'Full unparsed URL.', + type: 
'wildcard', + }, + 'url.original': { + dashed_name: 'url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'url.password': { + dashed_name: 'url-password', + description: 'Password of the request.', + flat_name: 'url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + short: 'Password of the request.', + type: 'keyword', + }, + 'url.path': { + dashed_name: 'url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'url.path', + level: 'extended', + name: 'path', + normalize: [], + short: 'Path of the request, such as "/search".', + type: 'wildcard', + }, + 'url.port': { + dashed_name: 'url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'url.query': { + dashed_name: 'url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases.', + flat_name: 'url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + short: 'Query string of the request.', + type: 'keyword', + }, + 'url.registered_domain': { + dashed_name: 'url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'url.scheme': { + dashed_name: 'url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + short: 'Scheme of the url.', + type: 'keyword', + }, + 'url.subdomain': { + dashed_name: 'url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'url.top_level_domain': { + dashed_name: 'url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'url.username': { + dashed_name: 'url-username', + description: 'Username of the request.', + flat_name: 'url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + short: 'Username of the request.', + type: 'keyword', + }, + }, + group: 2, + name: 'url', + prefix: 'url.', + reusable: { + expected: [ + { as: 'url', at: 'threat.indicator', full: 'threat.indicator.url' }, + { + as: 'url', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.url', + }, + ], + top_level: true, + }, + short: 'Fields that let you store URLs in various forms.', + title: 'URL', + type: 'group', + }, + user: { + description: + 'The user fields describe information about the user that is relevant to the event.\nFields can have one entry or multiple entries. 
If a user has more than one id, provide an array that includes all of them.', + fields: { + 'user.changes.domain': { + dashed_name: 'user-changes-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.changes.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.changes.email': { + dashed_name: 'user-changes-email', + description: 'User email address.', + flat_name: 'user.changes.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.changes.full_name': { + dashed_name: 'user-changes-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.changes.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.changes.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.changes.group.domain': { + dashed_name: 'user-changes-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.changes.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.changes.group.id': { + dashed_name: 'user-changes-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.changes.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 
'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.changes.group.name': { + dashed_name: 'user-changes-group-name', + description: 'Name of the group.', + flat_name: 'user.changes.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.changes.hash': { + dashed_name: 'user-changes-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.changes.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.changes.id': { + dashed_name: 'user-changes-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.changes.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.changes.name': { + dashed_name: 'user-changes-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.changes.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.changes.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.changes.roles': { + dashed_name: 'user-changes-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.changes.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + 
normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.domain': { + dashed_name: 'user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.effective.domain': { + dashed_name: 'user-effective-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.effective.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.effective.email': { + dashed_name: 'user-effective-email', + description: 'User email address.', + flat_name: 'user.effective.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.effective.full_name': { + dashed_name: 'user-effective-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.effective.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.effective.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.effective.group.domain': { + dashed_name: 'user-effective-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.effective.group.domain', + ignore_above: 1024, + level: 
'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.effective.group.id': { + dashed_name: 'user-effective-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.effective.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.effective.group.name': { + dashed_name: 'user-effective-group-name', + description: 'Name of the group.', + flat_name: 'user.effective.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.effective.hash': { + dashed_name: 'user-effective-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.effective.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.effective.id': { + dashed_name: 'user-effective-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.effective.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.effective.name': { + dashed_name: 'user-effective-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.effective.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 
'user.effective.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.effective.roles': { + dashed_name: 'user-effective-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.effective.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.email': { + dashed_name: 'user-email', + description: 'User email address.', + flat_name: 'user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + short: 'User email address.', + type: 'keyword', + }, + 'user.full_name': { + dashed_name: 'user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.group.domain': { + dashed_name: 'user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.group.id': { + dashed_name: 'user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for 
the group on the system/platform.', + type: 'keyword', + }, + 'user.group.name': { + dashed_name: 'user-group-name', + description: 'Name of the group.', + flat_name: 'user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.hash': { + dashed_name: 'user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.id': { + dashed_name: 'user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.name': { + dashed_name: 'user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.risk.calculated_level': { + dashed_name: 'user-risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'user.risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity 
risk scoring.', + type: 'keyword', + }, + 'user.risk.calculated_score': { + dashed_name: 'user-risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'user.risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'user.risk.calculated_score_norm': { + dashed_name: 'user-risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.', + example: 88.73, + flat_name: 'user.risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'user.risk.static_level': { + dashed_name: 'user-risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 'High', + flat_name: 'user.risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'keyword', + }, + 'user.risk.static_score': { + dashed_name: 'user-risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'user.risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk 
classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'user.risk.static_score_norm': { + dashed_name: 'user-risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'user.risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + 'user.roles': { + dashed_name: 'user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.target.domain': { + dashed_name: 'user-target-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.target.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.target.email': { + dashed_name: 'user-target-email', + description: 'User email address.', + flat_name: 'user.target.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.target.full_name': { + dashed_name: 'user-target-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.target.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.target.full_name.text', + 
name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.target.group.domain': { + dashed_name: 'user-target-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.target.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.target.group.id': { + dashed_name: 'user-target-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.target.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.target.group.name': { + dashed_name: 'user-target-group-name', + description: 'Name of the group.', + flat_name: 'user.target.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.target.hash': { + dashed_name: 'user-target-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.target.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.target.id': { + dashed_name: 'user-target-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.target.id', + 
ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.target.name': { + dashed_name: 'user-target-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.target.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.target.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.target.roles': { + dashed_name: 'user-target-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.target.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'user', + nestings: ['user.changes', 'user.effective', 'user.group', 'user.risk', 'user.target'], + prefix: 'user.', + reusable: { + expected: [ + { as: 'user', at: 'client', full: 'client.user' }, + { as: 'user', at: 'destination', full: 'destination.user' }, + { as: 'user', at: 'server', full: 'server.user' }, + { as: 'user', at: 'source', full: 'source.user' }, + { + as: 'target', + at: 'user', + full: 'user.target', + short_override: 'Targeted user of action taken.', + }, + { + as: 'effective', + at: 'user', + full: 'user.effective', + short_override: 'User whose privileges were assumed.', + }, + { + as: 'changes', + at: 'user', + full: 'user.changes', + short_override: 'Captures changes made to a user.', + }, + { + as: 'user', + at: 'process', + full: 'process.user', + short_override: 'The effective user (euid).', + }, + { + as: 'saved_user', + at: 'process', + full: 'process.saved_user', + short_override: 'The saved user (suid).', + }, 
+ { + as: 'real_user', + at: 'process', + full: 'process.real_user', + short_override: 'The real user (ruid). Identifies the real owner of the process.', + }, + { + as: 'attested_user', + at: 'process', + beta: 'Reusing the `user` fields in this location is currently considered beta.', + full: 'process.attested_user', + short_override: + 'The externally attested user based on an external source such as the Kube API.', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'user.group', + schema_name: 'group', + short: "User's group relevant to the event.", + }, + { + full: 'user.risk', + schema_name: 'risk', + short: 'Fields for describing risk score and level.', + }, + { + full: 'user.target', + schema_name: 'user', + short: 'Targeted user of action taken.', + }, + { + full: 'user.effective', + schema_name: 'user', + short: 'User whose privileges were assumed.', + }, + { + full: 'user.changes', + schema_name: 'user', + short: 'Captures changes made to a user.', + }, + ], + short: 'Fields to describe the user relevant to the event.', + title: 'User', + type: 'group', + }, + user_agent: { + description: + 'The user_agent fields normally come from a browser request.\nThey often show up in web service logs coming from the parsed user agent string.', + fields: { + 'user_agent.device.name': { + dashed_name: 'user-agent-device-name', + description: 'Name of the device.', + example: 'iPhone', + flat_name: 'user_agent.device.name', + ignore_above: 1024, + level: 'extended', + name: 'device.name', + normalize: [], + short: 'Name of the device.', + type: 'keyword', + }, + 'user_agent.name': { + dashed_name: 'user-agent-name', + description: 'Name of the user agent.', + example: 'Safari', + flat_name: 'user_agent.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the user agent.', + type: 'keyword', + }, + 'user_agent.original': { + dashed_name: 'user-agent-original', + description: 'Unparsed user_agent string.', + 
example: + 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1', + flat_name: 'user_agent.original', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user_agent.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + short: 'Unparsed user_agent string.', + type: 'keyword', + }, + 'user_agent.os.family': { + dashed_name: 'user-agent-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'user_agent.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'user_agent.os.full': { + dashed_name: 'user-agent-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'user_agent.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user_agent.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'user_agent.os.kernel': { + dashed_name: 'user-agent-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'user_agent.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'user_agent.os.name': { + dashed_name: 'user-agent-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'user_agent.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + 
flat_name: 'user_agent.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'user_agent.os.platform': { + dashed_name: 'user-agent-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'user_agent.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'user_agent.os.type': { + dashed_name: 'user-agent-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'user_agent.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'user_agent.os.version': { + dashed_name: 'user-agent-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'user_agent.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'user_agent.version': { + dashed_name: 'user-agent-version', + description: 'Version of the user agent.', + example: 12, + flat_name: 'user_agent.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Version of the user 
agent.', + type: 'keyword', + }, + }, + group: 2, + name: 'user_agent', + nestings: ['user_agent.os'], + prefix: 'user_agent.', + reused_here: [ + { + full: 'user_agent.os', + schema_name: 'os', + short: 'OS fields contain information about the operating system.', + }, + ], + short: 'Fields to describe a browser user_agent string.', + title: 'User agent', + type: 'group', + }, + vlan: { + description: + 'The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.\nNetwork.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.\nNetwork.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. 
Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging.\nObserver.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.', + fields: { + 'vlan.id': { + dashed_name: 'vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'vlan.name': { + dashed_name: 'vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + }, + group: 2, + name: 'vlan', + prefix: 'vlan.', + reusable: { + expected: [ + { as: 'vlan', at: 'observer.ingress', full: 'observer.ingress.vlan' }, + { as: 'vlan', at: 'observer.egress', full: 'observer.egress.vlan' }, + { as: 'vlan', at: 'network', full: 'network.vlan' }, + { as: 'vlan', at: 'network.inner', full: 'network.inner.vlan' }, + ], + top_level: false, + }, + short: 'Fields to describe observed VLAN information.', + title: 'VLAN', + type: 'group', + }, + vulnerability: { + description: + 'The vulnerability fields describe information about a vulnerability that is relevant to an event.', + fields: { + 'vulnerability.category': { + dashed_name: 'vulnerability-category', + description: + 'The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])\nThis field must be an array.', + example: '["Firewall"]', + flat_name: 'vulnerability.category', + ignore_above: 1024, + level: 'extended', + name: 'category', + normalize: ['array'], + short: 'Category of a vulnerability.', + type: 'keyword', + }, + 'vulnerability.classification': { + dashed_name: 'vulnerability-classification', + description: + 'The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)', + example: 'CVSS', + flat_name: 'vulnerability.classification', + ignore_above: 1024, + level: 'extended', + name: 'classification', + normalize: [], + short: 'Classification of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.description': { + dashed_name: 'vulnerability-description', + description: + 'The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])', + example: 'In macOS before 2.12.6, there is a vulnerability in the RPC...', + flat_name: 'vulnerability.description', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'vulnerability.description.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'description', + normalize: [], + short: 'Description of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.enumeration': { + dashed_name: 'vulnerability-enumeration', + description: + 'The type of identifier used for this vulnerability. 
For example (https://cve.mitre.org/about/)', + example: 'CVE', + flat_name: 'vulnerability.enumeration', + ignore_above: 1024, + level: 'extended', + name: 'enumeration', + normalize: [], + short: 'Identifier of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.id': { + dashed_name: 'vulnerability-id', + description: + 'The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]', + example: 'CVE-2019-00001', + flat_name: 'vulnerability.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'ID of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.reference': { + dashed_name: 'vulnerability-reference', + description: + 'A resource that provides additional information, context, and mitigations for the identified vulnerability.', + example: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', + flat_name: 'vulnerability.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Reference of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.report_id': { + dashed_name: 'vulnerability-report-id', + description: 'The report or scan identification number.', + example: 20191018.0001, + flat_name: 'vulnerability.report_id', + ignore_above: 1024, + level: 'extended', + name: 'report_id', + normalize: [], + short: 'Scan identification number.', + type: 'keyword', + }, + 'vulnerability.scanner.vendor': { + dashed_name: 'vulnerability-scanner-vendor', + description: 'The name of the vulnerability scanner vendor.', + example: 'Tenable', + flat_name: 'vulnerability.scanner.vendor', + ignore_above: 1024, + level: 'extended', + name: 'scanner.vendor', + normalize: [], + short: 'Name of the scanner vendor.', + type: 'keyword', + }, + 'vulnerability.score.base': { + 
dashed_name: 'vulnerability-score-base', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nBase scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)', + example: 5.5, + flat_name: 'vulnerability.score.base', + level: 'extended', + name: 'score.base', + normalize: [], + short: 'Vulnerability Base score.', + type: 'float', + }, + 'vulnerability.score.environmental': { + dashed_name: 'vulnerability-score-environmental', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)', + example: 5.5, + flat_name: 'vulnerability.score.environmental', + level: 'extended', + name: 'score.environmental', + normalize: [], + short: 'Vulnerability Environmental score.', + type: 'float', + }, + 'vulnerability.score.temporal': { + dashed_name: 'vulnerability-score-temporal', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nTemporal scores cover an assessment for code maturity, remediation level, and confidence. 
For example (https://www.first.org/cvss/specification-document)', + flat_name: 'vulnerability.score.temporal', + level: 'extended', + name: 'score.temporal', + normalize: [], + short: 'Vulnerability Temporal score.', + type: 'float', + }, + 'vulnerability.score.version': { + dashed_name: 'vulnerability-score-version', + description: + 'The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)', + example: 2, + flat_name: 'vulnerability.score.version', + ignore_above: 1024, + level: 'extended', + name: 'score.version', + normalize: [], + short: 'CVSS version.', + type: 'keyword', + }, + 'vulnerability.severity': { + dashed_name: 'vulnerability-severity', + description: + 'The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)', + example: 'Critical', + flat_name: 'vulnerability.severity', + ignore_above: 1024, + level: 'extended', + name: 'severity', + normalize: [], + short: 'Severity of the vulnerability.', + type: 'keyword', + }, + }, + group: 2, + name: 'vulnerability', + prefix: 'vulnerability.', + short: 'Fields to describe the vulnerability relevant to an event.', + title: 'Vulnerability', + type: 'group', + }, + x509: { + description: + 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. 
When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.', + fields: { + 'x509.alternative_names': { + dashed_name: 'x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'x509.issuer.common_name': { + dashed_name: 'x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.country': { + dashed_name: 'x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'x509.issuer.distinguished_name': { + dashed_name: 'x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + 
short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.locality': { + dashed_name: 'x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + short: 'List of locality names (L)', + type: 'keyword', + }, + 'x509.issuer.organization': { + dashed_name: 'x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.organizational_unit': { + dashed_name: 'x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.state_or_province': { + dashed_name: 'x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'x509.not_after': { + dashed_name: 'x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + short: 'Time at which the 
certificate is no longer considered valid.', + type: 'date', + }, + 'x509.not_before': { + dashed_name: 'x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'x509.public_key_algorithm': { + dashed_name: 'x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'x509.public_key_curve': { + dashed_name: 'x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'x509.public_key_exponent': { + dashed_name: 'x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'x509.public_key_size': { + dashed_name: 'x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'x509.serial_number': { + dashed_name: 'x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'x509.signature_algorithm': { + dashed_name: 'x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'x509.subject.common_name': { + dashed_name: 'x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'x509.subject.country': { + dashed_name: 'x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'x509.subject.distinguished_name': { + dashed_name: 'x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'x509.subject.locality': { + dashed_name: 'x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + short: 'List of locality names (L)', + type: 'keyword', + }, + 'x509.subject.organization': { + dashed_name: 'x509-subject-organization', + description: 'List of organizations (O) of 
subject.', + example: 'Example, Inc.', + flat_name: 'x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'x509.subject.organizational_unit': { + dashed_name: 'x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'x509.subject.state_or_province': { + dashed_name: 'x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'x509.version_number': { + dashed_name: 'x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + short: 'Version of x509 format.', + type: 'keyword', + }, + }, + group: 2, + name: 'x509', + prefix: 'x509.', + reusable: { + expected: [ + { as: 'x509', at: 'file', full: 'file.x509' }, + { as: 'x509', at: 'threat.indicator', full: 'threat.indicator.x509' }, + { + as: 'x509', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.x509', + }, + { as: 'x509', at: 'tls.client', full: 'tls.client.x509' }, + { as: 'x509', at: 'tls.server', full: 'tls.server.x509' }, + ], + top_level: false, + }, + short: 'These fields contain x509 certificate metadata.', + title: 'x509 Certificate', + type: 'group', + }, +}; 
diff --git a/packages/kbn-ecs/generated/elf.ts b/packages/kbn-ecs/generated/elf.ts new file mode 100644 index 0000000000000..3036fa8690733 --- /dev/null +++ b/packages/kbn-ecs/generated/elf.ts 
@@ -0,0 +1,90 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * These fields contain Linux Executable Linkable Format (ELF) metadata. + */ +export interface EcsElf { + /** + * Machine architecture of the ELF file. + */ + architecture?: string; + /** + * Byte sequence of ELF file. + */ + byte_order?: string; + /** + * CPU type of the ELF file. + */ + cpu_type?: string; + /** + * Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + */ + creation_date?: string; + /** + * List of exported element names and types. + */ + exports?: Array>; + header?: { + /** + * Version of the ELF Application Binary Interface (ABI). + */ + abi_version?: string; + /** + * Header class of the ELF file. + */ + class?: string; + /** + * Data table of the ELF header. + */ + data?: string; + /** + * Header entrypoint of the ELF file. + */ + entrypoint?: number; + /** + * "0x1" for original ELF files. + */ + object_version?: string; + /** + * Application Binary Interface (ABI) of the Linux OS. + */ + os_abi?: string; + /** + * Header type of the ELF file. + */ + type?: string; + /** + * Version of the ELF header. + */ + version?: string; + }; + + /** + * List of imported element names and types. + */ + imports?: Array>; + /** + * An array containing an object for each section of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + */ + sections?: Array>; + /** + * An array containing an object for each segment of the ELF file. 
+ * The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + */ + segments?: Array>; + /** + * List of shared libraries used by this ELF object. + */ + shared_libraries?: string[]; + /** + * telfhash symbol hash for ELF file. + */ + telfhash?: string; +} diff --git a/packages/kbn-ecs/generated/email.ts b/packages/kbn-ecs/generated/email.ts new file mode 100644 index 0000000000000..6148733a28a14 --- /dev/null +++ b/packages/kbn-ecs/generated/email.ts 
@@ -0,0 +1,94 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Event details relating to an email transaction. + * This field set focuses on the email message header, body, and attachments. Network protocols that send and receive email messages such as SMTP are outside the scope of the `email.*` fields. + */ +export interface EcsEmail { + /** + * A list of objects describing the attachment files sent along with an email message. + */ + attachments?: Array>; + bcc?: { + /** + * The email address of BCC recipient + */ + address?: string[]; + }; + + cc?: { + /** + * The email address of CC recipient + */ + address?: string[]; + }; + + /** + * Information about how the message is to be displayed. + * Typically a MIME type. + */ + content_type?: string; + /** + * The date and time when the email message was received by the service or client. + */ + delivery_timestamp?: string; + /** + * The direction of the message based on the sending and receiving domains. + */ + direction?: string; + from?: { + /** + * The email address of the sender, typically from the RFC 5322 `From:` header field. + */ + address?: string[]; + }; + + /** + * Unique identifier given to the email by the source that created the event. + * Identifier is not persistent across hops. + */ + local_id?: string; + /** + * Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + */ + message_id?: string; + /** + * The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. 
+ */ + origination_timestamp?: string; + reply_to?: { + /** + * The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. + */ + address?: string[]; + }; + + sender?: { + /** + * Per RFC 5322, specifies the address responsible for the actual transmission of the message. + */ + address?: string; + }; + + /** + * A brief summary of the topic of the message. + */ + subject?: string; + to?: { + /** + * The email address of recipient + */ + address?: string[]; + }; + + /** + * The name of the application that was used to draft and send the original email message. + */ + x_mailer?: string; +} diff --git a/packages/kbn-ecs/src/ecs/error.ts b/packages/kbn-ecs/generated/error.ts similarity index 52% rename from packages/kbn-ecs/src/ecs/error.ts rename to packages/kbn-ecs/generated/error.ts index ad5373b1bfea7..37266f4d4604f 100644 --- a/packages/kbn-ecs/src/ecs/error.ts +++ b/packages/kbn-ecs/generated/error.ts @@ -7,14 +7,28 @@ */ /** - * https://www.elastic.co/guide/en/ecs/master/ecs-error.html - * - * @internal + * These fields can represent errors of any kind. + * Use them for errors that happen while fetching events or in cases where the event itself contains an error. */ export interface EcsError { + /** + * Error code describing the error. + */ code?: string; + /** + * Unique identifier for the error. + */ id?: string; + /** + * Error message. + */ message?: string; + /** + * The stack trace of this error in plain text. + */ stack_trace?: string; + /** + * The type of the error, for example the class name of the exception. + */ type?: string; } diff --git a/packages/kbn-ecs/generated/event.ts b/packages/kbn-ecs/generated/event.ts new file mode 100644 index 0000000000000..bab8fe9dfa1ca --- /dev/null +++ b/packages/kbn-ecs/generated/event.ts 
@@ -0,0 +1,156 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The event fields are used for context information about the log or metric event itself. + * A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. + */ +export interface EcsEvent { + /** + * The action captured by the event. + * This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + */ + action?: string; + /** + * Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. + * For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. 
If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. + * If no validation is performed then the field should be omitted. + * The allowed values are: + * `verified` - The `agent.id` field value matches expected value obtained from auth metadata. + * `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. + * `missing` - There was no `agent.id` field in the event to validate. + * `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. + */ + agent_id_status?: string; + /** + * This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + * `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + * This field is an array. This will allow proper categorization of some events that fall in multiple categories. + */ + category?: string[]; + /** + * Identification code for this event, if one exists. + * Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + */ + code?: string; + /** + * event.created contains the date/time when the event was first read by an agent, or by your pipeline. + * This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + * In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
+ * In case the two timestamps are identical, @timestamp should be used. + */ + created?: string; + /** + * Name of the dataset. + * If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. + * It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. + */ + dataset?: string; + /** + * Duration of the event in nanoseconds. + * If event.start and event.end are known this value should be the difference between the end and start time. + */ + duration?: number; + /** + * event.end contains the date when the event ended or when the activity was last observed. + */ + end?: string; + /** + * Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + */ + hash?: string; + /** + * Unique ID to describe the event. + */ + id?: string; + /** + * Timestamp when an event arrived in the central data store. + * This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + * In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + */ + ingested?: string; + /** + * This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + * `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + * The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
+ */ + kind?: string; + /** + * Name of the module this data is coming from. + * If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. + */ + module?: string; + /** + * Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + * This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + */ + original?: string; + /** + * This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + * `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + * Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + * Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + * Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + */ + outcome?: string; + /** + * Source of the event. + * Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). 
+ */ + provider?: string; + /** + * Reason why this event happened, according to the source. + * This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + */ + reason?: string; + /** + * Reference URL linking to additional information about this event. + * This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + */ + reference?: string; + /** + * Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + */ + risk_score?: number; + /** + * Normalized risk score or priority of the event, on a scale of 0 to 100. + * This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + */ + risk_score_norm?: number; + /** + * Sequence number of the event. + * The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + */ + sequence?: number; + /** + * The numeric severity of the event according to your event source. + * What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + * The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
+ */ + severity?: number; + /** + * event.start contains the date when the event started or when the activity was first observed. + */ + start?: string; + /** + * This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + * Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + */ + timezone?: string; + /** + * This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + * `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + * This field is an array. This will allow proper categorization of some events that fall in multiple event types. + */ + type?: string[]; + /** + * URL linking to an external system to continue investigation of this event. + * This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + */ + url?: string; +} diff --git a/packages/kbn-ecs/generated/faas.ts b/packages/kbn-ecs/generated/faas.ts new file mode 100644 index 0000000000000..91704dd91348e --- /dev/null +++ b/packages/kbn-ecs/generated/faas.ts 
@@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The user fields describe information about the function as a service (FaaS) that is relevant to the event. + */ +export interface EcsFaas { + /** + * Boolean value indicating a cold start of a function. + */ + coldstart?: boolean; + /** + * The execution ID of the current function execution. + */ + execution?: string; + /** + * The unique identifier of a serverless function. + * For AWS Lambda it's the function ARN (Amazon Resource Name) without a version or alias suffix. + */ + id?: string; + /** + * The name of a serverless function. + */ + name?: string; + /** + * Details about the function trigger. + */ + trigger?: Record; + /** + * The version of a serverless function. + */ + version?: string; +} diff --git a/packages/kbn-ecs/generated/file.ts b/packages/kbn-ecs/generated/file.ts new file mode 100644 index 0000000000000..c759adace6246 --- /dev/null +++ b/packages/kbn-ecs/generated/file.ts 
@@ -0,0 +1,408 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * A file is defined as a set of information that has been created on, or has existed on a filesystem. + * File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + */ +export interface EcsFile { + /** + * Last time the file was accessed. + * Note that not all filesystems keep track of access time. + */ + accessed?: string; + /** + * Array of file attributes. + * Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + */ + attributes?: string[]; + code_signature?: { + /** + * The hashing algorithm used to sign the process. + * This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + */ + digest_algorithm?: string; + /** + * Boolean to capture if a signature is present. + */ + exists?: boolean; + /** + * The identifier used to sign the process. + * This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + */ + signing_id?: string; + /** + * Additional information about the certificate status. + * This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
+ */ + status?: string; + /** + * Subject name of the code signer + */ + subject_name?: string; + /** + * The team identifier used to sign the process. + * This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + */ + team_id?: string; + /** + * Date and time when the code signature was generated and signed. + */ + timestamp?: string; + /** + * Stores the trust status of the certificate chain. + * Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + */ + trusted?: boolean; + /** + * Boolean to capture if the digital signature is verified against the binary content. + * Leave unpopulated if a certificate was unchecked. + */ + valid?: boolean; + }; + + /** + * File creation time. + * Note that not all filesystems store the creation time. + */ + created?: string; + /** + * Last time the file attributes or metadata changed. + * Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + */ + ctime?: string; + /** + * Device that is the source of the file. + */ + device?: string; + /** + * Directory where the file is located. It should include the drive letter, when appropriate. + */ + directory?: string; + /** + * Drive letter where the file is located. This field is only relevant on Windows. + * The value should be uppercase, and not include the colon. + */ + drive_letter?: string; + elf?: { + /** + * Machine architecture of the ELF file. + */ + architecture?: string; + /** + * Byte sequence of ELF file. + */ + byte_order?: string; + /** + * CPU type of the ELF file. + */ + cpu_type?: string; + /** + * Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + */ + creation_date?: string; + /** + * List of exported element names and types. 
+ */ + exports?: Array>; + header?: { + /** + * Version of the ELF Application Binary Interface (ABI). + */ + abi_version?: string; + /** + * Header class of the ELF file. + */ + class?: string; + /** + * Data table of the ELF header. + */ + data?: string; + /** + * Header entrypoint of the ELF file. + */ + entrypoint?: number; + /** + * "0x1" for original ELF files. + */ + object_version?: string; + /** + * Application Binary Interface (ABI) of the Linux OS. + */ + os_abi?: string; + /** + * Header type of the ELF file. + */ + type?: string; + /** + * Version of the ELF header. + */ + version?: string; + }; + + /** + * List of imported element names and types. + */ + imports?: Array>; + /** + * An array containing an object for each section of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + */ + sections?: Array>; + /** + * An array containing an object for each segment of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + */ + segments?: Array>; + /** + * List of shared libraries used by this ELF object. + */ + shared_libraries?: string[]; + /** + * telfhash symbol hash for ELF file. + */ + telfhash?: string; + }; + + /** + * File extension, excluding the leading dot. + * Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + */ + extension?: string; + /** + * A fork is additional data associated with a filesystem object. + * On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. + * On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. 
An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + */ + fork_name?: string; + /** + * Primary group ID (GID) of the file. + */ + gid?: string; + /** + * Primary group name of the file. + */ + group?: string; + hash?: { + /** + * MD5 hash. + */ + md5?: string; + /** + * SHA1 hash. + */ + sha1?: string; + /** + * SHA256 hash. + */ + sha256?: string; + /** + * SHA384 hash. + */ + sha384?: string; + /** + * SHA512 hash. + */ + sha512?: string; + /** + * SSDEEP hash. + */ + ssdeep?: string; + /** + * TLSH hash. + */ + tlsh?: string; + }; + + /** + * Inode representing the file in the filesystem. + */ + inode?: string; + /** + * MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + */ + mime_type?: string; + /** + * Mode of the file in octal representation. + */ + mode?: string; + /** + * Last time the file content was modified. + */ + mtime?: string; + /** + * Name of the file including the extension, without the directory. + */ + name?: string; + /** + * File owner's username. + */ + owner?: string; + /** + * Full path to the file, including the file name. It should include the drive letter, when appropriate. + */ + path?: string; + pe?: { + /** + * CPU architecture target for the file. + */ + architecture?: string; + /** + * Internal company name of the file, provided at compile-time. + */ + company?: string; + /** + * Internal description of the file, provided at compile-time. + */ + description?: string; + /** + * Internal version of the file, provided at compile-time. 
+ */ + file_version?: string; + /** + * A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + */ + imphash?: string; + /** + * Internal name of the file, provided at compile-time. + */ + original_file_name?: string; + /** + * A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + * Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + */ + pehash?: string; + /** + * Internal product name of the file, provided at compile-time. + */ + product?: string; + }; + + /** + * File size in bytes. + * Only relevant when `file.type` is "file". + */ + size?: number; + /** + * Target path for symlinks. + */ + target_path?: string; + /** + * File type (file, dir, or symlink). + */ + type?: string; + /** + * The user ID (UID) or security identifier (SID) of the file owner. + */ + uid?: string; + x509?: { + /** + * List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + */ + alternative_names?: string[]; + issuer?: { + /** + * List of common name (CN) of issuing certificate authority. + */ + common_name?: string[]; + /** + * List of country \(C) codes + */ + country?: string[]; + /** + * Distinguished name (DN) of issuing certificate authority. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of issuing certificate authority. 
+ */ + organization?: string[]; + /** + * List of organizational units (OU) of issuing certificate authority. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Time at which the certificate is no longer considered valid. + */ + not_after?: string; + /** + * Time at which the certificate is first considered valid. + */ + not_before?: string; + /** + * Algorithm used to generate the public key. + */ + public_key_algorithm?: string; + /** + * The curve used by the elliptic curve public key algorithm. This is algorithm specific. + */ + public_key_curve?: string; + /** + * Exponent used to derive the public key. This is algorithm specific. + */ + public_key_exponent?: number; + /** + * The size of the public key space in bits. + */ + public_key_size?: number; + /** + * Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + */ + serial_number?: string; + /** + * Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + */ + signature_algorithm?: string; + subject?: { + /** + * List of common names (CN) of subject. + */ + common_name?: string[]; + /** + * List of country \(C) code + */ + country?: string[]; + /** + * Distinguished name (DN) of the certificate subject entity. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of subject. + */ + organization?: string[]; + /** + * List of organizational units (OU) of subject. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Version of x509 format. + */ + version_number?: string; + }; +} 
diff --git a/packages/kbn-ecs/generated/geo.ts b/packages/kbn-ecs/generated/geo.ts new file mode 100644 index 0000000000000..bbb2cfdd67552 --- /dev/null +++ b/packages/kbn-ecs/generated/geo.ts @@ -0,0 +1,61 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Geo fields can carry data about a specific location related to an event. + * This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + */ +export interface EcsGeo { + /** + * City name. + */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. + * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. + */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; +} 
diff --git a/packages/kbn-ecs/src/ecs/group.ts b/packages/kbn-ecs/generated/group.ts similarity index 58% rename from packages/kbn-ecs/src/ecs/group.ts rename to packages/kbn-ecs/generated/group.ts index fe91ce82b64cb..64af8ae4b9176 100644 --- a/packages/kbn-ecs/src/ecs/group.ts +++ b/packages/kbn-ecs/generated/group.ts @@ -7,12 +7,20 @@ */ /** - * https://www.elastic.co/guide/en/ecs/master/ecs-group.html - * - * @internal + * The group fields are meant to represent groups that are relevant to the event. */ export interface EcsGroup { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ id?: string; + /** + * Name of the group. + */ name?: string; } diff --git a/packages/kbn-ecs/generated/hash.ts b/packages/kbn-ecs/generated/hash.ts new file mode 100644 index 0000000000000..9e744fe84a6b3 --- /dev/null +++ b/packages/kbn-ecs/generated/hash.ts 
@@ -0,0 +1,43 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The hash fields represent different bitwise hash algorithms and their values. + * Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + * Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). + */ +export interface EcsHash { + /** + * MD5 hash. + */ + md5?: string; + /** + * SHA1 hash. + */ + sha1?: string; + /** + * SHA256 hash. + */ + sha256?: string; + /** + * SHA384 hash. + */ + sha384?: string; + /** + * SHA512 hash. + */ + sha512?: string; + /** + * SSDEEP hash. + */ + ssdeep?: string; + /** + * TLSH hash. + */ + tlsh?: string; +} diff --git a/packages/kbn-ecs/generated/host.ts b/packages/kbn-ecs/generated/host.ts new file mode 100644 index 0000000000000..aa2f082dbb60e --- /dev/null +++ b/packages/kbn-ecs/generated/host.ts 
@@ -0,0 +1,226 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * A host is defined as a general computing instance. + * ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + */ +export interface EcsHost { + /** + * Operating system architecture. + */ + architecture?: string; + boot?: { + /** + * Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. + */ + id?: string; + }; + + cpu?: { + /** + * Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. + * Scaling factor: 1000. + * For example: For a two core host, this value should be the average of the two cores, between 0 and 1. + */ + usage?: number; + }; + + disk?: { + read?: { + /** + * The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. + */ + bytes?: number; + }; + + write?: { + /** + * The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. + */ + bytes?: number; + }; + }; + + /** + * Name of the domain of which the host is a member. + * For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + */ + domain?: string; + geo?: { + /** + * City name. 
+ */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. + * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. + */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; + }; + + /** + * Hostname of the host. + * It normally contains what the `hostname` command returns on the host machine. + */ + hostname?: string; + /** + * Unique host id. + * As hostname is not always unique, use values that are meaningful in your environment. + * Example: The current usage of `beat.name`. + */ + id?: string; + /** + * Host ip addresses. + */ + ip?: string[]; + /** + * Host MAC addresses. + * The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + */ + mac?: string[]; + /** + * Name of the host. + * It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
+ */ + name?: string; + network?: { + egress?: { + /** + * The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. + */ + bytes?: number; + /** + * The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. + */ + packets?: number; + }; + + ingress?: { + /** + * The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. + */ + bytes?: number; + /** + * The number of packets (gauge) received on all network interfaces by the host since the last metric collection. + */ + packets?: number; + }; + }; + + os?: { + /** + * OS family (such as redhat, debian, freebsd, windows). + */ + family?: string; + /** + * Operating system name, including the version or code name. + */ + full?: string; + /** + * Operating system kernel version as a raw string. + */ + kernel?: string; + /** + * Operating system name, without the version. + */ + name?: string; + /** + * Operating system platform (such centos, ubuntu, windows). + */ + platform?: string; + /** + * Use the `os.type` field to categorize the operating system into one of the broad commercial families. + * If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + */ + type?: string; + /** + * Operating system version as a raw string. + */ + version?: string; + }; + + /** + * This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. + */ + pid_ns_ino?: string; + risk?: { + /** + * A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + */ + calculated_level?: string; + /** + * A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ */ + calculated_score?: number; + /** + * A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + */ + calculated_score_norm?: number; + /** + * A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + */ + static_level?: string; + /** + * A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + */ + static_score?: number; + /** + * A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + */ + static_score_norm?: number; + }; + + /** + * Type of host. + * For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + */ + type?: string; + /** + * Seconds the host has been up. + */ + uptime?: number; +} diff --git a/packages/kbn-ecs/generated/http.ts b/packages/kbn-ecs/generated/http.ts new file mode 100644 index 0000000000000..d1a464ffaad95 --- /dev/null +++ b/packages/kbn-ecs/generated/http.ts 
@@ -0,0 +1,81 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields related to HTTP activity. Use the `url` field set to store the url of the request. + */ +export interface EcsHttp { + request?: { + body?: { + /** + * Size in bytes of the request body. + */ + bytes?: number; + /** + * The full HTTP request body. + */ + content?: string; + }; + + /** + * Total size in bytes of the request (body and headers). + */ + bytes?: number; + /** + * A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. + * The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + */ + id?: string; + /** + * HTTP request method. + * The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + */ + method?: string; + /** + * Mime type of the body of the request. + * This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. + */ + mime_type?: string; + /** + * Referrer for this HTTP request. + */ + referrer?: string; + }; + + response?: { + body?: { + /** + * Size in bytes of the response body. + */ + bytes?: number; + /** + * The full HTTP response body. + */ + content?: string; + }; + + /** + * Total size in bytes of the response (body and headers). + */ + bytes?: number; + /** + * Mime type of the body of the response. 
+ * This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. + */ + mime_type?: string; + /** + * HTTP response status code. + */ + status_code?: number; + }; + + /** + * HTTP version. + */ + version?: string; +} diff --git a/packages/kbn-ecs/src/ecs/index.ts b/packages/kbn-ecs/generated/index.ts similarity index 78% rename from packages/kbn-ecs/src/ecs/index.ts rename to packages/kbn-ecs/generated/index.ts index e47671515b3de..7b6b198cf2c37 100644 --- a/packages/kbn-ecs/src/ecs/index.ts +++ b/packages/kbn-ecs/generated/index.ts 
@@ -6,33 +6,43 @@ * Side Public License, v 1. */ -import { EcsBase } from './base'; - import { EcsAgent } from './agent'; -import { EcsAutonomousSystem } from './autonomous_system'; +import { EcsAs } from './as'; +import { EcsBase } from './base'; import { EcsClient } from './client'; import { EcsCloud } from './cloud'; +import { EcsCodeSignature } from './code_signature'; import { EcsContainer } from './container'; import { EcsDataStream } from './data_stream'; import { EcsDestination } from './destination'; +import { EcsDevice } from './device'; +import { EcsDll } from './dll'; import { EcsDns } from './dns'; +import { EcsEcs } from './ecs'; +import { EcsElf } from './elf'; import { EcsEmail } from './email'; import { EcsError } from './error'; import { EcsEvent } from './event'; import { EcsFaas } from './faas'; import { EcsFile } from './file'; +import { EcsGeo } from './geo'; import { EcsGroup } from './group'; +import { EcsHash } from './hash'; import { EcsHost } from './host'; import { EcsHttp } from './http'; +import { EcsInterface } from './interface'; import { EcsLog } from './log'; import { EcsNetwork } from './network'; import { EcsObserver } from './observer'; import { EcsOrchestrator } from './orchestrator'; import { EcsOrganization } from './organization'; +import { EcsOs } from './os'; import { EcsPackage } from './package'; +import { EcsPe } from './pe'; import { EcsProcess } from './process'; import { EcsRegistry } from './registry'; import { EcsRelated } from './related'; +import { EcsRisk } from './risk'; import { EcsRule } from './rule'; import { EcsServer } from './server'; import { EcsService } from './service'; 
@@ -43,34 +53,56 @@ import { EcsTracing } from './tracing'; import { EcsUrl } from './url'; import { EcsUser } from './user'; import { EcsUserAgent } from './user_agent'; +import { EcsVlan } from './vlan'; import { EcsVulnerability } from './vulnerability'; +import { EcsX509 } from './x509'; + +export const EcsVersion = '8.6.0' as const; + +/** + * Exporting raw schema files for easy programmatic use + */ +export { EcsFlat } from './ecs_flat'; +export { EcsNested } from './ecs_nested'; export type { EcsAgent, - EcsAutonomousSystem, + EcsAs, EcsBase, EcsClient, EcsCloud, + EcsCodeSignature, EcsContainer, EcsDataStream, EcsDestination, + EcsDevice, + EcsDll, EcsDns, + EcsEcs, + EcsElf, EcsEmail, EcsError, + EcsEvent, EcsFaas, EcsFile, + EcsGeo, EcsGroup, + EcsHash, EcsHost, EcsHttp, + EcsInterface, EcsLog, EcsNetwork, EcsObserver, EcsOrchestrator, EcsOrganization, + EcsOs, EcsPackage, + EcsPe, EcsProcess, EcsRegistry, EcsRelated, + EcsRisk, EcsRule, EcsServer, EcsService, @@ -81,45 +113,23 @@ export type { EcsUrl, EcsUser, EcsUserAgent, + EcsVlan, EcsVulnerability, + EcsX509, }; -export type { - EcsEvent, - EcsEventCategory, - EcsEventKind, - EcsEventOutcome, - EcsEventType, -} from './event'; - -interface EcsField { - /** - * These typings were written as of ECS 8.4.0. - * Don't change this value without checking the rest - * of the types to conform to that ECS version. - * - * https://www.elastic.co/guide/en/ecs/master/index.html - */ - version: '8.4.0'; -} - -/** - * Represents the full ECS schema. - * - * @public - */ export type Ecs = EcsBase & EcsTracing & { - ecs: EcsField; - agent?: EcsAgent; - as?: EcsAutonomousSystem; client?: EcsClient; cloud?: EcsCloud; container?: EcsContainer; data_stream?: EcsDataStream; destination?: EcsDestination; + device?: EcsDevice; + dll?: EcsDll; dns?: EcsDns; + ecs: EcsEcs; email?: EcsEmail; error?: EcsError; event?: EcsEvent; 
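Review bot: `EcsMacho` is absent from this `export type { … }` list and from the import block in the first hunk of this file, even though the same change adds `generated/macho.ts` and the sibling binary-format types `EcsElf` and `EcsPe` are both imported and re-exported. As written, the Mach-O field types cannot be reached through the package entry point. Because the file lives under `generated/`, the fix presumably belongs in the generator's field-set list rather than in a hand edit. The emitted output should gain `import { EcsMacho } from './macho';` and an `EcsMacho,` entry between `EcsLog` and `EcsNetwork`.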
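Review bot: The last hunk removes `export type { EcsEvent, EcsEventCategory, EcsEventKind, EcsEventOutcome, EcsEventType } from './event';` and only `EcsEvent` reappears in the main export list, so the four value-union types are no longer exported from the entry point. Code that used them to constrain `event.kind`, `event.category`, `event.type` or `event.outcome` at compile time would stop building or fall back to plain strings; whether any such callers exist is not visible here. If the generated `event.ts` still declares them, keep `export type { EcsEventCategory, EcsEventKind, EcsEventOutcome, EcsEventType } from './event';`; otherwise have the generator emit them. The `Ecs` type also loses its `@public` doc comment in this hunk, and its body continues past the hunk.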
diff --git a/packages/kbn-ecs/generated/interface.ts b/packages/kbn-ecs/generated/interface.ts new file mode 100644 index 0000000000000..c6ad119c2b144 --- /dev/null +++ b/packages/kbn-ecs/generated/interface.ts @@ -0,0 +1,25 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + */ +export interface EcsInterface { + /** + * Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + */ + alias?: string; + /** + * Interface ID as reported by an observer (typically SNMP interface ID). + */ + id?: string; + /** + * Interface name as reported by the system. + */ + name?: string; +} diff --git a/packages/kbn-ecs/generated/log.ts b/packages/kbn-ecs/generated/log.ts new file mode 100644 index 0000000000000..ae4e84b2975f2 --- /dev/null +++ b/packages/kbn-ecs/generated/log.ts 
@@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Details about the event's logging mechanism or logging transport. + * The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. + * The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + */ +export interface EcsLog { + file?: { + /** + * Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + * If the event wasn't read from a log file, do not populate this field. + */ + path?: string; + }; + + /** + * Original log level of the log event. + * If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + * Some examples are `warn`, `err`, `i`, `informational`. + */ + level?: string; + /** + * The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + */ + logger?: string; + origin?: { + file?: { + /** + * The line number of the file containing the source code which originated the log event. + */ + line?: number; + /** + * The name of the file containing the source code which originated the log event. + * Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. 
+ */ + name?: string; + }; + + /** + * The name of the function or method which originated the log event. + */ + function?: string; + }; + + /** + * The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + */ + syslog?: Record; +} diff --git a/packages/kbn-ecs/generated/macho.ts b/packages/kbn-ecs/generated/macho.ts new file mode 100644 index 0000000000000..4f6ae41df01b3 --- /dev/null +++ b/packages/kbn-ecs/generated/macho.ts 
@@ -0,0 +1,61 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * These fields contain Mac OS Mach Object file format (Mach-O) metadata. + */ +export interface EcsMacho { + /** + * A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). + */ + go_import_hash?: string; + /** + * List of imported Go language element names and types. + */ + go_imports?: Record; + /** + * Shannon entropy calculation from the list of Go imports. + */ + go_imports_names_entropy?: number; + /** + * Variance for Shannon entropy calculation from the list of Go imports. + */ + go_imports_names_var_entropy?: number; + /** + * Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. + */ + go_stripped?: boolean; + /** + * A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * This is a synonym for symhash. + */ + import_hash?: string; + /** + * List of imported element names and types. + */ + imports?: Record; + /** + * Shannon entropy calculation from the list of imported element names and types. 
+ */ + imports_names_entropy?: number; + /** + * Variance for Shannon entropy calculation from the list of imported element names and types. + */ + imports_names_var_entropy?: number; + /** + * An array containing an object for each section of the Mach-O file. + * The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`. + */ + sections?: Record; + /** + * A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * This is a Mach-O implementation of the Windows PE imphash + */ + symhash?: string; +} diff --git a/packages/kbn-ecs/generated/network.ts b/packages/kbn-ecs/generated/network.ts new file mode 100644 index 0000000000000..3fbcaddfa5fab --- /dev/null +++ b/packages/kbn-ecs/generated/network.ts 
@@ -0,0 +1,83 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The network is defined as the communication path over which a host or network event happens. + * The network.* fields should be populated with details about the network activity associated with an event. + */ +export interface EcsNetwork { + /** + * When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + * For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + * The field value must be normalized to lowercase for querying. + */ + application?: string; + /** + * Total bytes transferred in both directions. + * If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + */ + bytes?: number; + /** + * A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + * Learn more at https://github.com/corelight/community-id-spec. + */ + community_id?: string; + /** + * Direction of the network traffic. + * When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + * When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
+ * Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + */ + direction?: string; + /** + * Host IP address when the source IP address is the proxy. + */ + forwarded_ip?: string; + /** + * IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + */ + iana_number?: string; + /** + * Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + */ + inner?: Record; + /** + * Name given by operators to sections of their network. + */ + name?: string; + /** + * Total packets transferred in both directions. + * If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + */ + packets?: number; + /** + * In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + * The field value must be normalized to lowercase for querying. + */ + protocol?: string; + /** + * Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + * The field value must be normalized to lowercase for querying. + */ + transport?: string; + /** + * In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + * The field value must be normalized to lowercase for querying. + */ + type?: string; + vlan?: { + /** + * VLAN ID as reported by the observer. 
+ */ + id?: string; + /** + * Optional VLAN name as reported by the observer. + */ + name?: string; + }; +} diff --git a/packages/kbn-ecs/generated/observer.ts b/packages/kbn-ecs/generated/observer.ts new file mode 100644 index 0000000000000..ae4c6f5b8e47a --- /dev/null +++ b/packages/kbn-ecs/generated/observer.ts 
@@ -0,0 +1,144 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. + * This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + */ +export interface EcsObserver { + /** + * Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + */ + egress?: Record; + geo?: { + /** + * City name. + */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. 
+ * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. + */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; + }; + + /** + * Hostname of the observer. + */ + hostname?: string; + /** + * Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + */ + ingress?: Record; + /** + * IP addresses of the observer. + */ + ip?: string[]; + /** + * MAC addresses of the observer. + * The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + */ + mac?: string[]; + /** + * Custom name of the observer. + * This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + * If no custom name is needed, the field can be left empty. + */ + name?: string; + os?: { + /** + * OS family (such as redhat, debian, freebsd, windows). + */ + family?: string; + /** + * Operating system name, including the version or code name. + */ + full?: string; + /** + * Operating system kernel version as a raw string. + */ + kernel?: string; + /** + * Operating system name, without the version. 
+ */ + name?: string; + /** + * Operating system platform (such centos, ubuntu, windows). + */ + platform?: string; + /** + * Use the `os.type` field to categorize the operating system into one of the broad commercial families. + * If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + */ + type?: string; + /** + * Operating system version as a raw string. + */ + version?: string; + }; + + /** + * The product name of the observer. + */ + product?: string; + /** + * Observer serial number. + */ + serial_number?: string; + /** + * The type of the observer the data is coming from. + * There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + */ + type?: string; + /** + * Vendor name of the observer. + */ + vendor?: string; + /** + * Observer version. + */ + version?: string; +} diff --git a/packages/kbn-ecs/generated/orchestrator.ts b/packages/kbn-ecs/generated/orchestrator.ts new file mode 100644 index 0000000000000..386f182209a29 --- /dev/null +++ b/packages/kbn-ecs/generated/orchestrator.ts 
@@ -0,0 +1,74 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields that describe the resources which container orchestrators manage or act upon. + */ +export interface EcsOrchestrator { + /** + * API version being used to carry out the action + */ + api_version?: string; + cluster?: { + /** + * Unique ID of the cluster. + */ + id?: string; + /** + * Name of the cluster. + */ + name?: string; + /** + * URL of the API used to manage the cluster. + */ + url?: string; + /** + * The version of the cluster. + */ + version?: string; + }; + + /** + * Namespace in which the action is taking place. + */ + namespace?: string; + /** + * Organization affected by the event (for multi-tenant orchestrator setups). + */ + organization?: string; + resource?: { + /** + * Unique ID of the resource being acted upon. + */ + id?: string; + /** + * IP address assigned to the resource associated with the event being observed. In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running). + */ + ip?: string[]; + /** + * Name of the resource being acted upon. + */ + name?: string; + parent?: { + /** + * Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet). + */ + type?: string; + }; + + /** + * Type of resource being acted upon. + */ + type?: string; + }; + + /** + * Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). + */ + type?: string; +} 
diff --git a/packages/kbn-ecs/src/ecs/organization.ts b/packages/kbn-ecs/generated/organization.ts similarity index 58% rename from packages/kbn-ecs/src/ecs/organization.ts rename to packages/kbn-ecs/generated/organization.ts index e42e04a33e0bc..1d07ba866405f 100644 --- a/packages/kbn-ecs/src/ecs/organization.ts +++ b/packages/kbn-ecs/generated/organization.ts @@ -7,11 +7,16 @@ */ /** - * https://www.elastic.co/guide/en/ecs/master/ecs-organization.html - * - * @internal + * The organization fields enrich data with information about the company or entity the data is associated with. + * These fields help you arrange or filter data stored in an index by one or multiple organizations. */ export interface EcsOrganization { + /** + * Unique identifier for the organization. + */ id?: string; + /** + * Organization name. + */ name?: string; } diff --git a/packages/kbn-ecs/generated/os.ts b/packages/kbn-ecs/generated/os.ts new file mode 100644 index 0000000000000..120c73163a9df --- /dev/null +++ b/packages/kbn-ecs/generated/os.ts 
@@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The OS fields contain information about the operating system. + */ +export interface EcsOs { + /** + * OS family (such as redhat, debian, freebsd, windows). + */ + family?: string; + /** + * Operating system name, including the version or code name. + */ + full?: string; + /** + * Operating system kernel version as a raw string. + */ + kernel?: string; + /** + * Operating system name, without the version. + */ + name?: string; + /** + * Operating system platform (such centos, ubuntu, windows). + */ + platform?: string; + /** + * Use the `os.type` field to categorize the operating system into one of the broad commercial families. + * If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + */ + type?: string; + /** + * Operating system version as a raw string. + */ + version?: string; +} diff --git a/packages/kbn-ecs/generated/package.ts b/packages/kbn-ecs/generated/package.ts new file mode 100644 index 0000000000000..95b6708dc1c76 --- /dev/null +++ b/packages/kbn-ecs/generated/package.ts 
@@ -0,0 +1,68 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. + */ +export interface EcsPackage { + /** + * Package architecture. + */ + architecture?: string; + /** + * Additional information about the build version of the installed package. + * For example use the commit SHA of a non-released package. + */ + build_version?: string; + /** + * Checksum of the installed package for verification. + */ + checksum?: string; + /** + * Description of the package. + */ + description?: string; + /** + * Indicating how the package was installed, e.g. user-local, global. + */ + install_scope?: string; + /** + * Time when package was installed. + */ + installed?: string; + /** + * License under which the package was released. + * Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + */ + license?: string; + /** + * Package name + */ + name?: string; + /** + * Path where the package is installed. + */ + path?: string; + /** + * Home page or reference URL of the software in this package, if available. + */ + reference?: string; + /** + * Package size in bytes. + */ + size?: number; + /** + * Type of package. + * This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + */ + type?: string; + /** + * Package version + */ + version?: string; +} 
diff --git a/packages/kbn-ecs/generated/pe.ts b/packages/kbn-ecs/generated/pe.ts new file mode 100644 index 0000000000000..91ba52d8f4a11 --- /dev/null +++ b/packages/kbn-ecs/generated/pe.ts @@ -0,0 +1,47 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * These fields contain Windows Portable Executable (PE) metadata. + */ +export interface EcsPe { + /** + * CPU architecture target for the file. + */ + architecture?: string; + /** + * Internal company name of the file, provided at compile-time. + */ + company?: string; + /** + * Internal description of the file, provided at compile-time. + */ + description?: string; + /** + * Internal version of the file, provided at compile-time. + */ + file_version?: string; + /** + * A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + */ + imphash?: string; + /** + * Internal name of the file, provided at compile-time. + */ + original_file_name?: string; + /** + * A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + * Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + */ + pehash?: string; + /** + * Internal product name of the file, provided at compile-time. + */ + product?: string; +} 
diff --git a/packages/kbn-ecs/generated/process.ts b/packages/kbn-ecs/generated/process.ts new file mode 100644 index 0000000000000..fad38c5e9775f --- /dev/null +++ b/packages/kbn-ecs/generated/process.ts 
@@ -0,0 +1,1283 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * These fields contain information about a process. + * These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + */ +export interface EcsProcess { + /** + * Array of process arguments, starting with the absolute path to the executable. + * May be filtered to protect sensitive information. + */ + args?: string[]; + /** + * Length of the process.args array. + * This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + */ + args_count?: number; + code_signature?: { + /** + * The hashing algorithm used to sign the process. + * This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + */ + digest_algorithm?: string; + /** + * Boolean to capture if a signature is present. + */ + exists?: boolean; + /** + * The identifier used to sign the process. + * This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + */ + signing_id?: string; + /** + * Additional information about the certificate status. + * This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
+ */ + status?: string; + /** + * Subject name of the code signer + */ + subject_name?: string; + /** + * The team identifier used to sign the process. + * This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + */ + team_id?: string; + /** + * Date and time when the code signature was generated and signed. + */ + timestamp?: string; + /** + * Stores the trust status of the certificate chain. + * Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + */ + trusted?: boolean; + /** + * Boolean to capture if the digital signature is verified against the binary content. + * Leave unpopulated if a certificate was unchecked. + */ + valid?: boolean; + }; + + /** + * Full command line that started the process, including the absolute path to the executable, and all arguments. + * Some arguments may be filtered to protect sensitive information. + */ + command_line?: string; + elf?: { + /** + * Machine architecture of the ELF file. + */ + architecture?: string; + /** + * Byte sequence of ELF file. + */ + byte_order?: string; + /** + * CPU type of the ELF file. + */ + cpu_type?: string; + /** + * Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + */ + creation_date?: string; + /** + * List of exported element names and types. + */ + exports?: Array>; + header?: { + /** + * Version of the ELF Application Binary Interface (ABI). + */ + abi_version?: string; + /** + * Header class of the ELF file. + */ + class?: string; + /** + * Data table of the ELF header. + */ + data?: string; + /** + * Header entrypoint of the ELF file. + */ + entrypoint?: number; + /** + * "0x1" for original ELF files. + */ + object_version?: string; + /** + * Application Binary Interface (ABI) of the Linux OS. + */ + os_abi?: string; + /** + * Header type of the ELF file. 
+ */ + type?: string; + /** + * Version of the ELF header. + */ + version?: string; + }; + + /** + * List of imported element names and types. + */ + imports?: Array>; + /** + * An array containing an object for each section of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + */ + sections?: Array>; + /** + * An array containing an object for each segment of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + */ + segments?: Array>; + /** + * List of shared libraries used by this ELF object. + */ + shared_libraries?: string[]; + /** + * telfhash symbol hash for ELF file. + */ + telfhash?: string; + }; + + /** + * The time the process ended. + */ + end?: string; + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + entry_leader?: { + /** + * Array of process arguments, starting with the absolute path to the executable. + * May be filtered to protect sensitive information. + */ + args?: string[]; + /** + * Length of the process.args array. + * This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + */ + args_count?: number; + attested_groups?: { + /** + * Name of the group. + */ + name?: string; + }; + + attested_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. 
+ */ + name?: string; + }; + + /** + * Full command line that started the process, including the absolute path to the executable, and all arguments. + * Some arguments may be filtered to protect sensitive information. + */ + command_line?: string; + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + entry_meta?: { + source?: { + /** + * IP address of the source (IPv4 or IPv6). + */ + ip?: string; + }; + + /** + * The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console + * Note: This field is only set on process.session_leader. + */ + type?: string; + }; + + /** + * Absolute path to the process executable. + */ + executable?: string; + group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Whether the process is connected to an interactive shell. + * Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + * Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + */ + interactive?: boolean; + /** + * Process name. 
+ * Sometimes called program name or similar. + */ + name?: string; + parent?: { + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Process id. + */ + pid?: number; + session_leader?: { + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Process id. + */ + pid?: number; + /** + * The time the process started. + */ + start?: string; + }; + + /** + * The time the process started. + */ + start?: string; + }; + + /** + * Process id. + */ + pid?: number; + real_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + real_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * This boolean is used to identify if a leader process is the same as the top level process. + * For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. 
Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. + * This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) + * Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` + * Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. + */ + same_as_process?: boolean; + saved_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + saved_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The time the process started. + */ + start?: string; + supplemental_groups?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Information about the controlling TTY device. If set, the process belongs to an interactive session. + */ + tty?: Record; + user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The working directory of the process. + */ + working_directory?: string; + }; + + /** + * Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. + * May be filtered to protect sensitive information. + */ + env_vars?: string[]; + /** + * Absolute path to the process executable. 
+ */ + executable?: string; + /** + * The exit code of the process, if this is a termination event. + * The field should be absent if there is no exit code for the event (e.g. process start). + */ + exit_code?: number; + group_leader?: { + /** + * Array of process arguments, starting with the absolute path to the executable. + * May be filtered to protect sensitive information. + */ + args?: string[]; + /** + * Length of the process.args array. + * This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + */ + args_count?: number; + /** + * Full command line that started the process, including the absolute path to the executable, and all arguments. + * Some arguments may be filtered to protect sensitive information. + */ + command_line?: string; + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Absolute path to the process executable. + */ + executable?: string; + group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Whether the process is connected to an interactive shell. + * Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. 
+ * Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + */ + interactive?: boolean; + /** + * Process name. + * Sometimes called program name or similar. + */ + name?: string; + /** + * Process id. + */ + pid?: number; + real_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + real_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * This boolean is used to identify if a leader process is the same as the top level process. + * For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. + * This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) + * Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` + * Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. + */ + same_as_process?: boolean; + saved_group?: { + /** + * Unique identifier for the group on the system/platform. 
+ */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + saved_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The time the process started. + */ + start?: string; + supplemental_groups?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Information about the controlling TTY device. If set, the process belongs to an interactive session. + */ + tty?: Record; + user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The working directory of the process. + */ + working_directory?: string; + }; + + hash?: { + /** + * MD5 hash. + */ + md5?: string; + /** + * SHA1 hash. + */ + sha1?: string; + /** + * SHA256 hash. + */ + sha256?: string; + /** + * SHA384 hash. + */ + sha384?: string; + /** + * SHA512 hash. + */ + sha512?: string; + /** + * SSDEEP hash. + */ + ssdeep?: string; + /** + * TLSH hash. + */ + tlsh?: string; + }; + + /** + * Whether the process is connected to an interactive shell. + * Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + * Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + */ + interactive?: boolean; + /** + * A chunk of input or output (IO) from a single process. + * This field only appears on the top level process object, which is the process that wrote the output or read the input. 
+ */ + io?: Record; + /** + * Process name. + * Sometimes called program name or similar. + */ + name?: string; + parent?: { + /** + * Array of process arguments, starting with the absolute path to the executable. + * May be filtered to protect sensitive information. + */ + args?: string[]; + /** + * Length of the process.args array. + * This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + */ + args_count?: number; + code_signature?: { + /** + * The hashing algorithm used to sign the process. + * This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + */ + digest_algorithm?: string; + /** + * Boolean to capture if a signature is present. + */ + exists?: boolean; + /** + * The identifier used to sign the process. + * This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + */ + signing_id?: string; + /** + * Additional information about the certificate status. + * This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + */ + status?: string; + /** + * Subject name of the code signer + */ + subject_name?: string; + /** + * The team identifier used to sign the process. + * This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + */ + team_id?: string; + /** + * Date and time when the code signature was generated and signed. + */ + timestamp?: string; + /** + * Stores the trust status of the certificate chain. + * Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+ */ + trusted?: boolean; + /** + * Boolean to capture if the digital signature is verified against the binary content. + * Leave unpopulated if a certificate was unchecked. + */ + valid?: boolean; + }; + + /** + * Full command line that started the process, including the absolute path to the executable, and all arguments. + * Some arguments may be filtered to protect sensitive information. + */ + command_line?: string; + elf?: { + /** + * Machine architecture of the ELF file. + */ + architecture?: string; + /** + * Byte sequence of ELF file. + */ + byte_order?: string; + /** + * CPU type of the ELF file. + */ + cpu_type?: string; + /** + * Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + */ + creation_date?: string; + /** + * List of exported element names and types. + */ + exports?: Array>; + header?: { + /** + * Version of the ELF Application Binary Interface (ABI). + */ + abi_version?: string; + /** + * Header class of the ELF file. + */ + class?: string; + /** + * Data table of the ELF header. + */ + data?: string; + /** + * Header entrypoint of the ELF file. + */ + entrypoint?: number; + /** + * "0x1" for original ELF files. + */ + object_version?: string; + /** + * Application Binary Interface (ABI) of the Linux OS. + */ + os_abi?: string; + /** + * Header type of the ELF file. + */ + type?: string; + /** + * Version of the ELF header. + */ + version?: string; + }; + + /** + * List of imported element names and types. + */ + imports?: Array>; + /** + * An array containing an object for each section of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + */ + sections?: Array>; + /** + * An array containing an object for each segment of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. 
+ */ + segments?: Array>; + /** + * List of shared libraries used by this ELF object. + */ + shared_libraries?: string[]; + /** + * telfhash symbol hash for ELF file. + */ + telfhash?: string; + }; + + /** + * The time the process ended. + */ + end?: string; + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Absolute path to the process executable. + */ + executable?: string; + /** + * The exit code of the process, if this is a termination event. + * The field should be absent if there is no exit code for the event (e.g. process start). + */ + exit_code?: number; + group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + group_leader?: { + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Process id. + */ + pid?: number; + /** + * The time the process started. + */ + start?: string; + }; + + hash?: { + /** + * MD5 hash. + */ + md5?: string; + /** + * SHA1 hash. + */ + sha1?: string; + /** + * SHA256 hash. + */ + sha256?: string; + /** + * SHA384 hash. + */ + sha384?: string; + /** + * SHA512 hash. 
+ */ + sha512?: string; + /** + * SSDEEP hash. + */ + ssdeep?: string; + /** + * TLSH hash. + */ + tlsh?: string; + }; + + /** + * Whether the process is connected to an interactive shell. + * Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + * Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + */ + interactive?: boolean; + /** + * Process name. + * Sometimes called program name or similar. + */ + name?: string; + pe?: { + /** + * CPU architecture target for the file. + */ + architecture?: string; + /** + * Internal company name of the file, provided at compile-time. + */ + company?: string; + /** + * Internal description of the file, provided at compile-time. + */ + description?: string; + /** + * Internal version of the file, provided at compile-time. + */ + file_version?: string; + /** + * A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + */ + imphash?: string; + /** + * Internal name of the file, provided at compile-time. + */ + original_file_name?: string; + /** + * A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. 
+ * Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + */ + pehash?: string; + /** + * Internal product name of the file, provided at compile-time. + */ + product?: string; + }; + + /** + * Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + * Identifier of the group of processes the process belongs to. + */ + pgid?: number; + /** + * Process id. + */ + pid?: number; + real_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + real_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + saved_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + saved_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The time the process started. + */ + start?: string; + supplemental_groups?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + thread?: { + /** + * Thread ID. + */ + id?: number; + /** + * Thread name. + */ + name?: string; + }; + + /** + * Process title. + * The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + */ + title?: string; + /** + * Information about the controlling TTY device. If set, the process belongs to an interactive session. + */ + tty?: Record; + /** + * Seconds the process has been up. + */ + uptime?: number; + user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. 
+ */ + name?: string; + }; + + /** + * The working directory of the process. + */ + working_directory?: string; + }; + + pe?: { + /** + * CPU architecture target for the file. + */ + architecture?: string; + /** + * Internal company name of the file, provided at compile-time. + */ + company?: string; + /** + * Internal description of the file, provided at compile-time. + */ + description?: string; + /** + * Internal version of the file, provided at compile-time. + */ + file_version?: string; + /** + * A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + */ + imphash?: string; + /** + * Internal name of the file, provided at compile-time. + */ + original_file_name?: string; + /** + * A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + * Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + */ + pehash?: string; + /** + * Internal product name of the file, provided at compile-time. + */ + product?: string; + }; + + /** + * Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + * Identifier of the group of processes the process belongs to. + */ + pgid?: number; + /** + * Process id. + */ + pid?: number; + previous?: { + /** + * Array of process arguments, starting with the absolute path to the executable. + * May be filtered to protect sensitive information. + */ + args?: string[]; + /** + * Length of the process.args array. + * This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity. + */ + args_count?: number; + /** + * Absolute path to the process executable. + */ + executable?: string; + }; + + real_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + real_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + saved_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + saved_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + session_leader?: { + /** + * Array of process arguments, starting with the absolute path to the executable. + * May be filtered to protect sensitive information. + */ + args?: string[]; + /** + * Length of the process.args array. + * This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + */ + args_count?: number; + /** + * Full command line that started the process, including the absolute path to the executable, and all arguments. + * Some arguments may be filtered to protect sensitive information. + */ + command_line?: string; + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Absolute path to the process executable. 
+ */ + executable?: string; + group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Whether the process is connected to an interactive shell. + * Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. + * Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY. + */ + interactive?: boolean; + /** + * Process name. + * Sometimes called program name or similar. + */ + name?: string; + parent?: { + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Process id. + */ + pid?: number; + session_leader?: { + /** + * Unique identifier for the process. + * The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + * Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + */ + entity_id?: string; + /** + * Process id. 
+ */ + pid?: number; + /** + * The time the process started. + */ + start?: string; + }; + + /** + * The time the process started. + */ + start?: string; + }; + + /** + * Process id. + */ + pid?: number; + real_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + real_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * This boolean is used to identify if a leader process is the same as the top level process. + * For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`. + * This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader) + * Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` + * Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`. + */ + same_as_process?: boolean; + saved_group?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + saved_user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The time the process started. 
+ */ + start?: string; + supplemental_groups?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Information about the controlling TTY device. If set, the process belongs to an interactive session. + */ + tty?: Record; + user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The working directory of the process. + */ + working_directory?: string; + }; + + /** + * The time the process started. + */ + start?: string; + supplemental_groups?: { + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + thread?: { + /** + * Thread ID. + */ + id?: number; + /** + * Thread name. + */ + name?: string; + }; + + /** + * Process title. + * The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + */ + title?: string; + /** + * Information about the controlling TTY device. If set, the process belongs to an interactive session. + */ + tty?: Record; + /** + * Seconds the process has been up. + */ + uptime?: number; + user?: { + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + }; + + /** + * The working directory of the process. + */ + working_directory?: string; +} diff --git a/packages/kbn-ecs/generated/registry.ts b/packages/kbn-ecs/generated/registry.ts new file mode 100644 index 0000000000000..f1f5ade606b12 --- /dev/null +++ b/packages/kbn-ecs/generated/registry.ts 
@@ -0,0 +1,46 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields related to Windows Registry operations. + */ +export interface EcsRegistry { + data?: { + /** + * Original bytes written with base64 encoding. + * For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + */ + bytes?: string; + /** + * Content when writing string types. + * Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + */ + strings?: string[]; + /** + * Standard registry type for encoding contents + */ + type?: string; + }; + + /** + * Abbreviated name for the hive. + */ + hive?: string; + /** + * Hive-relative path of keys. + */ + key?: string; + /** + * Full path, including hive, key and value + */ + path?: string; + /** + * Name of the value written. + */ + value?: string; +} diff --git a/packages/kbn-ecs/generated/related.ts b/packages/kbn-ecs/generated/related.ts new file mode 100644 index 0000000000000..dc6e1d6b40130 --- /dev/null +++ b/packages/kbn-ecs/generated/related.ts 
@@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * This field set is meant to facilitate pivoting around a piece of data. + * Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. + * A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + */ +export interface EcsRelated { + /** + * All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + */ + hash?: string[]; + /** + * All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + */ + hosts?: string[]; + /** + * All of the IPs seen on your event. + */ + ip?: string[]; + /** + * All the user names or other user identifiers seen on the event. + */ + user?: string[]; +} diff --git a/packages/kbn-ecs/generated/risk.ts b/packages/kbn-ecs/generated/risk.ts new file mode 100644 index 0000000000000..ef71b13af721b --- /dev/null +++ b/packages/kbn-ecs/generated/risk.ts 
@@ -0,0 +1,37 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk. + */ +export interface EcsRisk { + /** + * A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + */ + calculated_level?: string; + /** + * A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. + */ + calculated_score?: number; + /** + * A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + */ + calculated_score_norm?: number; + /** + * A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + */ + static_level?: string; + /** + * A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + */ + static_score?: number; + /** + * A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + */ + static_score_norm?: number; +} diff --git a/packages/kbn-ecs/generated/rule.ts b/packages/kbn-ecs/generated/rule.ts new file mode 100644 index 0000000000000..d632db2e967ca --- /dev/null +++ b/packages/kbn-ecs/generated/rule.ts 
@@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. + * Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + */ +export interface EcsRule { + /** + * Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + */ + author?: string[]; + /** + * A categorization value keyword used by the entity using the rule for detection of this event. + */ + category?: string; + /** + * The description of the rule generating the event. + */ + description?: string; + /** + * A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + */ + id?: string; + /** + * Name of the license under which the rule used to generate this event is made available. + */ + license?: string; + /** + * The name of the rule or signature generating the event. + */ + name?: string; + /** + * Reference URL to additional information about the rule used to generate this event. + * The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. + */ + reference?: string; + /** + * Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
+ */ + ruleset?: string; + /** + * A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + */ + uuid?: string; + /** + * The version / revision of the rule being used for analysis. + */ + version?: string; +} diff --git a/packages/kbn-ecs/generated/schema.ts b/packages/kbn-ecs/generated/schema.ts new file mode 100644 index 0000000000000..72e60f123f788 --- /dev/null +++ b/packages/kbn-ecs/generated/schema.ts 
@@ -0,0 +1,22185 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export const EcsSchema = { + agent: { + description: + 'The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.\nExamples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.', + fields: { + 'agent.build.original': { + dashed_name: 'agent-build-original', + description: + 'Extended build information for the agent.\nThis field is intended to contain any build information that a data source may provide, no specific formatting is required.', + example: + 'metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]', + flat_name: 'agent.build.original', + ignore_above: 1024, + level: 'core', + name: 'build.original', + normalize: [], + short: 'Extended build information for the agent.', + type: 'keyword', + }, + 'agent.ephemeral_id': { + dashed_name: 'agent-ephemeral-id', + description: + 'Ephemeral identifier of this agent (if one exists).\nThis id normally changes across restarts, but `agent.id` does not.', + example: '8a4f500f', + flat_name: 'agent.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + short: 'Ephemeral identifier of this agent.', + type: 'keyword', + }, + 'agent.id': { + dashed_name: 'agent-id', + description: + 'Unique identifier of this agent (if one exists).\nExample: For Beats this would be beat.id.', + example: 
'8a4f500d', + flat_name: 'agent.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of this agent.', + type: 'keyword', + }, + 'agent.name': { + dashed_name: 'agent-name', + description: + 'Custom name of the agent.\nThis is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.', + example: 'foo', + flat_name: 'agent.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Custom name of the agent.', + type: 'keyword', + }, + 'agent.type': { + dashed_name: 'agent-type', + description: + 'Type of the agent.\nThe agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', + example: 'filebeat', + flat_name: 'agent.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'Type of the agent.', + type: 'keyword', + }, + 'agent.version': { + dashed_name: 'agent-version', + description: 'Version of the agent.', + example: '6.0.0-rc2', + flat_name: 'agent.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Version of the agent.', + type: 'keyword', + }, + }, + footnote: + 'Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the agent running in the app/service. 
The agent information does not change if data is sent through queuing systems like Kafka, Redis, or processing systems such as Logstash or APM Server.', + group: 2, + name: 'agent', + prefix: 'agent.', + short: 'Fields about the monitoring agent.', + title: 'Agent', + type: 'group', + }, + as: { + description: + 'An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.', + fields: { + 'as.number': { + dashed_name: 'as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'as.number', + level: 'extended', + name: 'number', + normalize: [], + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'as.organization.name': { + dashed_name: 'as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + short: 'Organization name.', + type: 'keyword', + }, + }, + group: 2, + name: 'as', + prefix: 'as.', + reusable: { + expected: [ + { as: 'as', at: 'client', full: 'client.as' }, + { as: 'as', at: 'destination', full: 'destination.as' }, + { as: 'as', at: 'server', full: 'server.as' }, + { as: 'as', at: 'source', full: 'source.as' }, + { as: 'as', at: 'threat.indicator', full: 'threat.indicator.as' }, + { + as: 'as', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.as', + }, + ], + top_level: false, + }, + short: 'Fields describing an Autonomous System (Internet routing prefix).', + title: 'Autonomous 
System', + type: 'group', + }, + base: { + description: + 'The `base` field set contains all fields which are at the root of the events. These fields are common across all types of events.', + fields: { + '@timestamp': { + dashed_name: 'timestamp', + description: + 'Date/time when the event originated.\nThis is the date/time extracted from the event, typically representing when the event was generated by the source.\nIf the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.\nRequired field for all events.', + example: '2016-05-23T08:05:34.853Z', + flat_name: '@timestamp', + level: 'core', + name: '@timestamp', + normalize: [], + required: true, + short: 'Date/time when the event originated.', + type: 'date', + }, + labels: { + dashed_name: 'labels', + description: + 'Custom key/value pairs.\nCan be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.\nExample: `docker` and `k8s` labels.', + example: '{"application": "foo-bar", "env": "production"}', + flat_name: 'labels', + level: 'core', + name: 'labels', + normalize: [], + object_type: 'keyword', + short: 'Custom key/value pairs.', + type: 'object', + }, + message: { + dashed_name: 'message', + description: + 'For log events the message field contains the log message, optimized for viewing in a log viewer.\nFor structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.\nIf multiple messages exist, they can be combined into one message.', + example: 'Hello World', + flat_name: 'message', + level: 'core', + name: 'message', + normalize: [], + short: 'Log message optimized for viewing in a log viewer.', + type: 'match_only_text', + }, + tags: { + dashed_name: 'tags', + description: 'List of keywords used to tag each event.', + example: '["production", "env2"]', + flat_name: 'tags', + ignore_above: 1024, + 
level: 'core', + name: 'tags', + normalize: ['array'], + short: 'List of keywords used to tag each event.', + type: 'keyword', + }, + }, + group: 1, + name: 'base', + prefix: '', + root: true, + short: 'All fields defined directly at the root of the events.', + title: 'Base', + type: 'group', + }, + client: { + description: + 'A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.\nFor TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.\nClient / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.', + fields: { + 'client.address': { + dashed_name: 'client-address', + description: + 'Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'client.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Client network address.', + type: 'keyword', + }, + 'client.as.number': { + dashed_name: 'client-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'client.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'client.as.organization.name': { + dashed_name: 'client-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'client.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'client.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'client.bytes': { + dashed_name: 'client-bytes', + description: 'Bytes sent from the client to the server.', + example: 184, + flat_name: 'client.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the client to the server.', + type: 'long', + }, + 'client.domain': { + dashed_name: 'client-domain', + description: + 'The domain name of the client system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'client.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the client.', + type: 'keyword', + }, + 'client.geo.city_name': { + dashed_name: 'client-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'client.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'client.geo.continent_code': { + dashed_name: 'client-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'client.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'client.geo.continent_name': { + dashed_name: 'client-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'client.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'client.geo.country_iso_code': { + dashed_name: 'client-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'client.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'client.geo.country_name': { + dashed_name: 'client-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'client.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'client.geo.location': { 
+ dashed_name: 'client-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'client.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'client.geo.name': { + dashed_name: 'client-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'client.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'client.geo.postal_code': { + dashed_name: 'client-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'client.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'client.geo.region_iso_code': { + dashed_name: 'client-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'client.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'client.geo.region_name': { + dashed_name: 'client-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'client.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'client.geo.timezone': { + dashed_name: 'client-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'client.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'client.ip': { + dashed_name: 'client-ip', + description: 'IP address of the client (IPv4 or IPv6).', + flat_name: 'client.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the client.', + type: 'ip', + }, + 'client.mac': { + dashed_name: 'client-mac', + description: + 'MAC address of the client.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'client.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the client.', + type: 'keyword', + }, + 'client.nat.ip': { + dashed_name: 'client-nat-ip', + description: + 'Translated IP of source based NAT sessions (e.g. internal client to internet).\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'client.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Client NAT ip address', + type: 'ip', + }, + 'client.nat.port': { + dashed_name: 'client-nat-port', + description: + 'Translated port of source based NAT sessions (e.g. 
internal client to internet).\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'client.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Client NAT port', + type: 'long', + }, + 'client.packets': { + dashed_name: 'client-packets', + description: 'Packets sent from the client to the server.', + example: 12, + flat_name: 'client.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the client to the server.', + type: 'long', + }, + 'client.port': { + dashed_name: 'client-port', + description: 'Port of the client.', + flat_name: 'client.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the client.', + type: 'long', + }, + 'client.registered_domain': { + dashed_name: 'client-registered-domain', + description: + 'The highest registered client domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'client.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered client domain, stripped of the subdomain.', + type: 'keyword', + }, + 'client.subdomain': { + dashed_name: 'client-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'client.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'client.top_level_domain': { + dashed_name: 'client-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'client.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'client.user.domain': { + dashed_name: 'client-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'client.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'client.user.email': { + dashed_name: 'client-user-email', + description: 'User email address.', + flat_name: 'client.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'client.user.full_name': { + dashed_name: 'client-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'client.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'client.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'client.user.group.domain': { + dashed_name: 'client-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'client.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'client.user.group.id': { + dashed_name: 'client-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'client.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'client.user.group.name': { + dashed_name: 'client-user-group-name', + description: 'Name of the group.', + flat_name: 'client.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'client.user.hash': { + dashed_name: 'client-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'client.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'client.user.id': { + dashed_name: 'client-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'client.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'client.user.name': { + dashed_name: 'client-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'client.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'client.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'client.user.roles': { + dashed_name: 'client-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'client.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'client', + nestings: ['client.as', 'client.geo', 'client.user'], + prefix: 'client.', + reused_here: [ + { + full: 'client.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'client.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'client.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the client side of a network connection, used with server.', + title: 'Client', + type: 'group', + }, + cloud: { + description: 'Fields related to the cloud or infrastructure the events are coming from.', + fields: { + 'cloud.account.id': { + dashed_name: 'cloud-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant 
environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.account.name': { + dashed_name: 'cloud-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + flat_name: 'cloud.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.availability_zone': { + dashed_name: 'cloud-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.instance.id': { + dashed_name: 'cloud-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + short: 'Instance ID of the host machine.', + type: 'keyword', + }, + 'cloud.instance.name': { + dashed_name: 'cloud-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.machine.type': { + dashed_name: 'cloud-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.machine.type', + 
ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.origin.account.id': { + dashed_name: 'cloud-origin-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.origin.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.origin.account.name': { + dashed_name: 'cloud-origin-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + flat_name: 'cloud.origin.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.origin.availability_zone': { + dashed_name: 'cloud-origin-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.origin.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + original_fieldset: 'cloud', + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.origin.instance.id': { + dashed_name: 'cloud-origin-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.origin.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance ID of the host 
machine.', + type: 'keyword', + }, + 'cloud.origin.instance.name': { + dashed_name: 'cloud-origin-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.origin.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.origin.machine.type': { + dashed_name: 'cloud-origin-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.origin.machine.type', + ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + original_fieldset: 'cloud', + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.origin.project.id': { + dashed_name: 'cloud-origin-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.origin.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.origin.project.name': { + dashed_name: 'cloud-origin-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.origin.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project name.', + type: 'keyword', + }, + 'cloud.origin.provider': { + dashed_name: 'cloud-origin-provider', + description: + 'Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.origin.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + original_fieldset: 'cloud', + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.origin.region': { + dashed_name: 'cloud-origin-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.origin.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + original_fieldset: 'cloud', + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.origin.service.name': { + dashed_name: 'cloud-origin-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.origin.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud service name.', + type: 'keyword', + }, + 'cloud.project.id': { + dashed_name: 'cloud-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.project.name': { + dashed_name: 'cloud-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + short: 'The cloud project name.', + type: 'keyword', + }, + 
'cloud.provider': { + dashed_name: 'cloud-provider', + description: + 'Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.region': { + dashed_name: 'cloud-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.service.name': { + dashed_name: 'cloud-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + short: 'The cloud service name.', + type: 'keyword', + }, + 'cloud.target.account.id': { + dashed_name: 'cloud-target-account-id', + description: + 'The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier.', + example: 666777888999, + flat_name: 'cloud.target.account.id', + ignore_above: 1024, + level: 'extended', + name: 'account.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account or organization id.', + type: 'keyword', + }, + 'cloud.target.account.name': { + dashed_name: 'cloud-target-account-name', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment.\nExamples: AWS account name, Google Cloud ORG display 
name.', + example: 'elastic-dev', + flat_name: 'cloud.target.account.name', + ignore_above: 1024, + level: 'extended', + name: 'account.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud account name.', + type: 'keyword', + }, + 'cloud.target.availability_zone': { + dashed_name: 'cloud-target-availability-zone', + description: 'Availability zone in which this host, resource, or service is located.', + example: 'us-east-1c', + flat_name: 'cloud.target.availability_zone', + ignore_above: 1024, + level: 'extended', + name: 'availability_zone', + normalize: [], + original_fieldset: 'cloud', + short: 'Availability zone in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.target.instance.id': { + dashed_name: 'cloud-target-instance-id', + description: 'Instance ID of the host machine.', + example: 'i-1234567890abcdef0', + flat_name: 'cloud.target.instance.id', + ignore_above: 1024, + level: 'extended', + name: 'instance.id', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance ID of the host machine.', + type: 'keyword', + }, + 'cloud.target.instance.name': { + dashed_name: 'cloud-target-instance-name', + description: 'Instance name of the host machine.', + flat_name: 'cloud.target.instance.name', + ignore_above: 1024, + level: 'extended', + name: 'instance.name', + normalize: [], + original_fieldset: 'cloud', + short: 'Instance name of the host machine.', + type: 'keyword', + }, + 'cloud.target.machine.type': { + dashed_name: 'cloud-target-machine-type', + description: 'Machine type of the host machine.', + example: 't2.medium', + flat_name: 'cloud.target.machine.type', + ignore_above: 1024, + level: 'extended', + name: 'machine.type', + normalize: [], + original_fieldset: 'cloud', + short: 'Machine type of the host machine.', + type: 'keyword', + }, + 'cloud.target.project.id': { + dashed_name: 'cloud-target-project-id', + description: + 'The cloud project identifier.\nExamples: Google Cloud Project 
id, Azure Project id.', + example: 'my-project', + flat_name: 'cloud.target.project.id', + ignore_above: 1024, + level: 'extended', + name: 'project.id', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project id.', + type: 'keyword', + }, + 'cloud.target.project.name': { + dashed_name: 'cloud-target-project-name', + description: + 'The cloud project name.\nExamples: Google Cloud Project name, Azure Project name.', + example: 'my project', + flat_name: 'cloud.target.project.name', + ignore_above: 1024, + level: 'extended', + name: 'project.name', + normalize: [], + original_fieldset: 'cloud', + short: 'The cloud project name.', + type: 'keyword', + }, + 'cloud.target.provider': { + dashed_name: 'cloud-target-provider', + description: + 'Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.', + example: 'aws', + flat_name: 'cloud.target.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + original_fieldset: 'cloud', + short: 'Name of the cloud provider.', + type: 'keyword', + }, + 'cloud.target.region': { + dashed_name: 'cloud-target-region', + description: 'Region in which this host, resource, or service is located.', + example: 'us-east-1', + flat_name: 'cloud.target.region', + ignore_above: 1024, + level: 'extended', + name: 'region', + normalize: [], + original_fieldset: 'cloud', + short: 'Region in which this host, resource, or service is located.', + type: 'keyword', + }, + 'cloud.target.service.name': { + dashed_name: 'cloud-target-service-name', + description: + 'The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server.\nExamples: app engine, app service, cloud run, fargate, lambda.', + example: 'lambda', + flat_name: 'cloud.target.service.name', + ignore_above: 1024, + level: 'extended', + name: 'service.name', + normalize: [], + original_fieldset: 
'cloud', + short: 'The cloud service name.', + type: 'keyword', + }, + }, + footnote: + "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.\nThe cloud fields may be self-nested under cloud.origin.* and cloud.target.* to describe origin or target service's cloud information in the context of incoming or outgoing requests, respectively. However, the fieldsets cloud.origin.* and cloud.target.* must not be confused with the root cloud fieldset that is used to describe the cloud context of the actual service under observation. The fieldset cloud.origin.* may only be used in the context of incoming requests or events to provide the originating service's cloud information. The fieldset cloud.target.* may only be used in the context of outgoing requests or events to describe the target service's cloud information.", + group: 2, + name: 'cloud', + nestings: ['cloud.origin', 'cloud.target'], + prefix: 'cloud.', + reusable: { + expected: [ + { + as: 'origin', + at: 'cloud', + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.origin', + short_override: + 'Provides the cloud information of the origin entity in case of an incoming request or event.', + }, + { + as: 'target', + at: 'cloud', + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.target', + short_override: + 'Provides the cloud information of the target entity in case of an outgoing request or event.', + }, + ], + top_level: true, + }, + reused_here: [ + { + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.origin', + schema_name: 'cloud', + short: + 'Provides the cloud information of the origin entity in case of 
an incoming request or event.', + }, + { + beta: 'Reusing the `cloud` fields in this location is currently considered beta.', + full: 'cloud.target', + schema_name: 'cloud', + short: + 'Provides the cloud information of the target entity in case of an outgoing request or event.', + }, + ], + short: 'Fields about the cloud resource.', + title: 'Cloud', + type: 'group', + }, + code_signature: { + description: 'These fields contain information about binary code signatures.', + fields: { + 'code_signature.digest_algorithm': { + dashed_name: 'code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'code_signature.exists': { + dashed_name: 'code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'code_signature.signing_id': { + dashed_name: 'code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'code_signature.status': { + dashed_name: 'code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'code_signature.subject_name': { + dashed_name: 'code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'code_signature.team_id': { + dashed_name: 'code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'code_signature.timestamp': { + dashed_name: 'code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'code_signature.trusted': { + dashed_name: 'code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'code_signature.valid': { + dashed_name: 'code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + }, + group: 2, + name: 'code_signature', + prefix: 'code_signature.', + reusable: { + expected: [ + { as: 'code_signature', at: 'file', full: 'file.code_signature' }, + { as: 'code_signature', at: 'process', full: 'process.code_signature' }, + { as: 'code_signature', at: 'dll', full: 'dll.code_signature' }, + ], + top_level: false, + }, + short: 'These fields contain information about binary code signatures.', 
+ title: 'Code Signature', + type: 'group', + }, + container: { + description: + 'Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime.', + fields: { + 'container.cpu.usage': { + dashed_name: 'container-cpu-usage', + description: + 'Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000.', + flat_name: 'container.cpu.usage', + level: 'extended', + name: 'cpu.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent CPU used, between 0 and 1.', + type: 'scaled_float', + }, + 'container.disk.read.bytes': { + dashed_name: 'container-disk-read-bytes', + description: + 'The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'container.disk.read.bytes', + level: 'extended', + name: 'disk.read.bytes', + normalize: [], + short: 'The number of bytes read by all disks.', + type: 'long', + }, + 'container.disk.write.bytes': { + dashed_name: 'container-disk-write-bytes', + description: + 'The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'container.disk.write.bytes', + level: 'extended', + name: 'disk.write.bytes', + normalize: [], + short: 'The number of bytes written on all disks.', + type: 'long', + }, + 'container.id': { + dashed_name: 'container-id', + description: 'Unique container id.', + flat_name: 'container.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique container id.', + type: 'keyword', + }, + 'container.image.hash.all': { + dashed_name: 'container-image-hash-all', + description: + 'An array of digests of the image the container was built on. Each digest consists of the hash algorithm and value in this format: `algorithm:value`. 
Algorithm names should align with the field names in the ECS hash field set.', + example: '[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]', + flat_name: 'container.image.hash.all', + ignore_above: 1024, + level: 'extended', + name: 'image.hash.all', + normalize: ['array'], + short: 'An array of digests of the image the container was built on.', + type: 'keyword', + }, + 'container.image.name': { + dashed_name: 'container-image-name', + description: 'Name of the image the container was built on.', + flat_name: 'container.image.name', + ignore_above: 1024, + level: 'extended', + name: 'image.name', + normalize: [], + short: 'Name of the image the container was built on.', + type: 'keyword', + }, + 'container.image.tag': { + dashed_name: 'container-image-tag', + description: 'Container image tags.', + flat_name: 'container.image.tag', + ignore_above: 1024, + level: 'extended', + name: 'image.tag', + normalize: ['array'], + short: 'Container image tags.', + type: 'keyword', + }, + 'container.labels': { + dashed_name: 'container-labels', + description: 'Image labels.', + flat_name: 'container.labels', + level: 'extended', + name: 'labels', + normalize: [], + object_type: 'keyword', + short: 'Image labels.', + type: 'object', + }, + 'container.memory.usage': { + dashed_name: 'container-memory-usage', + description: 'Memory usage percentage and it ranges from 0 to 1. 
Scaling factor: 1000.', + flat_name: 'container.memory.usage', + level: 'extended', + name: 'memory.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent memory used, between 0 and 1.', + type: 'scaled_float', + }, + 'container.name': { + dashed_name: 'container-name', + description: 'Container name.', + flat_name: 'container.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Container name.', + type: 'keyword', + }, + 'container.network.egress.bytes': { + dashed_name: 'container-network-egress-bytes', + description: + 'The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.', + flat_name: 'container.network.egress.bytes', + level: 'extended', + name: 'network.egress.bytes', + normalize: [], + short: 'The number of bytes sent on all network interfaces.', + type: 'long', + }, + 'container.network.ingress.bytes': { + dashed_name: 'container-network-ingress-bytes', + description: + 'The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.', + flat_name: 'container.network.ingress.bytes', + level: 'extended', + name: 'network.ingress.bytes', + normalize: [], + short: 'The number of bytes received on all network interfaces.', + type: 'long', + }, + 'container.runtime': { + dashed_name: 'container-runtime', + description: 'Runtime managing this container.', + example: 'docker', + flat_name: 'container.runtime', + ignore_above: 1024, + level: 'extended', + name: 'runtime', + normalize: [], + short: 'Runtime managing this container.', + type: 'keyword', + }, + }, + group: 2, + name: 'container', + prefix: 'container.', + short: 'Fields describing the container that generated this event.', + title: 'Container', + type: 'group', + }, + data_stream: { + beta: 'These fields are in beta and are subject to change.', + description: + 'The data_stream fields take part in defining the new data stream naming 
scheme.\nIn the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post].\nAn Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].', + fields: { + 'data_stream.dataset': { + dashed_name: 'data-stream-dataset', + description: + 'The field can contain anything that makes sense to signify the source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters', + example: 'nginx.access', + flat_name: 'data_stream.dataset', + level: 'extended', + name: 'dataset', + normalize: [], + short: 'The field can contain anything that makes sense to signify the source of the data.', + type: 'constant_keyword', + }, + 'data_stream.namespace': { + dashed_name: 'data-stream-namespace', + description: + 'A user defined namespace. 
Namespaces are useful to allow grouping of data.\nMany users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.\nBeyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:\n * Must not contain `-`\n * No longer than 100 characters', + example: 'production', + flat_name: 'data_stream.namespace', + level: 'extended', + name: 'namespace', + normalize: [], + short: 'A user defined namespace. Namespaces are useful to allow grouping of data.', + type: 'constant_keyword', + }, + 'data_stream.type': { + dashed_name: 'data-stream-type', + description: + 'An overarching type for the data stream.\nCurrently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.', + example: 'logs', + flat_name: 'data_stream.type', + level: 'extended', + name: 'type', + normalize: [], + short: 'An overarching type for the data stream.', + type: 'constant_keyword', + }, + }, + group: 2, + name: 'data_stream', + prefix: 'data_stream.', + short: 'The data_stream fields take part in defining the new data stream naming scheme.', + title: 'Data Stream', + type: 'group', + }, + destination: { + description: + 'Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.\nDestination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. 
If the event also contains identification of the client and server roles, then the client and server fields should also be populated.', + fields: { + 'destination.address': { + dashed_name: 'destination-address', + description: + 'Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'destination.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Destination network address.', + type: 'keyword', + }, + 'destination.as.number': { + dashed_name: 'destination-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'destination.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'destination.as.organization.name': { + dashed_name: 'destination-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'destination.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'destination.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'destination.bytes': { + dashed_name: 'destination-bytes', + description: 'Bytes sent from the destination to the source.', + example: 184, + flat_name: 'destination.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the destination to the source.', + type: 'long', + }, + 'destination.domain': { + dashed_name: 
'destination-domain', + description: + 'The domain name of the destination system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'destination.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the destination.', + type: 'keyword', + }, + 'destination.geo.city_name': { + dashed_name: 'destination-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'destination.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'destination.geo.continent_code': { + dashed_name: 'destination-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'destination.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'destination.geo.continent_name': { + dashed_name: 'destination-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'destination.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'destination.geo.country_iso_code': { + dashed_name: 'destination-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'destination.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'destination.geo.country_name': { + dashed_name: 'destination-geo-country-name', + description: 
'Country name.', + example: 'Canada', + flat_name: 'destination.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'destination.geo.location': { + dashed_name: 'destination-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'destination.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'destination.geo.name': { + dashed_name: 'destination-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'destination.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'destination.geo.postal_code': { + dashed_name: 'destination-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'destination.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'destination.geo.region_iso_code': { + dashed_name: 'destination-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'destination.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 
'keyword', + }, + 'destination.geo.region_name': { + dashed_name: 'destination-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'destination.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'destination.geo.timezone': { + dashed_name: 'destination-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'destination.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'destination.ip': { + dashed_name: 'destination-ip', + description: 'IP address of the destination (IPv4 or IPv6).', + flat_name: 'destination.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the destination.', + type: 'ip', + }, + 'destination.mac': { + dashed_name: 'destination-mac', + description: + 'MAC address of the destination.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'destination.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the destination.', + type: 'keyword', + }, + 'destination.nat.ip': { + dashed_name: 'destination-nat-ip', + description: + 'Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'destination.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Destination NAT ip', + type: 'ip', + }, + 'destination.nat.port': { + dashed_name: 'destination-nat-port', + description: + 'Port the source session is translated to by NAT Device.\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'destination.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Destination NAT Port', + type: 'long', + }, + 'destination.packets': { + dashed_name: 'destination-packets', + description: 'Packets sent from the destination to the source.', + example: 12, + flat_name: 'destination.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the destination to the source.', + type: 'long', + }, + 'destination.port': { + dashed_name: 'destination-port', + description: 'Port of the destination.', + flat_name: 'destination.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the destination.', + type: 'long', + }, + 'destination.registered_domain': { + dashed_name: 'destination-registered-domain', + description: + 'The highest registered destination domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'destination.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered destination domain, stripped of the subdomain.', + type: 'keyword', + }, + 'destination.subdomain': { + dashed_name: 'destination-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'destination.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'destination.top_level_domain': { + dashed_name: 'destination-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'destination.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'destination.user.domain': { + dashed_name: 'destination-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'destination.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'destination.user.email': { + dashed_name: 'destination-user-email', + description: 'User email address.', + flat_name: 'destination.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'destination.user.full_name': { + dashed_name: 'destination-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'destination.user.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'destination.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'destination.user.group.domain': { + dashed_name: 'destination-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'destination.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the 
group is a member of.', + type: 'keyword', + }, + 'destination.user.group.id': { + dashed_name: 'destination-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'destination.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'destination.user.group.name': { + dashed_name: 'destination-user-group-name', + description: 'Name of the group.', + flat_name: 'destination.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'destination.user.hash': { + dashed_name: 'destination-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'destination.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'destination.user.id': { + dashed_name: 'destination-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'destination.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'destination.user.name': { + dashed_name: 'destination-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'destination.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'destination.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + 
normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'destination.user.roles': { + dashed_name: 'destination-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'destination.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'destination', + nestings: ['destination.as', 'destination.geo', 'destination.user'], + prefix: 'destination.', + reused_here: [ + { + full: 'destination.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'destination.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'destination.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the destination side of a network connection, used with source.', + title: 'Destination', + type: 'group', + }, + device: { + beta: 'These fields are in beta and are subject to change.', + description: + 'Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.\nThis field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).', + fields: { + 'device.id': { + dashed_name: 'device-id', + description: + 'The unique identifier of a device. The identifier must not change across application sessions but stay fixex for an instance of a (mobile) device. 
\nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application.\nFor GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user.', + example: '00000000-54b3-e7c7-0000-000046bffd97', + flat_name: 'device.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'The unique identifier of a device.', + type: 'keyword', + }, + 'device.manufacturer': { + dashed_name: 'device-manufacturer', + description: 'The vendor name of the device manufacturer.', + example: 'Samsung', + flat_name: 'device.manufacturer', + ignore_above: 1024, + level: 'extended', + name: 'manufacturer', + normalize: [], + short: 'The vendor name of the device manufacturer.', + type: 'keyword', + }, + 'device.model.identifier': { + dashed_name: 'device-model-identifier', + description: 'The machine readable identifier of the device model.', + example: 'SM-G920F', + flat_name: 'device.model.identifier', + ignore_above: 1024, + level: 'extended', + name: 'model.identifier', + normalize: [], + short: 'The machine readable identifier of the device model.', + type: 'keyword', + }, + 'device.model.name': { + dashed_name: 'device-model-name', + description: 'The human readable marketing name of the device model.', + example: 'Samsung Galaxy S6', + flat_name: 'device.model.name', + ignore_above: 1024, + level: 'extended', + name: 'model.name', + normalize: [], + short: 'The human readable marketing name of the device model.', + type: 'keyword', + }, + }, + group: 2, + name: 'device', + prefix: 'device.', + short: 'Fields characterizing a (mobile) device a process or application is running on.', + title: 'Device', + type: 'group', + }, + dll: { + description: + 'These fields contain 
information about code libraries dynamically loaded into processes.\n\nMany operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following:\n* Dynamic-link library (`.dll`) commonly used on Windows\n* Shared Object (`.so`) commonly used on Unix-like operating systems\n* Dynamic library (`.dylib`) commonly used on macOS', + fields: { + 'dll.code_signature.digest_algorithm': { + dashed_name: 'dll-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'dll.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.exists': { + dashed_name: 'dll-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'dll.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'dll.code_signature.signing_id': { + dashed_name: 'dll-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'dll.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.status': { + dashed_name: 'dll-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'dll.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'dll.code_signature.subject_name': { + dashed_name: 'dll-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'dll.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'dll.code_signature.team_id': { + dashed_name: 'dll-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'dll.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'dll.code_signature.timestamp': { + dashed_name: 'dll-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'dll.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'dll.code_signature.trusted': { + dashed_name: 'dll-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'dll.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'dll.code_signature.valid': { + dashed_name: 'dll-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'dll.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'dll.hash.md5': { + dashed_name: 'dll-hash-md5', + description: 'MD5 hash.', + flat_name: 'dll.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 
'MD5 hash.', + type: 'keyword', + }, + 'dll.hash.sha1': { + dashed_name: 'dll-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'dll.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'dll.hash.sha256': { + dashed_name: 'dll-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'dll.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'dll.hash.sha384': { + dashed_name: 'dll-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'dll.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'dll.hash.sha512': { + dashed_name: 'dll-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'dll.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'dll.hash.ssdeep': { + dashed_name: 'dll-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'dll.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'dll.hash.tlsh': { + dashed_name: 'dll-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'dll.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'dll.name': { + dashed_name: 'dll-name', + description: 'Name of the library.\nThis generally maps to the name of the file on disk.', + example: 'kernel32.dll', + flat_name: 'dll.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the library.', + type: 'keyword', + }, + 'dll.path': 
{ + dashed_name: 'dll-path', + description: 'Full file path of the library.', + example: 'C:\\Windows\\System32\\kernel32.dll', + flat_name: 'dll.path', + ignore_above: 1024, + level: 'extended', + name: 'path', + normalize: [], + short: 'Full file path of the library.', + type: 'keyword', + }, + 'dll.pe.architecture': { + dashed_name: 'dll-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'dll.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'dll.pe.company': { + dashed_name: 'dll-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'dll.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.description': { + dashed_name: 'dll-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'dll.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.file_version': { + dashed_name: 'dll-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'dll.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'dll.pe.imphash': { + dashed_name: 'dll-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'dll.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'dll.pe.original_file_name': { + dashed_name: 'dll-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'dll.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'dll.pe.pehash': { + dashed_name: 'dll-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'dll.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'dll.pe.product': { + dashed_name: 'dll-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'dll.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + }, + group: 2, + name: 'dll', + nestings: ['dll.code_signature', 'dll.hash', 'dll.pe'], + prefix: 'dll.', + reused_here: [ + { + full: 'dll.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + { + full: 'dll.pe', + schema_name: 'pe', + short: 'These fields contain Windows Portable Executable (PE) metadata.', + }, + { + full: 'dll.code_signature', + schema_name: 'code_signature', + short: 'These fields contain information about binary code signatures.', + }, + ], + short: + 'These fields contain information about code libraries dynamically loaded into processes.', + title: 'DLL', + type: 'group', + }, + dns: { + description: + 'Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).', + fields: { + 'dns.answers': { + dashed_name: 'dns-answers', + description: + 'An array containing an 
object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.', + flat_name: 'dns.answers', + level: 'extended', + name: 'answers', + normalize: ['array'], + short: 'Array of DNS answers.', + type: 'object', + }, + 'dns.answers.class': { + dashed_name: 'dns-answers-class', + description: 'The class of DNS data contained in this resource record.', + example: 'IN', + flat_name: 'dns.answers.class', + ignore_above: 1024, + level: 'extended', + name: 'answers.class', + normalize: [], + short: 'The class of DNS data contained in this resource record.', + type: 'keyword', + }, + 'dns.answers.data': { + dashed_name: 'dns-answers-data', + description: + 'The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record.', + example: '10.10.10.10', + flat_name: 'dns.answers.data', + ignore_above: 1024, + level: 'extended', + name: 'answers.data', + normalize: [], + short: 'The data describing the resource.', + type: 'keyword', + }, + 'dns.answers.name': { + dashed_name: 'dns-answers-name', + description: + "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. 
It should not simply be the original `question.name` repeated.", + example: 'www.example.com', + flat_name: 'dns.answers.name', + ignore_above: 1024, + level: 'extended', + name: 'answers.name', + normalize: [], + short: 'The domain name to which this resource record pertains.', + type: 'keyword', + }, + 'dns.answers.ttl': { + dashed_name: 'dns-answers-ttl', + description: + 'The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.', + example: 180, + flat_name: 'dns.answers.ttl', + level: 'extended', + name: 'answers.ttl', + normalize: [], + short: + 'The time interval in seconds that this resource record may be cached before it should be discarded.', + type: 'long', + }, + 'dns.answers.type': { + dashed_name: 'dns-answers-type', + description: 'The type of data contained in this resource record.', + example: 'CNAME', + flat_name: 'dns.answers.type', + ignore_above: 1024, + level: 'extended', + name: 'answers.type', + normalize: [], + short: 'The type of data contained in this resource record.', + type: 'keyword', + }, + 'dns.header_flags': { + dashed_name: 'dns-header-flags', + description: 'Array of 2 letter DNS header flags.', + example: '["RD", "RA"]', + expected_values: ['AA', 'TC', 'RD', 'RA', 'AD', 'CD', 'DO'], + flat_name: 'dns.header_flags', + ignore_above: 1024, + level: 'extended', + name: 'header_flags', + normalize: ['array'], + short: 'Array of DNS header flags.', + type: 'keyword', + }, + 'dns.id': { + dashed_name: 'dns-id', + description: + 'The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.', + example: 62111, + flat_name: 'dns.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: + 'The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response.', + type: 'keyword', + }, + 'dns.op_code': { + dashed_name: 'dns-op-code', + description: + 'The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.', + example: 'QUERY', + flat_name: 'dns.op_code', + ignore_above: 1024, + level: 'extended', + name: 'op_code', + normalize: [], + short: 'The DNS operation code that specifies the kind of query in the message.', + type: 'keyword', + }, + 'dns.question.class': { + dashed_name: 'dns-question-class', + description: 'The class of records being queried.', + example: 'IN', + flat_name: 'dns.question.class', + ignore_above: 1024, + level: 'extended', + name: 'question.class', + normalize: [], + short: 'The class of records being queried.', + type: 'keyword', + }, + 'dns.question.name': { + dashed_name: 'dns-question-name', + description: + 'The name being queried.\nIf the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \\t, \\r, and \\n respectively.', + example: 'www.example.com', + flat_name: 'dns.question.name', + ignore_above: 1024, + level: 'extended', + name: 'question.name', + normalize: [], + short: 'The name being queried.', + type: 'keyword', + }, + 'dns.question.registered_domain': { + dashed_name: 'dns-question-registered-domain', + description: + 'The highest registered domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'dns.question.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'question.registered_domain', + normalize: [], + short: 'The highest registered domain, stripped of the subdomain.', + type: 'keyword', + }, + 'dns.question.subdomain': { + dashed_name: 'dns-question-subdomain', + description: + 'The subdomain is all of the labels under the registered_domain.\nIf the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'www', + flat_name: 'dns.question.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'question.subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'dns.question.top_level_domain': { + dashed_name: 'dns-question-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'dns.question.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'question.top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'dns.question.type': { + dashed_name: 'dns-question-type', + description: 'The type of record being queried.', + example: 'AAAA', + flat_name: 'dns.question.type', + ignore_above: 1024, + level: 'extended', + name: 'question.type', + normalize: [], + short: 'The type of record being queried.', + type: 'keyword', + }, + 'dns.resolved_ip': { + dashed_name: 'dns-resolved-ip', + description: + 'Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.', + example: '["10.10.10.10", "10.10.10.11"]', + flat_name: 'dns.resolved_ip', + level: 'extended', + name: 'resolved_ip', + normalize: ['array'], + short: 'Array containing all IPs seen in answers.data', + type: 'ip', + }, + 'dns.response_code': { + dashed_name: 'dns-response-code', + description: 'The DNS response code.', + example: 'NOERROR', + flat_name: 'dns.response_code', + ignore_above: 1024, + level: 'extended', + name: 'response_code', + normalize: [], + short: 'The DNS response code.', + type: 'keyword', + }, + 'dns.type': { + dashed_name: 'dns-type', + description: + 'The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers.', + example: 'answer', + flat_name: 'dns.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'The type of DNS event captured, query or answer.', + type: 'keyword', + }, + }, + group: 2, + name: 'dns', + prefix: 'dns.', + short: 'Fields describing DNS queries and answers.', + title: 'DNS', + type: 'group', + }, + ecs: { + description: 'Meta-information specific to ECS.', + fields: { + 'ecs.version': { + dashed_name: 'ecs-version', + description: + 'ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.', + example: '1.0.0', + flat_name: 'ecs.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + required: true, + short: 'ECS version this event conforms to.', + type: 'keyword', + }, + }, + group: 2, + name: 'ecs', + prefix: 'ecs.', + short: 'Meta-information specific to ECS.', + title: 'ECS', + type: 'group', + }, + elf: { + beta: 'These fields are in beta and are subject to change.', + description: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + fields: { + 'elf.architecture': { + dashed_name: 'elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'elf.byte_order': { + dashed_name: 'elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 
'elf.cpu_type': { + dashed_name: 'elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'elf.creation_date': { + dashed_name: 'elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.", + flat_name: 'elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + short: 'Build or compile date.', + type: 'date', + }, + 'elf.exports': { + dashed_name: 'elf-exports', + description: 'List of exported element names and types.', + flat_name: 'elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'elf.header.abi_version': { + dashed_name: 'elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'elf.header.class': { + dashed_name: 'elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'elf.header.data': { + dashed_name: 'elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'elf.header.entrypoint': { + dashed_name: 'elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + 
flat_name: 'elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'elf.header.object_version': { + dashed_name: 'elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'elf.header.os_abi': { + dashed_name: 'elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'elf.header.type': { + dashed_name: 'elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'elf.header.version': { + dashed_name: 'elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'elf.imports': { + dashed_name: 'elf-imports', + description: 'List of imported element names and types.', + flat_name: 'elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'elf.sections': { + dashed_name: 'elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'elf.sections', + level: 
'extended', + name: 'sections', + normalize: ['array'], + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'elf.sections.chi2': { + dashed_name: 'elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'elf.sections.entropy': { + dashed_name: 'elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'elf.sections.flags': { + dashed_name: 'elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'elf.sections.name': { + dashed_name: 'elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + short: 'ELF Section List name.', + type: 'keyword', + }, + 'elf.sections.physical_offset': { + dashed_name: 'elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'elf.sections.physical_size': { + dashed_name: 'elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + short: 'ELF Section List physical size.', + 
type: 'long', + }, + 'elf.sections.type': { + dashed_name: 'elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + short: 'ELF Section List type.', + type: 'keyword', + }, + 'elf.sections.virtual_address': { + dashed_name: 'elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'elf.sections.virtual_size': { + dashed_name: 'elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'elf.segments': { + dashed_name: 'elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + short: 'ELF object segment list.', + type: 'nested', + }, + 'elf.segments.sections': { + dashed_name: 'elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'elf.segments.type': { + dashed_name: 'elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + short: 'ELF object segment type.', + type: 'keyword', + }, + 'elf.shared_libraries': { + dashed_name: 
'elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'elf.telfhash': { + dashed_name: 'elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + }, + group: 2, + name: 'elf', + prefix: 'elf.', + reusable: { + expected: [ + { + as: 'elf', + at: 'file', + beta: 'This field reuse is beta and subject to change.', + full: 'file.elf', + }, + { + as: 'elf', + at: 'process', + beta: 'This field reuse is beta and subject to change.', + full: 'process.elf', + }, + ], + top_level: false, + }, + short: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + title: 'ELF Header', + type: 'group', + }, + email: { + description: + 'Event details relating to an email transaction.\nThis field set focuses on the email message header, body, and attachments. 
Network protocols that send and receive email messages such as SMTP are outside the scope of the `email.*` fields.', + fields: { + 'email.attachments': { + dashed_name: 'email-attachments', + description: + 'A list of objects describing the attachment files sent along with an email message.', + flat_name: 'email.attachments', + level: 'extended', + name: 'attachments', + normalize: ['array'], + short: 'List of objects describing the attachments.', + type: 'nested', + }, + 'email.attachments.file.extension': { + dashed_name: 'email-attachments-file-extension', + description: 'Attachment file extension, excluding the leading dot.', + example: 'txt', + flat_name: 'email.attachments.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.extension', + normalize: [], + short: 'Attachment file extension.', + type: 'keyword', + }, + 'email.attachments.file.hash.md5': { + dashed_name: 'email-attachments-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'email.attachments.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha1': { + dashed_name: 'email-attachments-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'email.attachments.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha256': { + dashed_name: 'email-attachments-file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'email.attachments.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha384': { + dashed_name: 'email-attachments-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 
'email.attachments.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.sha512': { + dashed_name: 'email-attachments-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'email.attachments.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.ssdeep': { + dashed_name: 'email-attachments-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'email.attachments.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'email.attachments.file.hash.tlsh': { + dashed_name: 'email-attachments-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'email.attachments.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'email.attachments.file.mime_type': { + dashed_name: 'email-attachments-file-mime-type', + description: + 'The MIME media type of the attachment.\nThis value will typically be extracted from the `Content-Type` MIME header field.', + example: 'text/plain', + flat_name: 'email.attachments.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.mime_type', + normalize: [], + short: 'MIME type of the attachment file.', + type: 'keyword', + }, + 'email.attachments.file.name': { + dashed_name: 'email-attachments-file-name', + description: 'Name of the attachment file including the file extension.', + example: 'attachment.txt', + flat_name: 'email.attachments.file.name', + ignore_above: 1024, + level: 'extended', + name: 'attachments.file.name', + normalize: [], + short: 'Name of 
the attachment file.', + type: 'keyword', + }, + 'email.attachments.file.size': { + dashed_name: 'email-attachments-file-size', + description: 'Attachment file size in bytes.', + example: 64329, + flat_name: 'email.attachments.file.size', + level: 'extended', + name: 'attachments.file.size', + normalize: [], + short: 'Attachment file size.', + type: 'long', + }, + 'email.bcc.address': { + dashed_name: 'email-bcc-address', + description: 'The email address of BCC recipient', + example: 'bcc.user1@example.com', + flat_name: 'email.bcc.address', + ignore_above: 1024, + level: 'extended', + name: 'bcc.address', + normalize: ['array'], + short: 'Email address of BCC recipient', + type: 'keyword', + }, + 'email.cc.address': { + dashed_name: 'email-cc-address', + description: 'The email address of CC recipient', + example: 'cc.user1@example.com', + flat_name: 'email.cc.address', + ignore_above: 1024, + level: 'extended', + name: 'cc.address', + normalize: ['array'], + short: 'Email address of CC recipient', + type: 'keyword', + }, + 'email.content_type': { + dashed_name: 'email-content-type', + description: + 'Information about how the message is to be displayed.\nTypically a MIME type.', + example: 'text/plain', + flat_name: 'email.content_type', + ignore_above: 1024, + level: 'extended', + name: 'content_type', + normalize: [], + short: 'MIME type of the email message.', + type: 'keyword', + }, + 'email.delivery_timestamp': { + dashed_name: 'email-delivery-timestamp', + description: + 'The date and time when the email message was received by the service or client.', + example: '2020-11-10T22:12:34.8196921Z', + flat_name: 'email.delivery_timestamp', + level: 'extended', + name: 'delivery_timestamp', + normalize: [], + short: 'Date and time when message was delivered.', + type: 'date', + }, + 'email.direction': { + dashed_name: 'email-direction', + description: 'The direction of the message based on the sending and receiving domains.', + example: 'inbound', + flat_name: 
'email.direction', + ignore_above: 1024, + level: 'extended', + name: 'direction', + normalize: [], + short: 'Direction of the message.', + type: 'keyword', + }, + 'email.from.address': { + dashed_name: 'email-from-address', + description: + 'The email address of the sender, typically from the RFC 5322 `From:` header field.', + example: 'sender@example.com', + flat_name: 'email.from.address', + ignore_above: 1024, + level: 'extended', + name: 'from.address', + normalize: ['array'], + short: "The sender's email address.", + type: 'keyword', + }, + 'email.local_id': { + dashed_name: 'email-local-id', + description: + 'Unique identifier given to the email by the source that created the event.\nIdentifier is not persistent across hops.', + example: 'c26dbea0-80d5-463b-b93c-4e8b708219ce', + flat_name: 'email.local_id', + ignore_above: 1024, + level: 'extended', + name: 'local_id', + normalize: [], + short: 'Unique identifier given by the source.', + type: 'keyword', + }, + 'email.message_id': { + dashed_name: 'email-message-id', + description: + 'Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.', + example: '81ce15$8r2j59@mail01.example.com', + flat_name: 'email.message_id', + level: 'extended', + name: 'message_id', + normalize: [], + short: 'Value from the Message-ID header.', + type: 'wildcard', + }, + 'email.origination_timestamp': { + dashed_name: 'email-origination-timestamp', + description: + 'The date and time the email message was composed. 
Many email clients will fill in this value automatically when the message is sent by a user.', + example: '2020-11-10T22:12:34.8196921Z', + flat_name: 'email.origination_timestamp', + level: 'extended', + name: 'origination_timestamp', + normalize: [], + short: 'Date and time the email was composed.', + type: 'date', + }, + 'email.reply_to.address': { + dashed_name: 'email-reply-to-address', + description: + 'The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header.', + example: 'reply.here@example.com', + flat_name: 'email.reply_to.address', + ignore_above: 1024, + level: 'extended', + name: 'reply_to.address', + normalize: ['array'], + short: 'Address replies should be delivered to.', + type: 'keyword', + }, + 'email.sender.address': { + dashed_name: 'email-sender-address', + description: + 'Per RFC 5322, specifies the address responsible for the actual transmission of the message.', + flat_name: 'email.sender.address', + ignore_above: 1024, + level: 'extended', + name: 'sender.address', + normalize: [], + short: 'Address of the message sender.', + type: 'keyword', + }, + 'email.subject': { + dashed_name: 'email-subject', + description: 'A brief summary of the topic of the message.', + example: 'Please see this important message.', + flat_name: 'email.subject', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'email.subject.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'subject', + normalize: [], + short: 'The subject of the email message.', + type: 'keyword', + }, + 'email.to.address': { + dashed_name: 'email-to-address', + description: 'The email address of recipient', + example: 'user1@example.com', + flat_name: 'email.to.address', + ignore_above: 1024, + level: 'extended', + name: 'to.address', + normalize: ['array'], + short: 'Email address of recipient', + type: 'keyword', + }, + 'email.x_mailer': { + dashed_name: 'email-x-mailer', + description: + 'The name of 
the application that was used to draft and send the original email message.', + example: 'Spambot v2.5', + flat_name: 'email.x_mailer', + ignore_above: 1024, + level: 'extended', + name: 'x_mailer', + normalize: [], + short: 'Application that drafted email.', + type: 'keyword', + }, + }, + group: 2, + name: 'email', + nestings: ['email.attachments.file.hash'], + prefix: 'email.', + reused_here: [ + { + full: 'email.attachments.file.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + ], + short: 'Describes an email transaction.', + title: 'Email', + type: 'group', + }, + error: { + description: + 'These fields can represent errors of any kind.\nUse them for errors that happen while fetching events or in cases where the event itself contains an error.', + fields: { + 'error.code': { + dashed_name: 'error-code', + description: 'Error code describing the error.', + flat_name: 'error.code', + ignore_above: 1024, + level: 'core', + name: 'code', + normalize: [], + short: 'Error code describing the error.', + type: 'keyword', + }, + 'error.id': { + dashed_name: 'error-id', + description: 'Unique identifier for the error.', + flat_name: 'error.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier for the error.', + type: 'keyword', + }, + 'error.message': { + dashed_name: 'error-message', + description: 'Error message.', + flat_name: 'error.message', + level: 'core', + name: 'message', + normalize: [], + short: 'Error message.', + type: 'match_only_text', + }, + 'error.stack_trace': { + dashed_name: 'error-stack-trace', + description: 'The stack trace of this error in plain text.', + flat_name: 'error.stack_trace', + level: 'extended', + multi_fields: [ + { + flat_name: 'error.stack_trace.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'stack_trace', + normalize: [], + short: 'The stack trace of this error in plain text.', + type: 'wildcard', + }, + 'error.type': { + dashed_name: 
'error-type', + description: 'The type of the error, for example the class name of the exception.', + example: 'java.lang.NullPointerException', + flat_name: 'error.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'The type of the error, for example the class name of the exception.', + type: 'keyword', + }, + }, + group: 2, + name: 'error', + prefix: 'error.', + short: 'Fields about errors of any kind.', + title: 'Error', + type: 'group', + }, + event: { + description: + 'The event fields are used for context information about the log or metric event itself.\nA log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events.', + fields: { + 'event.action': { + dashed_name: 'event-action', + description: + 'The action captured by the event.\nThis describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.', + example: 'user-password-change', + flat_name: 'event.action', + ignore_above: 1024, + level: 'core', + name: 'action', + normalize: [], + short: 'The action captured by the event.', + type: 'keyword', + }, + 'event.agent_id_status': { + dashed_name: 'event-agent-id-status', + description: + "Agents are normally responsible for populating the `agent.id` field value. 
If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation.\nFor example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used.\nIf no validation is performed then the field should be omitted.\nThe allowed values are:\n`verified` - The `agent.id` field value matches expected value obtained from auth metadata.\n`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata.\n`missing` - There was no `agent.id` field in the event to validate.\n`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID.", + example: 'verified', + flat_name: 'event.agent_id_status', + ignore_above: 1024, + level: 'extended', + name: 'agent_id_status', + normalize: [], + short: "Validation status of the event's agent.id field.", + type: 'keyword', + }, + 'event.category': { + allowed_values: [ + { + description: + 'Events in this category are related to the challenge and response process in which credentials are supplied and verified to allow the creation of a session. Common sources for these logs are Windows event logs and ssh logs. 
Visualize and analyze events in this category to look for failed logins, and other authentication-related activity.', + expected_event_types: ['start', 'end', 'info'], + name: 'authentication', + }, + { + description: + 'Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system.\nExample sources include security policy change logs, configuration auditing logging, and system integrity monitoring.', + expected_event_types: ['access', 'change', 'creation', 'deletion', 'info'], + name: 'configuration', + }, + { + description: + 'The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database activity such as accesses and changes.', + expected_event_types: ['access', 'change', 'info', 'error'], + name: 'database', + }, + { + description: + 'Events in the driver category have to do with operating system device drivers and similar software entities such as Windows drivers, kernel extensions, kernel modules, etc.\nUse events and metrics in this category to visualize and analyze driver-related activity and status on hosts.', + expected_event_types: ['change', 'end', 'info', 'start'], + name: 'driver', + }, + { + description: + 'This category is used for events relating to email messages, email attachments, and email network or protocol activity.\nEmails events can be produced by email security gateways, mail transfer agents, email cloud service providers, or mail server monitoring applications.', + expected_event_types: ['info'], + name: 'email', + }, + { + description: + 'Relating to a set of information that has been created on, or has existed on a filesystem. 
Use this category of events to visualize and analyze the creation, access, and deletions of files. Events in this category can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log.', + expected_event_types: ['change', 'creation', 'deletion', 'info'], + name: 'file', + }, + { + description: + 'Use this category to visualize and analyze information such as host inventory or host lifecycle events.\nMost of the events in this category can usually be observed from the outside, such as from a hypervisor or a control plane\'s point of view. Some can also be seen from within, such as "start" or "end".\nNote that this category is for information about hosts themselves; it is not meant to capture activity "happening on a host".', + expected_event_types: ['access', 'change', 'end', 'info', 'start'], + name: 'host', + }, + { + description: + 'Identity and access management (IAM) events relating to users, groups, and administration. Use this category to visualize and analyze IAM-related logs and data from active directory, LDAP, Okta, Duo, and other IAM systems.', + expected_event_types: [ + 'admin', + 'change', + 'creation', + 'deletion', + 'group', + 'info', + 'user', + ], + name: 'iam', + }, + { + description: + 'Relating to intrusion detections from IDS/IPS systems and functions, both network and host-based. Use this category to visualize and analyze intrusion detection alerts from systems such as Snort, Suricata, and Palo Alto threat detections.', + expected_event_types: ['allowed', 'denied', 'info'], + name: 'intrusion_detection', + }, + { + description: + 'Malware detection events and alerts. 
Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems such as Suricata, or other sources of malware-related events such as Palo Alto Networks threat logs and Wildfire logs.', + expected_event_types: ['info'], + name: 'malware', + }, + { + description: + 'Relating to all network activity, including network connection lifecycle, network traffic, and essentially any event that includes an IP address. Many events containing decoded network protocol transactions fit into this category. Use events in this category to visualize or analyze counts of network ports, protocols, addresses, geolocation information, etc.', + expected_event_types: [ + 'access', + 'allowed', + 'connection', + 'denied', + 'end', + 'info', + 'protocol', + 'start', + ], + name: 'network', + }, + { + description: + 'Relating to software packages installed on hosts. Use this category to visualize and analyze inventory of software installed on various hosts, or to determine host vulnerability in the absence of vulnerability scan data.', + expected_event_types: ['access', 'change', 'deletion', 'info', 'installation', 'start'], + name: 'package', + }, + { + description: + 'Use this category of events to visualize and analyze process-specific information such as lifecycle events or process ancestry.', + expected_event_types: ['access', 'change', 'end', 'info', 'start'], + name: 'process', + }, + { + description: + 'Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications.', + expected_event_types: ['access', 'change', 'creation', 'deletion'], + name: 'registry', + }, + { + description: + 'The session category is applied to events and metrics regarding logical persistent connections to hosts and services. 
Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.', + expected_event_types: ['start', 'end', 'info'], + name: 'session', + }, + { + description: + "Use this category to visualize and analyze events describing threat actors' targets, motives, or behaviors.", + expected_event_types: ['indicator'], + name: 'threat', + }, + { + description: + 'Relating to vulnerability scan results. Use this category to analyze vulnerabilities detected by Tenable, Qualys, internal scanners, and other vulnerability management sources.', + expected_event_types: ['info'], + name: 'vulnerability', + }, + { + description: + 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in this category.', + expected_event_types: ['access', 'error', 'info'], + name: 'web', + }, + ], + dashed_name: 'event-category', + description: + 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.\n`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.\nThis field is an array. This will allow proper categorization of some events that fall in multiple categories.', + example: 'authentication', + flat_name: 'event.category', + ignore_above: 1024, + level: 'core', + name: 'category', + normalize: ['array'], + short: 'Event category. 
The second categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.code': { + dashed_name: 'event-code', + description: + 'Identification code for this event, if one exists.\nSome event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.', + example: 4648, + flat_name: 'event.code', + ignore_above: 1024, + level: 'extended', + name: 'code', + normalize: [], + short: 'Identification code for this event.', + type: 'keyword', + }, + 'event.created': { + dashed_name: 'event-created', + description: + "event.created contains the date/time when the event was first read by an agent, or by your pipeline.\nThis field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.\nIn most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.\nIn case the two timestamps are identical, @timestamp should be used.", + example: '2016-05-23T08:05:34.857Z', + flat_name: 'event.created', + level: 'core', + name: 'created', + normalize: [], + short: 'Time when the event was first read by an agent or by your pipeline.', + type: 'date', + }, + 'event.dataset': { + dashed_name: 'event-dataset', + description: + "Name of the dataset.\nIf an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from.\nIt's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.", + example: 'apache.access', + flat_name: 'event.dataset', + ignore_above: 1024, + level: 'core', + name: 'dataset', + normalize: [], + short: 'Name of the dataset.', + type: 'keyword', + }, + 'event.duration': { + dashed_name: 'event-duration', + description: + 'Duration of the event in nanoseconds.\nIf event.start and event.end are known this value should be the difference between the end and start time.', + flat_name: 'event.duration', + format: 'duration', + input_format: 'nanoseconds', + level: 'core', + name: 'duration', + normalize: [], + output_format: 'asMilliseconds', + output_precision: 1, + short: 'Duration of the event in nanoseconds.', + type: 'long', + }, + 'event.end': { + dashed_name: 'event-end', + description: + 'event.end contains the date when the event ended or when the activity was last observed.', + flat_name: 'event.end', + level: 'extended', + name: 'end', + normalize: [], + short: + 'event.end contains the date when the event ended or when the activity was last observed.', + type: 'date', + }, + 'event.hash': { + dashed_name: 'event-hash', + description: + 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.', + example: '123456789012345678901234567890ABCD', + flat_name: 'event.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + short: + 'Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.', + type: 'keyword', + }, + 'event.id': { + dashed_name: 'event-id', + description: 'Unique ID to describe the event.', + example: '8a4f500d', + flat_name: 'event.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique ID to describe the event.', + type: 'keyword', + }, + 'event.ingested': { + 
dashed_name: 'event-ingested', + description: + "Timestamp when an event arrived in the central data store.\nThis is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.\nIn normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.", + example: '2016-05-23T08:05:35.101Z', + flat_name: 'event.ingested', + level: 'core', + name: 'ingested', + normalize: [], + short: 'Timestamp when an event arrived in the central data store.', + type: 'date', + }, + 'event.kind': { + allowed_values: [ + { + description: + 'This value indicates an event such as an alert or notable event, triggered by a detection rule executing externally to the Elastic Stack.\n`event.kind:alert` is often populated for events coming from firewalls, intrusion detection systems, endpoint detection and response systems, and so on.\nThis value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.', + name: 'alert', + }, + { + description: + 'The `enrichment` value indicates an event collected to provide additional context, often to other events.\nAn example is collecting indicators of compromise (IOCs) from a threat intelligence provider with the intent to use those values to enrich other events. The IOC events from the intelligence provider should be categorized as `event.kind:enrichment`.', + name: 'enrichment', + }, + { + description: + 'This value is the most general and most common value for this field. 
It is used to represent events that indicate that something happened.', + name: 'event', + }, + { + description: + 'This value is used to indicate that this event describes a numeric measurement taken at given point in time.\nExamples include CPU utilization, memory usage, or device temperature.\nMetric events are often collected on a predictable frequency, such as once every few seconds, or once a minute, but can also be used to describe ad-hoc numeric metric queries.', + name: 'metric', + }, + { + description: + "The state value is similar to metric, indicating that this event describes a measurement taken at given point in time, except that the measurement does not result in a numeric value, but rather one of a fixed set of categorical values that represent conditions or states.\nExamples include periodic events reporting Elasticsearch cluster state (green/yellow/red), the state of a TCP connection (open, closed, fin_wait, etc.), the state of a host with respect to a software vulnerability (vulnerable, not vulnerable), and the state of a system regarding compliance with a regulatory standard (compliant, not compliant).\nNote that an event that describes a change of state would not use `event.kind:state`, but instead would use 'event.kind:event' since a state change fits the more general event definition of something that happened.\nState events are often collected on a predictable frequency, such as once every few seconds, once a minute, once an hour, or once a day, but can also be used to describe ad-hoc state queries.", + name: 'state', + }, + { + description: + 'This value indicates that an error occurred during the ingestion of this event, and that event data may be missing, inconsistent, or incorrect. 
`event.kind:pipeline_error` is often associated with parsing errors.', + name: 'pipeline_error', + }, + { + description: + 'This value is used by Elastic solutions (e.g., Security, Observability) for alert documents that are created by rules executing within the Kibana alerting framework.\nUsage of this value is reserved, and data ingestion pipelines must not populate `event.kind` with the value "signal".', + name: 'signal', + }, + ], + dashed_name: 'event-kind', + description: + 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.\n`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.\nThe value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.', + example: 'alert', + flat_name: 'event.kind', + ignore_above: 1024, + level: 'core', + name: 'kind', + normalize: [], + short: 'The kind of the event. The highest categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.module': { + dashed_name: 'event-module', + description: + 'Name of the module this data is coming from.\nIf your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.', + example: 'apache', + flat_name: 'event.module', + ignore_above: 1024, + level: 'core', + name: 'module', + normalize: [], + short: 'Name of the module this data is coming from.', + type: 'keyword', + }, + 'event.original': { + dashed_name: 'event-original', + description: + 'Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.\nThis field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.', + doc_values: false, + example: + 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232', + flat_name: 'event.original', + index: false, + level: 'core', + name: 'original', + normalize: [], + short: 'Raw text message of entire event.', + type: 'keyword', + }, + 'event.outcome': { + allowed_values: [ + { + description: + 'Indicates that this event describes a failed result. A common example is `event.category:file AND event.type:access AND event.outcome:failure` to indicate that a file access was attempted, but was not successful.', + name: 'failure', + }, + { + description: + 'Indicates that this event describes a successful result. A common example is `event.category:file AND event.type:create AND event.outcome:success` to indicate that a file was successfully created.', + name: 'success', + }, + { + description: + "Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. 
In such cases `event.outcome` should not be populated.", + name: 'unknown', + }, + ], + dashed_name: 'event-outcome', + description: + 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.\n`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.\nNote that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.\nAlso note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.\nFurther note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.', + example: 'success', + flat_name: 'event.outcome', + ignore_above: 1024, + level: 'core', + name: 'outcome', + normalize: [], + short: 'The outcome of the event. The lowest level categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.provider': { + dashed_name: 'event-provider', + description: + 'Source of the event.\nEvent transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).', + example: 'kernel', + flat_name: 'event.provider', + ignore_above: 1024, + level: 'extended', + name: 'provider', + normalize: [], + short: 'Source of the event.', + type: 'keyword', + }, + 'event.reason': { + dashed_name: 'event-reason', + description: + 'Reason why this event happened, according to the source.\nThis describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).', + example: 'Terminated an unexpected process', + flat_name: 'event.reason', + ignore_above: 1024, + level: 'extended', + name: 'reason', + normalize: [], + short: 'Reason why this event happened, according to the source', + type: 'keyword', + }, + 'event.reference': { + dashed_name: 'event-reference', + description: + 'Reference URL linking to additional information about this event.\nThis URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://system.example.com/event/#0001234', + flat_name: 'event.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Event reference URL', + type: 'keyword', + }, + 'event.risk_score': { + dashed_name: 'event-risk-score', + description: + "Risk score or priority of the event (e.g. security solutions). Use your system's original value here.", + flat_name: 'event.risk_score', + level: 'core', + name: 'risk_score', + normalize: [], + short: + "Risk score or priority of the event (e.g. security solutions). 
Use your system's original value here.", + type: 'float', + }, + 'event.risk_score_norm': { + dashed_name: 'event-risk-score-norm', + description: + 'Normalized risk score or priority of the event, on a scale of 0 to 100.\nThis is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.', + flat_name: 'event.risk_score_norm', + level: 'extended', + name: 'risk_score_norm', + normalize: [], + short: 'Normalized risk score or priority of the event (0-100).', + type: 'float', + }, + 'event.sequence': { + dashed_name: 'event-sequence', + description: + 'Sequence number of the event.\nThe sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.', + flat_name: 'event.sequence', + format: 'string', + level: 'extended', + name: 'sequence', + normalize: [], + short: 'Sequence number of the event.', + type: 'long', + }, + 'event.severity': { + dashed_name: 'event-severity', + description: + "The numeric severity of the event according to your event source.\nWhat the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.\nThe Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.", + example: 7, + flat_name: 'event.severity', + format: 'string', + level: 'core', + name: 'severity', + normalize: [], + short: 'Numeric severity of the event.', + type: 'long', + }, + 'event.start': { + dashed_name: 'event-start', + description: + 'event.start contains the date when the event started or when the activity was first observed.', + flat_name: 'event.start', + level: 'extended', + name: 'start', + normalize: [], + short: + 'event.start contains the date when the event started or when the activity was first observed.', + type: 'date', + }, + 'event.timezone': { + dashed_name: 'event-timezone', + description: + 'This field should be populated when the event\'s timestamp does not include timezone information already (e.g. default Syslog timestamps). It\'s optional otherwise.\nAcceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").', + flat_name: 'event.timezone', + ignore_above: 1024, + level: 'extended', + name: 'timezone', + normalize: [], + short: 'Event time zone.', + type: 'keyword', + }, + 'event.type': { + allowed_values: [ + { + description: + 'The access event type is used for the subset of events within a category that indicate that something was accessed. Common examples include `event.category:database AND event.type:access`, or `event.category:file AND event.type:access`. Note for file access, both directory listings and file opens should be included in this subcategory. You can further distinguish access operations using the ECS `event.action` field.', + name: 'access', + }, + { + description: + 'The admin event type is used for the subset of events within a category that are related to admin objects. 
For example, administrative changes within an IAM framework that do not specifically affect a user or group (e.g., adding new applications to a federation solution or connecting discrete forests in Active Directory) would fall into this subcategory. Common example: `event.category:iam AND event.type:change AND event.type:admin`. You can further distinguish admin operations using the ECS `event.action` field.', + name: 'admin', + }, + { + description: + 'The allowed event type is used for the subset of events within a category that indicate that something was allowed. Common examples include `event.category:network AND event.type:connection AND event.type:allowed` (to indicate a network firewall event for which the firewall disposition was to allow the connection to complete) and `event.category:intrusion_detection AND event.type:allowed` (to indicate a network intrusion prevention system event for which the IPS disposition was to allow the connection to complete). You can further distinguish allowed operations using the ECS `event.action` field, populating with values of your choosing, such as "allow", "detect", or "pass".', + name: 'allowed', + }, + { + description: + 'The change event type is used for the subset of events within a category that indicate that something has changed. If semantics best describe an event as modified, then include them in this subcategory. Common examples include `event.category:process AND event.type:change`, and `event.category:file AND event.type:change`. You can further distinguish change operations using the ECS `event.action` field.', + name: 'change', + }, + { + description: + 'Used primarily with `event.category:network` this value is used for the subset of network traffic that includes sufficient information for the event to be included in flow or connection analysis. 
Events in this subcategory will contain at least source and destination IP addresses, source and destination TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. Events in this subcategory may contain unidirectional or bidirectional information, including summary information. Use this subcategory to visualize and analyze network connections. Flow analysis, including Netflow, IPFIX, and other flow-related events fit in this subcategory. Note that firewall events from many Next-Generation Firewall (NGFW) devices will also fit into this subcategory. A common filter for flow/connection information would be `event.category:network AND event.type:connection AND event.type:end` (to view or analyze all completed network connections, ignoring mid-flow reports). You can further distinguish connection events using the ECS `event.action` field, populating with values of your choosing, such as "timeout", or "reset".', + name: 'connection', + }, + { + description: + 'The "creation" event type is used for the subset of events within a category that indicate that something was created. A common example is `event.category:file AND event.type:creation`.', + name: 'creation', + }, + { + description: + 'The deletion event type is used for the subset of events within a category that indicate that something was deleted. A common example is `event.category:file AND event.type:deletion` to indicate that a file has been deleted.', + name: 'deletion', + }, + { + description: + 'The denied event type is used for the subset of events within a category that indicate that something was denied. Common examples include `event.category:network AND event.type:denied` (to indicate a network firewall event for which the firewall disposition was to deny the connection) and `event.category:intrusion_detection AND event.type:denied` (to indicate a network intrusion prevention system event for which the IPS disposition was to deny the connection to complete). 
You can further distinguish denied operations using the ECS `event.action` field, populating with values of your choosing, such as "blocked", "dropped", or "quarantined".', + name: 'denied', + }, + { + description: + 'The end event type is used for the subset of events within a category that indicate something has ended. A common example is `event.category:process AND event.type:end`.', + name: 'end', + }, + { + description: + 'The error event type is used for the subset of events within a category that indicate or describe an error. A common example is `event.category:database AND event.type:error`. Note that pipeline errors that occur during the event ingestion process should not use this `event.type` value. Instead, they should use `event.kind:pipeline_error`.', + name: 'error', + }, + { + description: + 'The group event type is used for the subset of events within a category that are related to group objects. Common example: `event.category:iam AND event.type:creation AND event.type:group`. You can further distinguish group operations using the ECS `event.action` field.', + name: 'group', + }, + { + description: + 'The indicator event type is used for the subset of events within a category that contain details about indicators of compromise (IOCs).\nA common example is `event.category:threat AND event.type:indicator`.', + name: 'indicator', + }, + { + description: + 'The info event type is used for the subset of events within a category that indicate that they are purely informational, and don\'t report a state change, or any type of action. For example, an initial run of a file integrity monitoring system (FIM), where an agent reports all files under management, would fall into the "info" subcategory. Similarly, an event containing a dump of all currently running processes (as opposed to reporting that a process started/ended) would fall into the "info" subcategory. 
An additional common examples is `event.category:intrusion_detection AND event.type:info`.', + name: 'info', + }, + { + description: + 'The installation event type is used for the subset of events within a category that indicate that something was installed. A common example is `event.category:package` AND `event.type:installation`.', + name: 'installation', + }, + { + description: + 'The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field.', + name: 'protocol', + }, + { + description: + 'The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process AND event.type:start`.', + name: 'start', + }, + { + description: + 'The user event type is used for the subset of events within a category that are related to user objects. Common example: `event.category:iam AND event.type:deletion AND event.type:user`. 
You can further distinguish user operations using the ECS `event.action` field.', + name: 'user', + }, + ], + dashed_name: 'event-type', + description: + 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.\n`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.\nThis field is an array. This will allow proper categorization of some events that fall in multiple event types.', + flat_name: 'event.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: ['array'], + short: 'Event type. The third categorization field in the hierarchy.', + type: 'keyword', + }, + 'event.url': { + dashed_name: 'event-url', + description: + 'URL linking to an external system to continue investigation of this event.\nThis URL links to another system where in-depth investigation of the specific occurrence of this event can take place. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe', + flat_name: 'event.url', + ignore_above: 1024, + level: 'extended', + name: 'url', + normalize: [], + short: 'Event investigation URL', + type: 'keyword', + }, + }, + group: 2, + name: 'event', + prefix: 'event.', + short: 'Fields breaking down the event details.', + title: 'Event', + type: 'group', + }, + faas: { + beta: 'These fields are in beta and are subject to change.', + description: + 'The user fields describe information about the function as a service (FaaS) that is relevant to the event.', + fields: { + 'faas.coldstart': { + dashed_name: 'faas-coldstart', + description: 'Boolean value indicating a cold start of a function.', + flat_name: 'faas.coldstart', + level: 'extended', + name: 'coldstart', + normalize: [], + short: 'Boolean value indicating a cold start of a function.', + type: 'boolean', + }, + 'faas.execution': { + dashed_name: 'faas-execution', + description: 'The execution ID of the current function execution.', + example: 'af9d5aa4-a685-4c5f-a22b-444f80b3cc28', + flat_name: 'faas.execution', + ignore_above: 1024, + level: 'extended', + name: 'execution', + normalize: [], + short: 'The execution ID of the current function execution.', + type: 'keyword', + }, + 'faas.id': { + dashed_name: 'faas-id', + description: + "The unique identifier of a serverless function.\nFor AWS Lambda it's the function ARN (Amazon Resource Name) without a version or alias suffix.", + example: 'arn:aws:lambda:us-west-2:123456789012:function:my-function', + flat_name: 'faas.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'The unique identifier of a serverless function.', + type: 'keyword', + }, + 'faas.name': { + dashed_name: 'faas-name', + description: 'The name of a serverless function.', + example: 'my-function', + flat_name: 'faas.name', + ignore_above: 
1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'The name of a serverless function.', + type: 'keyword', + }, + 'faas.trigger': { + dashed_name: 'faas-trigger', + description: 'Details about the function trigger.', + flat_name: 'faas.trigger', + level: 'extended', + name: 'trigger', + normalize: [], + short: 'Details about the function trigger.', + type: 'nested', + }, + 'faas.trigger.request_id': { + dashed_name: 'faas-trigger-request-id', + description: 'The ID of the trigger request , message, event, etc.', + example: 123456789, + flat_name: 'faas.trigger.request_id', + ignore_above: 1024, + level: 'extended', + name: 'trigger.request_id', + normalize: [], + short: 'The ID of the trigger request , message, event, etc.', + type: 'keyword', + }, + 'faas.trigger.type': { + dashed_name: 'faas-trigger-type', + description: 'The trigger for the function execution.', + example: 'http', + expected_values: ['http', 'pubsub', 'datasource', 'timer', 'other'], + flat_name: 'faas.trigger.type', + ignore_above: 1024, + level: 'extended', + name: 'trigger.type', + normalize: [], + short: 'The trigger for the function execution.', + type: 'keyword', + }, + 'faas.version': { + dashed_name: 'faas-version', + description: 'The version of a serverless function.', + example: '123', + flat_name: 'faas.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'The version of a serverless function.', + type: 'keyword', + }, + }, + group: 2, + name: 'faas', + prefix: 'faas.', + short: 'Fields describing functions as a service.', + title: 'FaaS', + type: 'group', + }, + file: { + description: + 'A file is defined as a set of information that has been created on, or has existed on a filesystem.\nFile objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). 
File fields provide details about the affected file associated with the event or metric.', + fields: { + 'file.accessed': { + dashed_name: 'file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + short: 'Last time the file was accessed.', + type: 'date', + }, + 'file.attributes': { + dashed_name: 'file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + short: 'Array of file attributes.', + type: 'keyword', + }, + 'file.code_signature.digest_algorithm': { + dashed_name: 'file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.exists': { + dashed_name: 'file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'file.code_signature.signing_id': { + dashed_name: 'file-code-signature-signing-id', + 
description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.status': { + dashed_name: 'file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'file.code_signature.subject_name': { + dashed_name: 'file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'file.code_signature.team_id': { + dashed_name: 'file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'file.code_signature.timestamp': { + dashed_name: 'file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'file.code_signature.trusted': { + dashed_name: 'file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'file.code_signature.valid': { + dashed_name: 'file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'file.created': { + dashed_name: 'file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'file.created', + level: 'extended', + name: 
'created', + normalize: [], + short: 'File creation time.', + type: 'date', + }, + 'file.ctime': { + dashed_name: 'file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'file.device': { + dashed_name: 'file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'file.directory': { + dashed_name: 'file-directory', + description: + 'Directory where the file is located. It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'file.drive_letter': { + dashed_name: 'file-drive-letter', + description: + 'Drive letter where the file is located. 
This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'file.elf.architecture': { + dashed_name: 'file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'file.elf.byte_order': { + dashed_name: 'file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'file.elf.cpu_type': { + dashed_name: 'file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'file.elf.creation_date': { + dashed_name: 'file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'file.elf.exports': { + dashed_name: 'file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'file.elf.header.abi_version': { + dashed_name: 'file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'file.elf.header.class': { + dashed_name: 'file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'file.elf.header.data': { + dashed_name: 'file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'file.elf.header.entrypoint': { + dashed_name: 'file-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 
'file.elf.header.object_version': { + dashed_name: 'file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'file.elf.header.os_abi': { + dashed_name: 'file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'file.elf.header.type': { + dashed_name: 'file-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'file.elf.header.version': { + dashed_name: 'file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'file.elf.imports': { + dashed_name: 'file-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'file.elf.sections': { + dashed_name: 'file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 
'file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'file.elf.sections.chi2': { + dashed_name: 'file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'file.elf.sections.entropy': { + dashed_name: 'file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'file.elf.sections.flags': { + dashed_name: 'file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'file.elf.sections.name': { + dashed_name: 'file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'file.elf.sections.physical_offset': { + dashed_name: 'file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'file.elf.sections.physical_size': { 
+ dashed_name: 'file-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'file.elf.sections.type': { + dashed_name: 'file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'file.elf.sections.virtual_address': { + dashed_name: 'file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'file.elf.sections.virtual_size': { + dashed_name: 'file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'file.elf.segments': { + dashed_name: 'file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'file.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'file.elf.segments.sections': { + dashed_name: 'file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 
'file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'file.elf.segments.type': { + dashed_name: 'file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'file.elf.shared_libraries': { + dashed_name: 'file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'file.elf.telfhash': { + dashed_name: 'file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'file.extension': { + dashed_name: 'file-extension', + description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'file.fork_name': { + dashed_name: 'file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. 
A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'file.gid': { + dashed_name: 'file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'file.group': { + dashed_name: 'file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'file.hash.md5': { + dashed_name: 'file-hash-md5', + description: 'MD5 hash.', + flat_name: 'file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'file.hash.sha1': { + dashed_name: 'file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'file.hash.sha256': { + dashed_name: 
'file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'file.hash.sha384': { + dashed_name: 'file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'file.hash.sha512': { + dashed_name: 'file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'file.hash.ssdeep': { + dashed_name: 'file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'file.hash.tlsh': { + dashed_name: 'file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'file.inode': { + dashed_name: 'file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + normalize: [], + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'file.mime_type': { + dashed_name: 'file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used.', + flat_name: 'file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'file.mode': { + dashed_name: 'file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'file.mtime': { + dashed_name: 'file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + short: 'Last time the file content was modified.', + type: 'date', + }, + 'file.name': { + dashed_name: 'file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the file including the extension, without the directory.', + type: 'keyword', + }, + 'file.owner': { + dashed_name: 'file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + short: "File owner's username.", + type: 'keyword', + }, + 'file.path': { + dashed_name: 'file-path', + description: + 'Full path to the file, including the file name. 
It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'file.pe.architecture': { + dashed_name: 'file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'file.pe.company': { + dashed_name: 'file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.description': { + dashed_name: 'file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.file_version': { + dashed_name: 'file-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'file.pe.imphash': { + dashed_name: 'file-pe-imphash', + 
description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'file.pe.original_file_name': { + dashed_name: 'file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.pe.pehash': { + dashed_name: 'file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'file.pe.product': { + dashed_name: 'file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'file.size': { + dashed_name: 'file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'file.size', + level: 'extended', + name: 'size', + normalize: [], + short: 'File size in bytes.', + type: 'long', + }, + 'file.target_path': { + dashed_name: 'file-target-path', + description: 'Target path for symlinks.', + flat_name: 'file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + short: 'Target path for symlinks.', + type: 'keyword', + }, + 'file.type': { + dashed_name: 'file-type', + description: 'File type (file, dir, or symlink).', + example: 'file', + flat_name: 'file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'file.uid': { + dashed_name: 'file-uid', + description: 'The user ID (UID) or security identifier 
(SID) of the file owner.', + example: '1001', + flat_name: 'file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'file.x509.alternative_names': { + dashed_name: 'file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'file.x509.issuer.common_name': { + dashed_name: 'file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.country': { + dashed_name: 'file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'file.x509.issuer.distinguished_name': { + dashed_name: 'file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'file.x509.issuer.distinguished_name', + ignore_above: 1024, + 
level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.locality': { + dashed_name: 'file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'file.x509.issuer.organization': { + dashed_name: 'file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.organizational_unit': { + dashed_name: 'file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'file.x509.issuer.state_or_province': { + dashed_name: 'file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 
'file.x509.not_after': { + dashed_name: 'file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'file.x509.not_before': { + dashed_name: 'file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'file.x509.public_key_algorithm': { + dashed_name: 'file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'file.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'file.x509.public_key_curve': { + dashed_name: 'file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'file.x509.public_key_exponent': { + dashed_name: 'file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. 
This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'file.x509.public_key_size': { + dashed_name: 'file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'file.x509.serial_number': { + dashed_name: 'file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'file.x509.signature_algorithm': { + dashed_name: 'file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'file.x509.subject.common_name': { + dashed_name: 'file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'file.x509.subject.country': { + dashed_name: 'file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'file.x509.subject.distinguished_name': { + dashed_name: 'file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'file.x509.subject.locality': { + dashed_name: 'file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + 
original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'file.x509.subject.organization': { + dashed_name: 'file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'file.x509.subject.organizational_unit': { + dashed_name: 'file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'file.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'file.x509.subject.state_or_province': { + dashed_name: 'file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'file.x509.version_number': { + dashed_name: 'file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + }, + group: 2, + name: 'file', + nestings: ['file.code_signature', 'file.elf', 'file.hash', 'file.pe', 'file.x509'], + prefix: 'file.', + reusable: { + expected: [ + { as: 'file', at: 'threat.indicator', full: 'threat.indicator.file' }, + { + as: 
'file', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.file', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'file.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + { + full: 'file.pe', + schema_name: 'pe', + short: 'These fields contain Windows Portable Executable (PE) metadata.', + }, + { + full: 'file.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'file.code_signature', + schema_name: 'code_signature', + short: 'These fields contain information about binary code signatures.', + }, + { + beta: 'This field reuse is beta and subject to change.', + full: 'file.elf', + schema_name: 'elf', + short: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + }, + ], + short: 'Fields describing files.', + title: 'File', + type: 'group', + }, + geo: { + description: + 'Geo fields can carry data about a specific location related to an event.\nThis geolocation information can be derived from techniques such as Geo IP, or be user-supplied.', + fields: { + 'geo.city_name': { + dashed_name: 'geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + short: 'City name.', + type: 'keyword', + }, + 'geo.continent_code': { + dashed_name: 'geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + short: 'Continent code.', + type: 'keyword', + }, + 'geo.continent_name': { + dashed_name: 'geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + short: 'Name of the continent.', + type: 'keyword', + }, + 
'geo.country_iso_code': { + dashed_name: 'geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + short: 'Country ISO code.', + type: 'keyword', + }, + 'geo.country_name': { + dashed_name: 'geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + short: 'Country name.', + type: 'keyword', + }, + 'geo.location': { + dashed_name: 'geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'geo.location', + level: 'core', + name: 'location', + normalize: [], + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'geo.name': { + dashed_name: 'geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'geo.postal_code': { + dashed_name: 'geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + short: 'Postal code.', + type: 'keyword', + }, + 'geo.region_iso_code': { + dashed_name: 'geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 
'region_iso_code', + normalize: [], + short: 'Region ISO code.', + type: 'keyword', + }, + 'geo.region_name': { + dashed_name: 'geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + short: 'Region name.', + type: 'keyword', + }, + 'geo.timezone': { + dashed_name: 'geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + short: 'Time zone.', + type: 'keyword', + }, + }, + group: 2, + name: 'geo', + prefix: 'geo.', + reusable: { + expected: [ + { as: 'geo', at: 'client', full: 'client.geo' }, + { as: 'geo', at: 'destination', full: 'destination.geo' }, + { as: 'geo', at: 'observer', full: 'observer.geo' }, + { as: 'geo', at: 'host', full: 'host.geo' }, + { as: 'geo', at: 'server', full: 'server.geo' }, + { as: 'geo', at: 'source', full: 'source.geo' }, + { as: 'geo', at: 'threat.indicator', full: 'threat.indicator.geo' }, + { + as: 'geo', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.geo', + }, + ], + top_level: false, + }, + short: 'Fields describing a location.', + title: 'Geo', + type: 'group', + }, + group: { + description: 'The group fields are meant to represent groups that are relevant to the event.', + fields: { + 'group.domain': { + dashed_name: 'group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'group.id': { + dashed_name: 'group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'group.id', + 
ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'group.name': { + dashed_name: 'group-name', + description: 'Name of the group.', + flat_name: 'group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the group.', + type: 'keyword', + }, + }, + group: 2, + name: 'group', + prefix: 'group.', + reusable: { + expected: [ + { as: 'group', at: 'user', full: 'user.group' }, + { + as: 'group', + at: 'process', + full: 'process.group', + short_override: 'The effective group (egid).', + }, + { + as: 'real_group', + at: 'process', + full: 'process.real_group', + short_override: 'The real group (rgid).', + }, + { + as: 'saved_group', + at: 'process', + full: 'process.saved_group', + short_override: 'The saved group (sgid).', + }, + { + as: 'supplemental_groups', + at: 'process', + full: 'process.supplemental_groups', + normalize: ['array'], + short_override: 'An array of supplemental groups.', + }, + { + as: 'attested_groups', + at: 'process', + beta: 'Reusing the `group` fields in this location is currently considered beta.', + full: 'process.attested_groups', + normalize: ['array'], + short_override: + 'The externally attested groups based on an external source such as the Kube API.', + }, + ], + top_level: true, + }, + short: "User's group relevant to the event.", + title: 'Group', + type: 'group', + }, + hash: { + description: + 'The hash fields represent different bitwise hash algorithms and their values.\nField names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).\nNote that this fieldset is used for common hashes that may be computed over a range of generic bytes. 
Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).', + fields: { + 'hash.md5': { + dashed_name: 'hash-md5', + description: 'MD5 hash.', + flat_name: 'hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + short: 'MD5 hash.', + type: 'keyword', + }, + 'hash.sha1': { + dashed_name: 'hash-sha1', + description: 'SHA1 hash.', + flat_name: 'hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + short: 'SHA1 hash.', + type: 'keyword', + }, + 'hash.sha256': { + dashed_name: 'hash-sha256', + description: 'SHA256 hash.', + flat_name: 'hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + short: 'SHA256 hash.', + type: 'keyword', + }, + 'hash.sha384': { + dashed_name: 'hash-sha384', + description: 'SHA384 hash.', + flat_name: 'hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + short: 'SHA384 hash.', + type: 'keyword', + }, + 'hash.sha512': { + dashed_name: 'hash-sha512', + description: 'SHA512 hash.', + flat_name: 'hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + short: 'SHA512 hash.', + type: 'keyword', + }, + 'hash.ssdeep': { + dashed_name: 'hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'hash.tlsh': { + dashed_name: 'hash-tlsh', + description: 'TLSH hash.', + flat_name: 'hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + short: 'TLSH hash.', + type: 'keyword', + }, + }, + group: 2, + name: 'hash', + prefix: 'hash.', + reusable: { + expected: [ + { as: 'hash', at: 'file', full: 'file.hash' }, + { as: 'hash', at: 'process', full: 'process.hash' }, + { as: 'hash', at: 'dll', full: 'dll.hash' }, + { + as: 'hash', + at: 
'email.attachments.file', + full: 'email.attachments.file.hash', + }, + ], + top_level: false, + }, + short: 'Hashes, usually file hashes.', + title: 'Hash', + type: 'group', + }, + host: { + description: + 'A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.', + fields: { + 'host.architecture': { + dashed_name: 'host-architecture', + description: 'Operating system architecture.', + example: 'x86_64', + flat_name: 'host.architecture', + ignore_above: 1024, + level: 'core', + name: 'architecture', + normalize: [], + short: 'Operating system architecture.', + type: 'keyword', + }, + 'host.boot.id': { + beta: 'This field is beta and subject to change.', + dashed_name: 'host-boot-id', + description: + 'Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. 
Some container runtimes will bind mount a new boot_id value onto the proc file in each container.', + example: '88a1f0ed-5ae5-41ee-af6b-41921c311872', + flat_name: 'host.boot.id', + ignore_above: 1024, + level: 'extended', + name: 'boot.id', + normalize: [], + short: 'Linux boot uuid taken from /proc/sys/kernel/random/boot_id', + type: 'keyword', + }, + 'host.cpu.usage': { + dashed_name: 'host-cpu-usage', + description: + 'Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.\nScaling factor: 1000.\nFor example: For a two core host, this value should be the average of the two cores, between 0 and 1.', + flat_name: 'host.cpu.usage', + level: 'extended', + name: 'cpu.usage', + normalize: [], + scaling_factor: 1000, + short: 'Percent CPU used, between 0 and 1.', + type: 'scaled_float', + }, + 'host.disk.read.bytes': { + dashed_name: 'host-disk-read-bytes', + description: + 'The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'host.disk.read.bytes', + level: 'extended', + name: 'disk.read.bytes', + normalize: [], + short: 'The number of bytes read by all disks.', + type: 'long', + }, + 'host.disk.write.bytes': { + dashed_name: 'host-disk-write-bytes', + description: + 'The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.', + flat_name: 'host.disk.write.bytes', + level: 'extended', + name: 'disk.write.bytes', + normalize: [], + short: 'The number of bytes written on all disks.', + type: 'long', + }, + 'host.domain': { + dashed_name: 'host-domain', + description: + "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider.", + example: 'CONTOSO', + flat_name: 'host.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'host.geo.city_name': { + dashed_name: 'host-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'host.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'host.geo.continent_code': { + dashed_name: 'host-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'host.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'host.geo.continent_name': { + dashed_name: 'host-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'host.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'host.geo.country_iso_code': { + dashed_name: 'host-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'host.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'host.geo.country_name': { + dashed_name: 'host-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'host.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'host.geo.location': { + dashed_name: 
'host-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'host.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'host.geo.name': { + dashed_name: 'host-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'host.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'host.geo.postal_code': { + dashed_name: 'host-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'host.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'host.geo.region_iso_code': { + dashed_name: 'host-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'host.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'host.geo.region_name': { + dashed_name: 'host-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'host.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'host.geo.timezone': { + dashed_name: 
'host-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'host.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'host.hostname': { + dashed_name: 'host-hostname', + description: + 'Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine.', + flat_name: 'host.hostname', + ignore_above: 1024, + level: 'core', + name: 'hostname', + normalize: [], + short: 'Hostname of the host.', + type: 'keyword', + }, + 'host.id': { + dashed_name: 'host-id', + description: + 'Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`.', + flat_name: 'host.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique host id.', + type: 'keyword', + }, + 'host.ip': { + dashed_name: 'host-ip', + description: 'Host ip addresses.', + flat_name: 'host.ip', + level: 'core', + name: 'ip', + normalize: ['array'], + short: 'Host ip addresses.', + type: 'ip', + }, + 'host.mac': { + dashed_name: 'host-mac', + description: + 'Host MAC addresses.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen.', + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]', + flat_name: 'host.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: ['array'], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'Host MAC addresses.', + type: 'keyword', + }, + 'host.name': { + dashed_name: 'host-name', + description: + 'Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.', + flat_name: 'host.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the host.', + type: 'keyword', + }, + 'host.network.egress.bytes': { + dashed_name: 'host-network-egress-bytes', + description: + 'The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.egress.bytes', + level: 'extended', + name: 'network.egress.bytes', + normalize: [], + short: 'The number of bytes sent on all network interfaces.', + type: 'long', + }, + 'host.network.egress.packets': { + dashed_name: 'host-network-egress-packets', + description: + 'The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.egress.packets', + level: 'extended', + name: 'network.egress.packets', + normalize: [], + short: 'The number of packets sent on all network interfaces.', + type: 'long', + }, + 'host.network.ingress.bytes': { + dashed_name: 'host-network-ingress-bytes', + description: + 'The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.ingress.bytes', + level: 'extended', + name: 'network.ingress.bytes', + normalize: [], + short: 'The number of bytes received on all network interfaces.', + type: 'long', + }, + 'host.network.ingress.packets': { + dashed_name: 
'host-network-ingress-packets', + description: + 'The number of packets (gauge) received on all network interfaces by the host since the last metric collection.', + flat_name: 'host.network.ingress.packets', + level: 'extended', + name: 'network.ingress.packets', + normalize: [], + short: 'The number of packets received on all network interfaces.', + type: 'long', + }, + 'host.os.family': { + dashed_name: 'host-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'host.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'host.os.full': { + dashed_name: 'host-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'host.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'host.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'host.os.kernel': { + dashed_name: 'host-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'host.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'host.os.name': { + dashed_name: 'host-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'host.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'host.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'os', + short: 
'Operating system name, without the version.', + type: 'keyword', + }, + 'host.os.platform': { + dashed_name: 'host-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'host.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'host.os.type': { + dashed_name: 'host-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'host.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'host.os.version': { + dashed_name: 'host-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'host.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'host.pid_ns_ino': { + beta: 'This field is beta and subject to change.', + dashed_name: 'host-pid-ns-ino', + description: + 'This is the inode number of the namespace in the namespace file system (nsfs). 
Unsigned int inum in include/linux/ns_common.h.', + example: 256383, + flat_name: 'host.pid_ns_ino', + ignore_above: 1024, + level: 'extended', + name: 'pid_ns_ino', + normalize: [], + short: 'Pid namespace inode', + type: 'keyword', + }, + 'host.risk.calculated_level': { + dashed_name: 'host-risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'host.risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'keyword', + }, + 'host.risk.calculated_score': { + dashed_name: 'host-risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'host.risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'host.risk.calculated_score_norm': { + dashed_name: 'host-risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.', + example: 88.73, + flat_name: 'host.risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'host.risk.static_level': { + dashed_name: 'host-risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some 
external Threat Intelligence Platform.', + example: 'High', + flat_name: 'host.risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'keyword', + }, + 'host.risk.static_score': { + dashed_name: 'host-risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'host.risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'host.risk.static_score_norm': { + dashed_name: 'host-risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'host.risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + 'host.type': { + dashed_name: 'host-type', + description: + 'Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment.', + flat_name: 'host.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'Type of host.', + type: 'keyword', + }, + 'host.uptime': { + dashed_name: 'host-uptime', + description: 'Seconds the host has been up.', + example: 1325, + flat_name: 'host.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + short: 'Seconds the host has been up.', + type: 'long', + }, + }, + group: 2, + name: 'host', + nestings: ['host.geo', 'host.os', 'host.risk'], + prefix: 'host.', + reused_here: [ + { + full: 'host.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'host.os', + schema_name: 'os', + short: 'OS fields contain information about the operating system.', + }, + { + full: 'host.risk', + schema_name: 'risk', + short: 'Fields for describing risk score and level.', + }, + ], + short: 'Fields describing the relevant computing instance.', + title: 'Host', + type: 'group', + }, + http: { + description: + 'Fields related to HTTP activity. 
Use the `url` field set to store the url of the request.', + fields: { + 'http.request.body.bytes': { + dashed_name: 'http-request-body-bytes', + description: 'Size in bytes of the request body.', + example: 887, + flat_name: 'http.request.body.bytes', + format: 'bytes', + level: 'extended', + name: 'request.body.bytes', + normalize: [], + short: 'Size in bytes of the request body.', + type: 'long', + }, + 'http.request.body.content': { + dashed_name: 'http-request-body-content', + description: 'The full HTTP request body.', + example: 'Hello world', + flat_name: 'http.request.body.content', + level: 'extended', + multi_fields: [ + { + flat_name: 'http.request.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'request.body.content', + normalize: [], + short: 'The full HTTP request body.', + type: 'wildcard', + }, + 'http.request.bytes': { + dashed_name: 'http-request-bytes', + description: 'Total size in bytes of the request (body and headers).', + example: 1437, + flat_name: 'http.request.bytes', + format: 'bytes', + level: 'extended', + name: 'request.bytes', + normalize: [], + short: 'Total size in bytes of the request (body and headers).', + type: 'long', + }, + 'http.request.id': { + dashed_name: 'http-request-id', + description: + 'A unique identifier for each HTTP request to correlate logs between clients and servers in transactions.\nThe id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`.', + example: '123e4567-e89b-12d3-a456-426614174000', + flat_name: 'http.request.id', + ignore_above: 1024, + level: 'extended', + name: 'request.id', + normalize: [], + short: 'HTTP request ID.', + type: 'keyword', + }, + 'http.request.method': { + dashed_name: 'http-request-method', + description: + 'HTTP request method.\nThe value should retain its casing from the original event. 
For example, `GET`, `get`, and `GeT` are all considered valid values for this field.', + example: 'POST', + flat_name: 'http.request.method', + ignore_above: 1024, + level: 'extended', + name: 'request.method', + normalize: [], + short: 'HTTP request method.', + type: 'keyword', + }, + 'http.request.mime_type': { + dashed_name: 'http-request-mime-type', + description: + "Mime type of the body of the request.\nThis value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.", + example: 'image/gif', + flat_name: 'http.request.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'request.mime_type', + normalize: [], + short: 'Mime type of the body of the request.', + type: 'keyword', + }, + 'http.request.referrer': { + dashed_name: 'http-request-referrer', + description: 'Referrer for this HTTP request.', + example: 'https://blog.example.com/', + flat_name: 'http.request.referrer', + ignore_above: 1024, + level: 'extended', + name: 'request.referrer', + normalize: [], + short: 'Referrer for this HTTP request.', + type: 'keyword', + }, + 'http.response.body.bytes': { + dashed_name: 'http-response-body-bytes', + description: 'Size in bytes of the response body.', + example: 887, + flat_name: 'http.response.body.bytes', + format: 'bytes', + level: 'extended', + name: 'response.body.bytes', + normalize: [], + short: 'Size in bytes of the response body.', + type: 'long', + }, + 'http.response.body.content': { + dashed_name: 'http-response-body-content', + description: 'The full HTTP response body.', + example: 'Hello world', + flat_name: 'http.response.body.content', + level: 'extended', + multi_fields: [ + { + flat_name: 'http.response.body.content.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'response.body.content', + normalize: [], + short: 'The full HTTP 
response body.', + type: 'wildcard', + }, + 'http.response.bytes': { + dashed_name: 'http-response-bytes', + description: 'Total size in bytes of the response (body and headers).', + example: 1437, + flat_name: 'http.response.bytes', + format: 'bytes', + level: 'extended', + name: 'response.bytes', + normalize: [], + short: 'Total size in bytes of the response (body and headers).', + type: 'long', + }, + 'http.response.mime_type': { + dashed_name: 'http-response-mime-type', + description: + "Mime type of the body of the response.\nThis value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.", + example: 'image/gif', + flat_name: 'http.response.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'response.mime_type', + normalize: [], + short: 'Mime type of the body of the response.', + type: 'keyword', + }, + 'http.response.status_code': { + dashed_name: 'http-response-status-code', + description: 'HTTP response status code.', + example: 404, + flat_name: 'http.response.status_code', + format: 'string', + level: 'extended', + name: 'response.status_code', + normalize: [], + short: 'HTTP response status code.', + type: 'long', + }, + 'http.version': { + dashed_name: 'http-version', + description: 'HTTP version.', + example: 1.1, + flat_name: 'http.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'HTTP version.', + type: 'keyword', + }, + }, + group: 2, + name: 'http', + prefix: 'http.', + short: 'Fields describing an HTTP request.', + title: 'HTTP', + type: 'group', + }, + interface: { + description: + 'The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. 
In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated.', + fields: { + 'interface.alias': { + dashed_name: 'interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + short: 'Interface alias', + type: 'keyword', + }, + 'interface.id': { + dashed_name: 'interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Interface ID', + type: 'keyword', + }, + 'interface.name': { + dashed_name: 'interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Interface name', + type: 'keyword', + }, + }, + group: 2, + name: 'interface', + prefix: 'interface.', + reusable: { + expected: [ + { + as: 'interface', + at: 'observer.ingress', + full: 'observer.ingress.interface', + }, + { + as: 'interface', + at: 'observer.egress', + full: 'observer.egress.interface', + }, + ], + top_level: false, + }, + short: 'Fields to describe observer interface information.', + title: 'Interface', + type: 'group', + }, + log: { + description: + "Details about the event's logging mechanism or logging transport.\nThe log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. 
For example, syslog details belong under `log.syslog.*`.\nThe details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.", + fields: { + 'log.file.path': { + dashed_name: 'log-file-path', + description: + "Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.\nIf the event wasn't read from a log file, do not populate this field.", + example: '/var/log/fun-times.log', + flat_name: 'log.file.path', + ignore_above: 1024, + level: 'extended', + name: 'file.path', + normalize: [], + short: 'Full path to the log file this event came from.', + type: 'keyword', + }, + 'log.level': { + dashed_name: 'log-level', + description: + "Original log level of the log event.\nIf the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).\nSome examples are `warn`, `err`, `i`, `informational`.", + example: 'error', + flat_name: 'log.level', + ignore_above: 1024, + level: 'core', + name: 'level', + normalize: [], + short: 'Log level of the log event.', + type: 'keyword', + }, + 'log.logger': { + dashed_name: 'log-logger', + description: + 'The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name.', + example: 'org.elasticsearch.bootstrap.Bootstrap', + flat_name: 'log.logger', + ignore_above: 1024, + level: 'core', + name: 'logger', + normalize: [], + short: 'Name of the logger.', + type: 'keyword', + }, + 'log.origin.file.line': { + dashed_name: 'log-origin-file-line', + description: + 'The line number of the file containing the source code which originated the log event.', + example: 42, + flat_name: 'log.origin.file.line', + level: 'extended', + name: 'origin.file.line', + normalize: [], + short: 'The line number of the file which originated the log event.', + type: 'long', + }, + 'log.origin.file.name': { + dashed_name: 'log-origin-file-name', + description: + 'The name of the file containing the source code which originated the log event.\nNote that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.', + example: 'Bootstrap.java', + flat_name: 'log.origin.file.name', + ignore_above: 1024, + level: 'extended', + name: 'origin.file.name', + normalize: [], + short: 'The code file which originated the log event.', + type: 'keyword', + }, + 'log.origin.function': { + dashed_name: 'log-origin-function', + description: 'The name of the function or method which originated the log event.', + example: 'init', + flat_name: 'log.origin.function', + ignore_above: 1024, + level: 'extended', + name: 'origin.function', + normalize: [], + short: 'The function which originated the log event.', + type: 'keyword', + }, + 'log.syslog': { + dashed_name: 'log-syslog', + description: + 'The Syslog metadata of the event, if the event was transmitted via Syslog. 
Please see RFCs 5424 or 3164.', + flat_name: 'log.syslog', + level: 'extended', + name: 'syslog', + normalize: [], + short: 'Syslog metadata', + type: 'object', + }, + 'log.syslog.appname': { + dashed_name: 'log-syslog-appname', + description: 'The device or application that originated the Syslog message, if available.', + example: 'sshd', + flat_name: 'log.syslog.appname', + ignore_above: 1024, + level: 'extended', + name: 'syslog.appname', + normalize: [], + short: 'The device or application that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.facility.code': { + dashed_name: 'log-syslog-facility-code', + description: + 'The Syslog numeric facility of the log event, if available.\nAccording to RFCs 5424 and 3164, this value should be an integer between 0 and 23.', + example: 23, + flat_name: 'log.syslog.facility.code', + format: 'string', + level: 'extended', + name: 'syslog.facility.code', + normalize: [], + short: 'Syslog numeric facility of the event.', + type: 'long', + }, + 'log.syslog.facility.name': { + dashed_name: 'log-syslog-facility-name', + description: 'The Syslog text-based facility of the log event, if available.', + example: 'local7', + flat_name: 'log.syslog.facility.name', + ignore_above: 1024, + level: 'extended', + name: 'syslog.facility.name', + normalize: [], + short: 'Syslog text-based facility of the event.', + type: 'keyword', + }, + 'log.syslog.hostname': { + dashed_name: 'log-syslog-hostname', + description: + 'The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. 
Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.', + example: 'example-host', + flat_name: 'log.syslog.hostname', + ignore_above: 1024, + level: 'extended', + name: 'syslog.hostname', + normalize: [], + short: 'The host that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.msgid': { + dashed_name: 'log-syslog-msgid', + description: + 'An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages.', + example: 'ID47', + flat_name: 'log.syslog.msgid', + ignore_above: 1024, + level: 'extended', + name: 'syslog.msgid', + normalize: [], + short: 'An identifier for the type of Syslog message.', + type: 'keyword', + }, + 'log.syslog.priority': { + dashed_name: 'log-syslog-priority', + description: + 'Syslog numeric priority of the event, if available.\nAccording to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.', + example: 135, + flat_name: 'log.syslog.priority', + format: 'string', + level: 'extended', + name: 'syslog.priority', + normalize: [], + short: 'Syslog priority of the event.', + type: 'long', + }, + 'log.syslog.procid': { + dashed_name: 'log-syslog-procid', + description: 'The process name or ID that originated the Syslog message, if available.', + example: 12345, + flat_name: 'log.syslog.procid', + ignore_above: 1024, + level: 'extended', + name: 'syslog.procid', + normalize: [], + short: 'The process name or ID that originated the Syslog message.', + type: 'keyword', + }, + 'log.syslog.severity.code': { + dashed_name: 'log-syslog-severity-code', + description: + "The Syslog numeric severity of the log event, if available.\nIf the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.", + example: 3, + flat_name: 'log.syslog.severity.code', + level: 'extended', + name: 'syslog.severity.code', + normalize: [], + short: 'Syslog numeric severity of the event.', + type: 'long', + }, + 'log.syslog.severity.name': { + dashed_name: 'log-syslog-severity-name', + description: + "The Syslog numeric severity of the log event, if available.\nIf the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.", + example: 'Error', + flat_name: 'log.syslog.severity.name', + ignore_above: 1024, + level: 'extended', + name: 'syslog.severity.name', + normalize: [], + short: 'Syslog text-based severity of the event.', + type: 'keyword', + }, + 'log.syslog.structured_data': { + dashed_name: 'log-syslog-structured-data', + description: + 'Structured data expressed in RFC 5424 messages, if available. These are key-value pairs formed from the structured data portion of the syslog message, as defined in RFC 5424 Section 6.3.', + flat_name: 'log.syslog.structured_data', + level: 'extended', + name: 'syslog.structured_data', + normalize: [], + short: 'Structured data expressed in RFC 5424 messages.', + type: 'flattened', + }, + 'log.syslog.version': { + dashed_name: 'log-syslog-version', + description: + 'The version of the Syslog protocol specification. 
Only applicable for RFC 5424 messages.', + example: 1, + flat_name: 'log.syslog.version', + ignore_above: 1024, + level: 'extended', + name: 'syslog.version', + normalize: [], + short: 'Syslog protocol version.', + type: 'keyword', + }, + }, + group: 2, + name: 'log', + prefix: 'log.', + short: "Details about the event's logging mechanism.", + title: 'Log', + type: 'group', + }, + network: { + description: + 'The network is defined as the communication path over which a host or network event happens.\nThe network.* fields should be populated with details about the network activity associated with an event.', + fields: { + 'network.application': { + dashed_name: 'network-application', + description: + "When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.\nFor example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.\nThe field value must be normalized to lowercase for querying.", + example: 'aim', + flat_name: 'network.application', + ignore_above: 1024, + level: 'extended', + name: 'application', + normalize: [], + short: 'Application level protocol name.', + type: 'keyword', + }, + 'network.bytes': { + dashed_name: 'network-bytes', + description: + 'Total bytes transferred in both directions.\nIf `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.', + example: 368, + flat_name: 'network.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Total bytes transferred in both directions.', + type: 'long', + }, + 'network.community_id': { + dashed_name: 'network-community-id', + description: + 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows.\nLearn more at https://github.com/corelight/community-id-spec.', + example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=', + flat_name: 'network.community_id', + ignore_above: 1024, + level: 'extended', + name: 'community_id', + normalize: [], + short: 'A hash of source and destination IPs and ports.', + type: 'keyword', + }, + 'network.direction': { + dashed_name: 'network-direction', + description: + 'Direction of the network traffic.\nWhen mapping events from a host-based monitoring context, populate this field from the host\'s point of view, using the values "ingress" or "egress".\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".\nNote that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers.', + example: 'inbound', + expected_values: [ + 'ingress', + 'egress', + 'inbound', + 'outbound', + 'internal', + 'external', + 'unknown', + ], + flat_name: 'network.direction', + ignore_above: 1024, + level: 'core', + name: 'direction', + normalize: [], + short: 'Direction of the network traffic.', + type: 'keyword', + }, + 'network.forwarded_ip': { + dashed_name: 'network-forwarded-ip', + description: 'Host IP address when the source IP address is the proxy.', + example: '192.1.1.2', + flat_name: 'network.forwarded_ip', + level: 'core', + name: 'forwarded_ip', + normalize: [], + short: 'Host IP address when the source IP address is the proxy.', + type: 'ip', + }, + 'network.iana_number': { + dashed_name: 'network-iana-number', + description: + 'IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.', + example: 6, + flat_name: 'network.iana_number', + ignore_above: 1024, + level: 'extended', + name: 'iana_number', + normalize: [], + short: 'IANA Protocol Number.', + type: 'keyword', + }, + 'network.inner': { + dashed_name: 'network-inner', + description: + 'Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. 
Zeek, Wireshark.)', + flat_name: 'network.inner', + level: 'extended', + name: 'inner', + normalize: [], + short: 'Inner VLAN tag information', + type: 'object', + }, + 'network.inner.vlan.id': { + dashed_name: 'network-inner-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'network.inner.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'network.inner.vlan.name': { + dashed_name: 'network-inner-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'network.inner.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'network.name': { + dashed_name: 'network-name', + description: 'Name given by operators to sections of their network.', + example: 'Guest Wifi', + flat_name: 'network.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name given by operators to sections of their network.', + type: 'keyword', + }, + 'network.packets': { + dashed_name: 'network-packets', + description: + 'Total packets transferred in both directions.\nIf `source.packets` and `destination.packets` are known, `network.packets` is their sum.', + example: 24, + flat_name: 'network.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Total packets transferred in both directions.', + type: 'long', + }, + 'network.protocol': { + dashed_name: 'network-protocol', + description: + 'In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`.\nThe field value must be normalized to lowercase for querying.', + example: 'http', + flat_name: 'network.protocol', + ignore_above: 1024, + level: 'core', + name: 'protocol', + normalize: [], + short: 'Application protocol name.', + type: 'keyword', + }, + 'network.transport': { + dashed_name: 'network-transport', + description: + 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)\nThe field value must be normalized to lowercase for querying.', + example: 'tcp', + flat_name: 'network.transport', + ignore_above: 1024, + level: 'core', + name: 'transport', + normalize: [], + short: 'Protocol Name corresponding to the field `iana_number`.', + type: 'keyword', + }, + 'network.type': { + dashed_name: 'network-type', + description: + 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc\nThe field value must be normalized to lowercase for querying.', + example: 'ipv4', + flat_name: 'network.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc', + type: 'keyword', + }, + 'network.vlan.id': { + dashed_name: 'network-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'network.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'network.vlan.name': { + dashed_name: 'network-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'network.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + }, + group: 2, + name: 'network', + nestings: ['network.inner.vlan', 'network.vlan'], + prefix: 'network.', + reused_here: [ + { + full: 'network.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + { + full: 'network.inner.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + ], + short: 'Fields describing the communication path over which the event happened.', + title: 'Network', + type: 'group', + }, + observer: { + description: + 'An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.\nThis could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. 
Message queues and ETL components used in processing events or metrics are not considered observers in ECS.', + fields: { + 'observer.egress': { + dashed_name: 'observer-egress', + description: + 'Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.', + flat_name: 'observer.egress', + level: 'extended', + name: 'egress', + normalize: [], + short: 'Object field for egress information', + type: 'object', + }, + 'observer.egress.interface.alias': { + dashed_name: 'observer-egress-interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'observer.egress.interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + original_fieldset: 'interface', + short: 'Interface alias', + type: 'keyword', + }, + 'observer.egress.interface.id': { + dashed_name: 'observer-egress-interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'observer.egress.interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'interface', + short: 'Interface ID', + type: 'keyword', + }, + 'observer.egress.interface.name': { + dashed_name: 'observer-egress-interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'observer.egress.interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'interface', + short: 'Interface name', + type: 'keyword', + }, + 'observer.egress.vlan.id': { + dashed_name: 'observer-egress-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + 
flat_name: 'observer.egress.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'observer.egress.vlan.name': { + dashed_name: 'observer-egress-vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'observer.egress.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'observer.egress.zone': { + dashed_name: 'observer-egress-zone', + description: + 'Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.', + example: 'Public_Internet', + flat_name: 'observer.egress.zone', + ignore_above: 1024, + level: 'extended', + name: 'egress.zone', + normalize: [], + short: 'Observer Egress zone', + type: 'keyword', + }, + 'observer.geo.city_name': { + dashed_name: 'observer-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'observer.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'observer.geo.continent_code': { + dashed_name: 'observer-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'observer.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'observer.geo.continent_name': { + dashed_name: 'observer-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'observer.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 
'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'observer.geo.country_iso_code': { + dashed_name: 'observer-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'observer.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'observer.geo.country_name': { + dashed_name: 'observer-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'observer.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'observer.geo.location': { + dashed_name: 'observer-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'observer.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'observer.geo.name': { + dashed_name: 'observer-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'observer.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'observer.geo.postal_code': { + dashed_name: 'observer-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + 
flat_name: 'observer.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'observer.geo.region_iso_code': { + dashed_name: 'observer-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'observer.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'observer.geo.region_name': { + dashed_name: 'observer-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'observer.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'observer.geo.timezone': { + dashed_name: 'observer-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'observer.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'observer.hostname': { + dashed_name: 'observer-hostname', + description: 'Hostname of the observer.', + flat_name: 'observer.hostname', + ignore_above: 1024, + level: 'core', + name: 'hostname', + normalize: [], + short: 'Hostname of the observer.', + type: 'keyword', + }, + 'observer.ingress': { + dashed_name: 'observer-ingress', + description: + 'Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. 
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.', + flat_name: 'observer.ingress', + level: 'extended', + name: 'ingress', + normalize: [], + short: 'Object field for ingress information', + type: 'object', + }, + 'observer.ingress.interface.alias': { + dashed_name: 'observer-ingress-interface-alias', + description: + 'Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.', + example: 'outside', + flat_name: 'observer.ingress.interface.alias', + ignore_above: 1024, + level: 'extended', + name: 'alias', + normalize: [], + original_fieldset: 'interface', + short: 'Interface alias', + type: 'keyword', + }, + 'observer.ingress.interface.id': { + dashed_name: 'observer-ingress-interface-id', + description: 'Interface ID as reported by an observer (typically SNMP interface ID).', + example: 10, + flat_name: 'observer.ingress.interface.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'interface', + short: 'Interface ID', + type: 'keyword', + }, + 'observer.ingress.interface.name': { + dashed_name: 'observer-ingress-interface-name', + description: 'Interface name as reported by the system.', + example: 'eth0', + flat_name: 'observer.ingress.interface.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'interface', + short: 'Interface name', + type: 'keyword', + }, + 'observer.ingress.vlan.id': { + dashed_name: 'observer-ingress-vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'observer.ingress.vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'vlan', + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'observer.ingress.vlan.name': { + dashed_name: 'observer-ingress-vlan-name', + description: 
'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'observer.ingress.vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'vlan', + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + 'observer.ingress.zone': { + dashed_name: 'observer-ingress-zone', + description: + 'Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.', + example: 'DMZ', + flat_name: 'observer.ingress.zone', + ignore_above: 1024, + level: 'extended', + name: 'ingress.zone', + normalize: [], + short: 'Observer ingress zone', + type: 'keyword', + }, + 'observer.ip': { + dashed_name: 'observer-ip', + description: 'IP addresses of the observer.', + flat_name: 'observer.ip', + level: 'core', + name: 'ip', + normalize: ['array'], + short: 'IP addresses of the observer.', + type: 'ip', + }, + 'observer.mac': { + dashed_name: 'observer-mac', + description: + 'MAC addresses of the observer.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]', + flat_name: 'observer.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: ['array'], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC addresses of the observer.', + type: 'keyword', + }, + 'observer.name': { + dashed_name: 'observer-name', + description: + 'Custom name of the observer.\nThis is a name that can be given to an observer. 
This can be helpful for example if multiple firewalls of the same model are used in an organization.\nIf no custom name is needed, the field can be left empty.', + example: '1_proxySG', + flat_name: 'observer.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Custom name of the observer.', + type: 'keyword', + }, + 'observer.os.family': { + dashed_name: 'observer-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'observer.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'observer.os.full': { + dashed_name: 'observer-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'observer.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'observer.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'observer.os.kernel': { + dashed_name: 'observer-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'observer.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'observer.os.name': { + dashed_name: 'observer-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'observer.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'observer.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: 
[], + original_fieldset: 'os', + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'observer.os.platform': { + dashed_name: 'observer-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'observer.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'observer.os.type': { + dashed_name: 'observer-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'observer.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'observer.os.version': { + dashed_name: 'observer-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'observer.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'observer.product': { + dashed_name: 'observer-product', + description: 'The product name of the observer.', + example: 's200', + flat_name: 'observer.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + short: 'The product name of the observer.', + type: 'keyword', + }, + 'observer.serial_number': { + dashed_name: 'observer-serial-number', + description: 'Observer 
serial number.', + flat_name: 'observer.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + short: 'Observer serial number.', + type: 'keyword', + }, + 'observer.type': { + dashed_name: 'observer-type', + description: + 'The type of the observer the data is coming from.\nThere is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.', + example: 'firewall', + flat_name: 'observer.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'The type of the observer the data is coming from.', + type: 'keyword', + }, + 'observer.vendor': { + dashed_name: 'observer-vendor', + description: 'Vendor name of the observer.', + example: 'Symantec', + flat_name: 'observer.vendor', + ignore_above: 1024, + level: 'core', + name: 'vendor', + normalize: [], + short: 'Vendor name of the observer.', + type: 'keyword', + }, + 'observer.version': { + dashed_name: 'observer-version', + description: 'Observer version.', + flat_name: 'observer.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Observer version.', + type: 'keyword', + }, + }, + group: 2, + name: 'observer', + nestings: [ + 'observer.egress.interface', + 'observer.egress.vlan', + 'observer.geo', + 'observer.ingress.interface', + 'observer.ingress.vlan', + 'observer.os', + ], + prefix: 'observer.', + reused_here: [ + { + full: 'observer.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'observer.ingress.interface', + schema_name: 'interface', + short: 'Fields to describe observer interface information.', + }, + { + full: 'observer.egress.interface', + schema_name: 'interface', + short: 'Fields to describe observer interface information.', + }, + { + full: 'observer.os', + schema_name: 'os', + short: 'OS fields contain information about the operating system.', + }, + { + full: 
'observer.ingress.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + { + full: 'observer.egress.vlan', + schema_name: 'vlan', + short: 'Fields to describe observed VLAN information.', + }, + ], + short: 'Fields describing an entity observing the event from outside the host.', + title: 'Observer', + type: 'group', + }, + orchestrator: { + description: + 'Fields that describe the resources which container orchestrators manage or act upon.', + fields: { + 'orchestrator.api_version': { + dashed_name: 'orchestrator-api-version', + description: 'API version being used to carry out the action', + example: 'v1beta1', + flat_name: 'orchestrator.api_version', + ignore_above: 1024, + level: 'extended', + name: 'api_version', + normalize: [], + short: 'API version being used to carry out the action', + type: 'keyword', + }, + 'orchestrator.cluster.id': { + dashed_name: 'orchestrator-cluster-id', + description: 'Unique ID of the cluster.', + flat_name: 'orchestrator.cluster.id', + ignore_above: 1024, + level: 'extended', + name: 'cluster.id', + normalize: [], + short: 'Unique ID of the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.name': { + dashed_name: 'orchestrator-cluster-name', + description: 'Name of the cluster.', + flat_name: 'orchestrator.cluster.name', + ignore_above: 1024, + level: 'extended', + name: 'cluster.name', + normalize: [], + short: 'Name of the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.url': { + dashed_name: 'orchestrator-cluster-url', + description: 'URL of the API used to manage the cluster.', + flat_name: 'orchestrator.cluster.url', + ignore_above: 1024, + level: 'extended', + name: 'cluster.url', + normalize: [], + short: 'URL of the API used to manage the cluster.', + type: 'keyword', + }, + 'orchestrator.cluster.version': { + dashed_name: 'orchestrator-cluster-version', + description: 'The version of the cluster.', + flat_name: 'orchestrator.cluster.version', + ignore_above: 
1024, + level: 'extended', + name: 'cluster.version', + normalize: [], + short: 'The version of the cluster.', + type: 'keyword', + }, + 'orchestrator.namespace': { + dashed_name: 'orchestrator-namespace', + description: 'Namespace in which the action is taking place.', + example: 'kube-system', + flat_name: 'orchestrator.namespace', + ignore_above: 1024, + level: 'extended', + name: 'namespace', + normalize: [], + short: 'Namespace in which the action is taking place.', + type: 'keyword', + }, + 'orchestrator.organization': { + dashed_name: 'orchestrator-organization', + description: 'Organization affected by the event (for multi-tenant orchestrator setups).', + example: 'elastic', + flat_name: 'orchestrator.organization', + ignore_above: 1024, + level: 'extended', + name: 'organization', + normalize: [], + short: 'Organization affected by the event (for multi-tenant orchestrator setups).', + type: 'keyword', + }, + 'orchestrator.resource.id': { + dashed_name: 'orchestrator-resource-id', + description: 'Unique ID of the resource being acted upon.', + flat_name: 'orchestrator.resource.id', + ignore_above: 1024, + level: 'extended', + name: 'resource.id', + normalize: [], + short: 'Unique ID of the resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.resource.ip': { + dashed_name: 'orchestrator-resource-ip', + description: + 'IP address assigned to the resource associated with the event being observed. 
In the case of a Kubernetes Pod, this array would contain only one element: the IP of the Pod (as opposed to the Node on which the Pod is running).', + flat_name: 'orchestrator.resource.ip', + level: 'extended', + name: 'resource.ip', + normalize: ['array'], + short: 'IP address assigned to the resource associated with the event being observed.', + type: 'ip', + }, + 'orchestrator.resource.name': { + dashed_name: 'orchestrator-resource-name', + description: 'Name of the resource being acted upon.', + example: 'test-pod-cdcws', + flat_name: 'orchestrator.resource.name', + ignore_above: 1024, + level: 'extended', + name: 'resource.name', + normalize: [], + short: 'Name of the resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.resource.parent.type': { + dashed_name: 'orchestrator-resource-parent-type', + description: + 'Type or kind of the parent resource associated with the event being observed. In Kubernetes, this will be the name of a built-in workload resource (e.g., Deployment, StatefulSet, DaemonSet).', + example: 'DaemonSet', + flat_name: 'orchestrator.resource.parent.type', + ignore_above: 1024, + level: 'extended', + name: 'resource.parent.type', + normalize: [], + short: 'Type or kind of the parent resource associated with the event being observed.', + type: 'keyword', + }, + 'orchestrator.resource.type': { + dashed_name: 'orchestrator-resource-type', + description: 'Type of resource being acted upon.', + example: 'service', + flat_name: 'orchestrator.resource.type', + ignore_above: 1024, + level: 'extended', + name: 'resource.type', + normalize: [], + short: 'Type of resource being acted upon.', + type: 'keyword', + }, + 'orchestrator.type': { + dashed_name: 'orchestrator-type', + description: 'Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).', + example: 'kubernetes', + flat_name: 'orchestrator.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry).', + type: 'keyword', + }, + }, + group: 2, + name: 'orchestrator', + prefix: 'orchestrator.', + short: 'Fields relevant to container orchestrators.', + title: 'Orchestrator', + type: 'group', + }, + organization: { + description: + 'The organization fields enrich data with information about the company or entity the data is associated with.\nThese fields help you arrange or filter data stored in an index by one or multiple organizations.', + fields: { + 'organization.id': { + dashed_name: 'organization-id', + description: 'Unique identifier for the organization.', + flat_name: 'organization.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Unique identifier for the organization.', + type: 'keyword', + }, + 'organization.name': { + dashed_name: 'organization-name', + description: 'Organization name.', + flat_name: 'organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + short: 'Organization name.', + type: 'keyword', + }, + }, + group: 2, + name: 'organization', + prefix: 'organization.', + short: 'Fields describing the organization or company the event is associated with.', + title: 'Organization', + type: 'group', + }, + os: { + description: 'The OS fields contain information about the operating system.', + fields: { + 'os.family': { + dashed_name: 'os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'os.full': { + dashed_name: 'os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'os.full', + ignore_above: 1024, + 
level: 'extended', + multi_fields: [{ flat_name: 'os.full.text', name: 'text', type: 'match_only_text' }], + name: 'full', + normalize: [], + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'os.kernel': { + dashed_name: 'os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'os.name': { + dashed_name: 'os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [{ flat_name: 'os.name.text', name: 'text', type: 'match_only_text' }], + name: 'name', + normalize: [], + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'os.platform': { + dashed_name: 'os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'os.type': { + dashed_name: 'os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. 
Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'os.version': { + dashed_name: 'os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + }, + group: 2, + name: 'os', + prefix: 'os.', + reusable: { + expected: [ + { as: 'os', at: 'observer', full: 'observer.os' }, + { as: 'os', at: 'host', full: 'host.os' }, + { as: 'os', at: 'user_agent', full: 'user_agent.os' }, + ], + top_level: false, + }, + short: 'OS fields contain information about the operating system.', + title: 'Operating System', + type: 'group', + }, + package: { + description: + 'These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. 
It also contains installation details, such as time or location.', + fields: { + 'package.architecture': { + dashed_name: 'package-architecture', + description: 'Package architecture.', + example: 'x86_64', + flat_name: 'package.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + short: 'Package architecture.', + type: 'keyword', + }, + 'package.build_version': { + dashed_name: 'package-build-version', + description: + 'Additional information about the build version of the installed package.\nFor example use the commit SHA of a non-released package.', + example: '36f4f7e89dd61b0988b12ee000b98966867710cd', + flat_name: 'package.build_version', + ignore_above: 1024, + level: 'extended', + name: 'build_version', + normalize: [], + short: 'Build version information', + type: 'keyword', + }, + 'package.checksum': { + dashed_name: 'package-checksum', + description: 'Checksum of the installed package for verification.', + example: '68b329da9893e34099c7d8ad5cb9c940', + flat_name: 'package.checksum', + ignore_above: 1024, + level: 'extended', + name: 'checksum', + normalize: [], + short: 'Checksum of the installed package for verification.', + type: 'keyword', + }, + 'package.description': { + dashed_name: 'package-description', + description: 'Description of the package.', + example: 'Open source programming language to build simple/reliable/efficient software.', + flat_name: 'package.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Description of the package.', + type: 'keyword', + }, + 'package.install_scope': { + dashed_name: 'package-install-scope', + description: 'Indicating how the package was installed, e.g. user-local, global.', + example: 'global', + flat_name: 'package.install_scope', + ignore_above: 1024, + level: 'extended', + name: 'install_scope', + normalize: [], + short: 'Indicating how the package was installed, e.g. 
user-local, global.', + type: 'keyword', + }, + 'package.installed': { + dashed_name: 'package-installed', + description: 'Time when package was installed.', + flat_name: 'package.installed', + level: 'extended', + name: 'installed', + normalize: [], + short: 'Time when package was installed.', + type: 'date', + }, + 'package.license': { + dashed_name: 'package-license', + description: + 'License under which the package was released.\nUse a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).', + example: 'Apache License 2.0', + flat_name: 'package.license', + ignore_above: 1024, + level: 'extended', + name: 'license', + normalize: [], + short: 'Package license', + type: 'keyword', + }, + 'package.name': { + dashed_name: 'package-name', + description: 'Package name', + example: 'go', + flat_name: 'package.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Package name', + type: 'keyword', + }, + 'package.path': { + dashed_name: 'package-path', + description: 'Path where the package is installed.', + example: '/usr/local/Cellar/go/1.12.9/', + flat_name: 'package.path', + ignore_above: 1024, + level: 'extended', + name: 'path', + normalize: [], + short: 'Path where the package is installed.', + type: 'keyword', + }, + 'package.reference': { + dashed_name: 'package-reference', + description: 'Home page or reference URL of the software in this package, if available.', + example: 'https://golang.org', + flat_name: 'package.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Package home page or reference URL', + type: 'keyword', + }, + 'package.size': { + dashed_name: 'package-size', + description: 'Package size in bytes.', + example: 62231, + flat_name: 'package.size', + format: 'string', + level: 'extended', + name: 'size', + normalize: [], + short: 'Package size in bytes.', + type: 'long', + }, + 'package.type': { + 
dashed_name: 'package-type', + description: + 'Type of package.\nThis should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.', + example: 'rpm', + flat_name: 'package.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + short: 'Package type', + type: 'keyword', + }, + 'package.version': { + dashed_name: 'package-version', + description: 'Package version', + example: '1.12.9', + flat_name: 'package.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Package version', + type: 'keyword', + }, + }, + group: 2, + name: 'package', + prefix: 'package.', + short: 'These fields contain information about an installed software package.', + title: 'Package', + type: 'group', + }, + pe: { + description: 'These fields contain Windows Portable Executable (PE) metadata.', + fields: { + 'pe.architecture': { + dashed_name: 'pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'pe.company': { + dashed_name: 'pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'pe.description': { + dashed_name: 'pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'pe.file_version': { 
+ dashed_name: 'pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + short: 'Process name.', + type: 'keyword', + }, + 'pe.imphash': { + dashed_name: 'pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'pe.original_file_name': { + dashed_name: 'pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'pe.pehash': { + dashed_name: 'pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'pe.product': { + dashed_name: 'pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + }, + group: 2, + name: 'pe', + prefix: 'pe.', + reusable: { + expected: [ + { as: 'pe', at: 'file', full: 'file.pe' }, + { as: 'pe', at: 'dll', full: 'dll.pe' }, + { as: 'pe', at: 'process', full: 'process.pe' }, + ], + top_level: false, + }, + short: 'These fields contain Windows Portable Executable (PE) metadata.', + title: 'PE Header', + type: 'group', + }, + process: { + description: + 'These fields contain information about a process.\nThese fields can help you correlate metrics information with a process id/name from a log message. 
The `process.pid` often stays in the metric itself and is copied to the global field for correlation.', + fields: { + 'process.args': { + dashed_name: 'process-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.args_count': { + dashed_name: 'process-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.code_signature.digest_algorithm': { + dashed_name: 'process-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'process.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.exists': { + dashed_name: 'process-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'process.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 
'boolean', + }, + 'process.code_signature.signing_id': { + dashed_name: 'process-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'process.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.status': { + dashed_name: 'process-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'process.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'process.code_signature.subject_name': { + dashed_name: 'process-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'process.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'process.code_signature.team_id': { + dashed_name: 'process-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'process.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'process.code_signature.timestamp': { + dashed_name: 'process-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'process.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'process.code_signature.trusted': { + dashed_name: 'process-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'process.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'process.code_signature.valid': { + dashed_name: 'process-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'process.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'process.command_line': { + dashed_name: 'process-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and 
all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.elf.architecture': { + dashed_name: 'process-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'process.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'process.elf.byte_order': { + dashed_name: 'process-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'process.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'process.elf.cpu_type': { + dashed_name: 'process-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'process.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'process.elf.creation_date': { + dashed_name: 'process-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'process.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'process.elf.exports': { + dashed_name: 'process-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'process.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'process.elf.header.abi_version': { + dashed_name: 'process-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'process.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'process.elf.header.class': { + dashed_name: 'process-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'process.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'process.elf.header.data': { + dashed_name: 'process-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'process.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'process.elf.header.entrypoint': { + dashed_name: 'process-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'process.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF 
file.', + type: 'long', + }, + 'process.elf.header.object_version': { + dashed_name: 'process-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'process.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'process.elf.header.os_abi': { + dashed_name: 'process-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'process.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'process.elf.header.type': { + dashed_name: 'process-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'process.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'process.elf.header.version': { + dashed_name: 'process-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'process.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'process.elf.imports': { + dashed_name: 'process-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'process.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'process.elf.sections': { + dashed_name: 'process-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in 
these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'process.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'process.elf.sections.chi2': { + dashed_name: 'process-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'process.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'process.elf.sections.entropy': { + dashed_name: 'process-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'process.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'process.elf.sections.flags': { + dashed_name: 'process-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'process.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'process.elf.sections.name': { + dashed_name: 'process-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'process.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'process.elf.sections.physical_offset': { + dashed_name: 'process-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'process.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: 
[], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'process.elf.sections.physical_size': { + dashed_name: 'process-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'process.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'process.elf.sections.type': { + dashed_name: 'process-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'process.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'process.elf.sections.virtual_address': { + dashed_name: 'process-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'process.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'process.elf.sections.virtual_size': { + dashed_name: 'process-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'process.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'process.elf.segments': { + dashed_name: 'process-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'process.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + 
type: 'nested', + }, + 'process.elf.segments.sections': { + dashed_name: 'process-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'process.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'process.elf.segments.type': { + dashed_name: 'process-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'process.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'process.elf.shared_libraries': { + dashed_name: 'process-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'process.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'process.elf.telfhash': { + dashed_name: 'process-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'process.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'process.end': { + dashed_name: 'process-end', + description: 'The time the process ended.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.end', + level: 'extended', + name: 'end', + normalize: [], + short: 'The time the process ended.', + type: 'date', + }, + 'process.entity_id': { + dashed_name: 'process-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, 
or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.args': { + dashed_name: 'process-entry-leader-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.entry_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.entry_leader.args_count': { + dashed_name: 'process-entry-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.entry_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.entry_leader.attested_groups.name': { + dashed_name: 'process-entry-leader-attested-groups-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.attested_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.attested_user.id': { + dashed_name: 'process-entry-leader-attested-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.attested_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.attested_user.name': { + dashed_name: 'process-entry-leader-attested-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.attested_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.attested_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.command_line': { + dashed_name: 'process-entry-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 
'process.entry_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.entry_leader.entity_id': { + dashed_name: 'process-entry-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.entry_meta.source.ip': { + dashed_name: 'process-entry-leader-entry-meta-source-ip', + description: 'IP address of the source (IPv4 or IPv6).', + flat_name: 'process.entry_leader.entry_meta.source.ip', + level: 'core', + name: 'ip', + normalize: [], + original_fieldset: 'source', + short: 'IP address of the source.', + type: 'ip', + }, + 'process.entry_leader.entry_meta.type': { + dashed_name: 'process-entry-leader-entry-meta-type', + description: + 'The entry type for the entry session leader. 
Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console\nNote: This field is only set on process.session_leader.', + flat_name: 'process.entry_leader.entry_meta.type', + ignore_above: 1024, + level: 'extended', + name: 'entry_meta.type', + normalize: [], + original_fieldset: 'process', + short: 'The entry type for the entry session leader.', + type: 'keyword', + }, + 'process.entry_leader.executable': { + dashed_name: 'process-entry-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.entry_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.entry_leader.group.id': { + dashed_name: 'process-entry-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.group.name': { + dashed_name: 'process-entry-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.interactive': { + dashed_name: 'process-entry-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. 
If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.entry_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.entry_leader.name': { + dashed_name: 'process-entry-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.entry_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.entry_leader.parent.entity_id': { + dashed_name: 'process-entry-leader-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for 
the process.', + type: 'keyword', + }, + 'process.entry_leader.parent.pid': { + dashed_name: 'process-entry-leader-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.parent.session_leader.entity_id': { + dashed_name: 'process-entry-leader-parent-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.entry_leader.parent.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.entry_leader.parent.session_leader.pid': { + dashed_name: 'process-entry-leader-parent-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.parent.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.parent.session_leader.start': { + dashed_name: 'process-entry-leader-parent-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.parent.session_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process 
started.', + type: 'date', + }, + 'process.entry_leader.parent.start': { + dashed_name: 'process-entry-leader-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.entry_leader.pid': { + dashed_name: 'process-entry-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.entry_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.entry_leader.real_group.id': { + dashed_name: 'process-entry-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.real_group.name': { + dashed_name: 'process-entry-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.real_user.id': { + dashed_name: 'process-entry-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.real_user.name': { + dashed_name: 
'process-entry-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.same_as_process': { + dashed_name: 'process-entry-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. 
e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.entry_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.entry_leader.saved_group.id': { + dashed_name: 'process-entry-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.saved_group.name': { + dashed_name: 'process-entry-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.saved_user.id': { + dashed_name: 'process-entry-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.saved_user.name': { + 
dashed_name: 'process-entry-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.start': { + dashed_name: 'process-entry-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.entry_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.entry_leader.supplemental_groups.id': { + dashed_name: 'process-entry-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.entry_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.entry_leader.supplemental_groups.name': { + dashed_name: 'process-entry-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.entry_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.entry_leader.tty': { + dashed_name: 'process-entry-leader-tty', + description: + 'Information about the controlling TTY device. 
If set, the process belongs to an interactive session.', + flat_name: 'process.entry_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.entry_leader.tty.char_device.major': { + dashed_name: 'process-entry-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.entry_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.entry_leader.tty.char_device.minor': { + dashed_name: 'process-entry-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.entry_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.entry_leader.user.id': { + dashed_name: 'process-entry-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.entry_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.entry_leader.user.name': { + dashed_name: 'process-entry-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.entry_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.entry_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.entry_leader.working_directory': { + dashed_name: 'process-entry-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.entry_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.entry_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.env_vars': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-env-vars', + description: + 
'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.\nMay be filtered to protect sensitive information.', + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]', + flat_name: 'process.env_vars', + ignore_above: 1024, + level: 'extended', + name: 'env_vars', + normalize: ['array'], + short: 'Array of environment variable bindings.', + type: 'keyword', + }, + 'process.executable': { + dashed_name: 'process-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.exit_code': { + dashed_name: 'process-exit-code', + description: + 'The exit code of the process, if this is a termination event.\nThe field should be absent if there is no exit code for the event (e.g. 
process start).', + example: 137, + flat_name: 'process.exit_code', + level: 'extended', + name: 'exit_code', + normalize: [], + short: 'The exit code of the process.', + type: 'long', + }, + 'process.group_leader.args': { + dashed_name: 'process-group-leader-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.group_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.group_leader.args_count': { + dashed_name: 'process-group-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.group_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.group_leader.command_line': { + dashed_name: 'process-group-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.group_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.group_leader.entity_id': { + dashed_name: 
'process-group-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.group_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.group_leader.executable': { + dashed_name: 'process-group-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.group_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.group_leader.group.id': { + dashed_name: 'process-group-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.group.name': { + dashed_name: 'process-group-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + 
type: 'keyword', + }, + 'process.group_leader.interactive': { + dashed_name: 'process-group-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.group_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.group_leader.name': { + dashed_name: 'process-group-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.group_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.group_leader.pid': { + dashed_name: 'process-group-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.group_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.group_leader.real_group.id': { + dashed_name: 'process-group-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 
'process.group_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.real_group.name': { + dashed_name: 'process-group-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.group_leader.real_user.id': { + dashed_name: 'process-group-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.real_user.name': { + dashed_name: 'process-group-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.same_as_process': { + dashed_name: 'process-group-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. 
Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.group_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.group_leader.saved_group.id': { + dashed_name: 'process-group-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.saved_group.name': { + dashed_name: 'process-group-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.group_leader.saved_user.id': { + dashed_name: 'process-group-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.saved_user.name': { + dashed_name: 'process-group-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.start': { + dashed_name: 'process-group-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.group_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.group_leader.supplemental_groups.id': { + dashed_name: 'process-group-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.group_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.group_leader.supplemental_groups.name': { + dashed_name: 'process-group-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.group_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 
'process.group_leader.tty': { + dashed_name: 'process-group-leader-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.group_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.group_leader.tty.char_device.major': { + dashed_name: 'process-group-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.group_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.group_leader.tty.char_device.minor': { + dashed_name: 'process-group-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.group_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.group_leader.user.id': { + dashed_name: 'process-group-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.group_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.group_leader.user.name': { + dashed_name: 'process-group-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.group_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.group_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.group_leader.working_directory': { + dashed_name: 'process-group-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.group_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.group_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.hash.md5': { + dashed_name: 'process-hash-md5', + description: 'MD5 hash.', + flat_name: 'process.hash.md5', + 
ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'process.hash.sha1': { + dashed_name: 'process-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'process.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'process.hash.sha256': { + dashed_name: 'process-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'process.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'process.hash.sha384': { + dashed_name: 'process-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'process.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'process.hash.sha512': { + dashed_name: 'process-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'process.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'process.hash.ssdeep': { + dashed_name: 'process-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'process.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'process.hash.tlsh': { + dashed_name: 'process-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'process.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'process.interactive': { + dashed_name: 'process-interactive', + description: + 'Whether the process is connected to an interactive 
shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.io': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io', + description: + 'A chunk of input or output (IO) from a single process.\nThis field only appears on the top level process object, which is the process that wrote the output or read the input.', + flat_name: 'process.io', + level: 'extended', + name: 'io', + normalize: [], + short: 'A chunk of input or output (IO) from a single process.', + type: 'object', + }, + 'process.io.bytes_skipped': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped', + description: + 'An array of byte offsets and lengths denoting where IO data has been skipped.', + flat_name: 'process.io.bytes_skipped', + level: 'extended', + name: 'io.bytes_skipped', + normalize: ['array'], + short: 'An array of byte offsets and lengths denoting where IO data has been skipped.', + type: 'object', + }, + 'process.io.bytes_skipped.length': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped-length', + description: 'The length of bytes skipped.', + flat_name: 'process.io.bytes_skipped.length', + level: 'extended', + name: 'io.bytes_skipped.length', + normalize: [], + short: 
'The length of bytes skipped.', + type: 'long', + }, + 'process.io.bytes_skipped.offset': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-bytes-skipped-offset', + description: + "The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.", + flat_name: 'process.io.bytes_skipped.offset', + level: 'extended', + name: 'io.bytes_skipped.offset', + normalize: [], + short: + "The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.", + type: 'long', + }, + 'process.io.max_bytes_per_process_exceeded': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-max-bytes-per-process-exceeded', + description: + 'If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.', + flat_name: 'process.io.max_bytes_per_process_exceeded', + level: 'extended', + name: 'io.max_bytes_per_process_exceeded', + normalize: [], + short: + 'If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.', + type: 'boolean', + }, + 'process.io.text': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-text', + description: + 'A chunk of output or input sanitized to UTF-8.\nBest efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. 
TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.', + flat_name: 'process.io.text', + level: 'extended', + name: 'io.text', + normalize: [], + short: 'A chunk of output or input sanitized to UTF-8.', + type: 'wildcard', + }, + 'process.io.total_bytes_captured': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-total-bytes-captured', + description: 'The total number of bytes captured in this event.', + flat_name: 'process.io.total_bytes_captured', + level: 'extended', + name: 'io.total_bytes_captured', + normalize: [], + short: 'The total number of bytes captured in this event.', + type: 'long', + }, + 'process.io.total_bytes_skipped': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-total-bytes-skipped', + description: + 'The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero', + flat_name: 'process.io.total_bytes_skipped', + level: 'extended', + name: 'io.total_bytes_skipped', + normalize: [], + short: + 'The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.', + type: 'long', + }, + 'process.io.type': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-io-type', + description: + "The type of object on which the IO action (read or write) was taken.\nCurrently only 'tty' is supported. 
Other types may be added in the future for 'file' and 'socket' support.", + flat_name: 'process.io.type', + ignore_above: 1024, + level: 'extended', + name: 'io.type', + normalize: [], + short: 'The type of object on which the IO action (read or write) was taken.', + type: 'keyword', + }, + 'process.name': { + dashed_name: 'process-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.args': { + dashed_name: 'process-parent-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.parent.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.parent.args_count': { + dashed_name: 'process-parent-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.parent.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.parent.code_signature.digest_algorithm': { + dashed_name: 'process-parent-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'process.parent.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.exists': { + dashed_name: 'process-parent-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'process.parent.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'process.parent.code_signature.signing_id': { + dashed_name: 'process-parent-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'process.parent.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.status': { + dashed_name: 'process-parent-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'process.parent.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'process.parent.code_signature.subject_name': { + dashed_name: 'process-parent-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'process.parent.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'process.parent.code_signature.team_id': { + dashed_name: 'process-parent-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'process.parent.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'process.parent.code_signature.timestamp': { + dashed_name: 'process-parent-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'process.parent.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'process.parent.code_signature.trusted': { + dashed_name: 'process-parent-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'process.parent.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'process.parent.code_signature.valid': { + dashed_name: 'process-parent-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'process.parent.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'process.parent.command_line': { + dashed_name: 'process-parent-command-line', + description: + 'Full 
command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.parent.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.parent.elf.architecture': { + dashed_name: 'process-parent-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'process.parent.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.byte_order': { + dashed_name: 'process-parent-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'process.parent.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'process.parent.elf.cpu_type': { + dashed_name: 'process-parent-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'process.parent.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.creation_date': { + dashed_name: 'process-parent-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'process.parent.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'process.parent.elf.exports': { + dashed_name: 'process-parent-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'process.parent.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'process.parent.elf.header.abi_version': { + dashed_name: 'process-parent-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'process.parent.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'process.parent.elf.header.class': { + dashed_name: 'process-parent-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'process.parent.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.header.data': { + dashed_name: 'process-parent-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'process.parent.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'process.parent.elf.header.entrypoint': { + dashed_name: 'process-parent-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'process.parent.elf.header.entrypoint', + format: 'string', + level: 'extended', 
+ name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'process.parent.elf.header.object_version': { + dashed_name: 'process-parent-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'process.parent.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'process.parent.elf.header.os_abi': { + dashed_name: 'process-parent-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'process.parent.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'process.parent.elf.header.type': { + dashed_name: 'process-parent-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'process.parent.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'process.parent.elf.header.version': { + dashed_name: 'process-parent-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'process.parent.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'process.parent.elf.imports': { + dashed_name: 'process-parent-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'process.parent.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and 
types.', + type: 'flattened', + }, + 'process.parent.elf.sections': { + dashed_name: 'process-parent-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'process.parent.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'process.parent.elf.sections.chi2': { + dashed_name: 'process-parent-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'process.parent.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'process.parent.elf.sections.entropy': { + dashed_name: 'process-parent-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'process.parent.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'process.parent.elf.sections.flags': { + dashed_name: 'process-parent-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'process.parent.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'process.parent.elf.sections.name': { + dashed_name: 'process-parent-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'process.parent.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF 
Section List name.', + type: 'keyword', + }, + 'process.parent.elf.sections.physical_offset': { + dashed_name: 'process-parent-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'process.parent.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'process.parent.elf.sections.physical_size': { + dashed_name: 'process-parent-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'process.parent.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'process.parent.elf.sections.type': { + dashed_name: 'process-parent-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'process.parent.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'process.parent.elf.sections.virtual_address': { + dashed_name: 'process-parent-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'process.parent.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'process.parent.elf.sections.virtual_size': { + dashed_name: 'process-parent-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'process.parent.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 
'long', + }, + 'process.parent.elf.segments': { + dashed_name: 'process-parent-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'process.parent.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'process.parent.elf.segments.sections': { + dashed_name: 'process-parent-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'process.parent.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'process.parent.elf.segments.type': { + dashed_name: 'process-parent-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'process.parent.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'process.parent.elf.shared_libraries': { + dashed_name: 'process-parent-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'process.parent.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'process.parent.elf.telfhash': { + dashed_name: 'process-parent-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'process.parent.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 
'process.parent.end': { + dashed_name: 'process-parent-end', + description: 'The time the process ended.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.end', + level: 'extended', + name: 'end', + normalize: [], + original_fieldset: 'process', + short: 'The time the process ended.', + type: 'date', + }, + 'process.parent.entity_id': { + dashed_name: 'process-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.parent.executable': { + dashed_name: 'process-parent-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.parent.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.parent.exit_code': { + dashed_name: 'process-parent-exit-code', + description: + 'The exit code of the process, if this is a termination event.\nThe field should be absent if there is no exit code for the event (e.g. 
process start).', + example: 137, + flat_name: 'process.parent.exit_code', + level: 'extended', + name: 'exit_code', + normalize: [], + original_fieldset: 'process', + short: 'The exit code of the process.', + type: 'long', + }, + 'process.parent.group.id': { + dashed_name: 'process-parent-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.group.name': { + dashed_name: 'process-parent-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.group_leader.entity_id': { + dashed_name: 'process-parent-group-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.parent.group_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.parent.group_leader.pid': { + dashed_name: 'process-parent-group-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.parent.group_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], 
+ original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.parent.group_leader.start': { + dashed_name: 'process-parent-group-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.group_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.parent.hash.md5': { + dashed_name: 'process-parent-hash-md5', + description: 'MD5 hash.', + flat_name: 'process.parent.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha1': { + dashed_name: 'process-parent-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'process.parent.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha256': { + dashed_name: 'process-parent-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'process.parent.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha384': { + dashed_name: 'process-parent-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'process.parent.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'process.parent.hash.sha512': { + dashed_name: 'process-parent-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'process.parent.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 
'process.parent.hash.ssdeep': { + dashed_name: 'process-parent-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'process.parent.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'process.parent.hash.tlsh': { + dashed_name: 'process-parent-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'process.parent.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'process.parent.interactive': { + dashed_name: 'process-parent-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.parent.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.parent.name': { + dashed_name: 'process-parent-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.parent.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.pe.architecture': { + dashed_name: 'process-parent-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'process.parent.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'process.parent.pe.company': { + dashed_name: 'process-parent-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'process.parent.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.description': { + dashed_name: 'process-parent-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'process.parent.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', 
+ short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.file_version': { + dashed_name: 'process-parent-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'process.parent.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'process.parent.pe.imphash': { + dashed_name: 'process-parent-pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'process.parent.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'process.parent.pe.original_file_name': { + dashed_name: 'process-parent-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'process.parent.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pe.pehash': { + dashed_name: 'process-parent-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'process.parent.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'process.parent.pe.product': { + dashed_name: 'process-parent-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'process.parent.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.parent.pgid': { + dashed_name: 'process-parent-pgid', + description: + 'Deprecated for removal in next major version release. 
This field is superseded by `process.group_leader.pid`.\nIdentifier of the group of processes the process belongs to.', + flat_name: 'process.parent.pgid', + format: 'string', + level: 'extended', + name: 'pgid', + normalize: [], + original_fieldset: 'process', + short: 'Deprecated identifier of the group of processes the process belongs to.', + type: 'long', + }, + 'process.parent.pid': { + dashed_name: 'process-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.parent.real_group.id': { + dashed_name: 'process-parent-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.real_group.name': { + dashed_name: 'process-parent-real-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.real_user.id': { + dashed_name: 'process-parent-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.real_user.name': { + dashed_name: 'process-parent-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.real_user.name', + 
ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.saved_group.id': { + dashed_name: 'process-parent-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.saved_group.name': { + dashed_name: 'process-parent-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.parent.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.saved_user.id': { + dashed_name: 'process-parent-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.saved_user.name': { + dashed_name: 'process-parent-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.start': { + dashed_name: 
'process-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.parent.supplemental_groups.id': { + dashed_name: 'process-parent-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.parent.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.parent.supplemental_groups.name': { + dashed_name: 'process-parent-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.parent.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.parent.thread.id': { + dashed_name: 'process-parent-thread-id', + description: 'Thread ID.', + example: 4242, + flat_name: 'process.parent.thread.id', + format: 'string', + level: 'extended', + name: 'thread.id', + normalize: [], + original_fieldset: 'process', + short: 'Thread ID.', + type: 'long', + }, + 'process.parent.thread.name': { + dashed_name: 'process-parent-thread-name', + description: 'Thread name.', + example: 'thread-0', + flat_name: 'process.parent.thread.name', + ignore_above: 1024, + level: 'extended', + name: 'thread.name', + normalize: [], + original_fieldset: 'process', + short: 'Thread name.', + type: 'keyword', + }, + 'process.parent.title': { + dashed_name: 'process-parent-title', + description: + 'Process title.\nThe proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.', + flat_name: 'process.parent.title', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.title.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'title', + normalize: [], + original_fieldset: 'process', + short: 'Process title.', + type: 'keyword', + }, + 'process.parent.tty': { + dashed_name: 'process-parent-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.parent.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.parent.tty.char_device.major': { + dashed_name: 'process-parent-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.parent.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.parent.tty.char_device.minor': { + dashed_name: 'process-parent-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.parent.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.parent.uptime': { + dashed_name: 'process-parent-uptime', + description: 'Seconds the process has been up.', + example: 1325, + flat_name: 'process.parent.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + original_fieldset: 'process', + short: 'Seconds the process has been up.', + type: 'long', + }, + 'process.parent.user.id': { + dashed_name: 'process-parent-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.parent.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.parent.user.name': { + dashed_name: 'process-parent-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.parent.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.parent.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.parent.working_directory': { + dashed_name: 'process-parent-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.parent.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.parent.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', 
+ normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.pe.architecture': { + dashed_name: 'process-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'process.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'process.pe.company': { + dashed_name: 'process-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'process.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.description': { + dashed_name: 'process-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'process.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.file_version': { + dashed_name: 'process-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'process.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'process.pe.imphash': { + dashed_name: 'process-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'process.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'process.pe.original_file_name': { + dashed_name: 'process-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'process.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pe.pehash': { + dashed_name: 'process-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'process.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'process.pe.product': { + dashed_name: 'process-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'process.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'process.pgid': { + dashed_name: 'process-pgid', + description: + 'Deprecated for removal in next major version release. 
This field is superseded by `process.group_leader.pid`.\nIdentifier of the group of processes the process belongs to.', + flat_name: 'process.pgid', + format: 'string', + level: 'extended', + name: 'pgid', + normalize: [], + short: 'Deprecated identifier of the group of processes the process belongs to.', + type: 'long', + }, + 'process.pid': { + dashed_name: 'process-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + short: 'Process id.', + type: 'long', + }, + 'process.previous.args': { + dashed_name: 'process-previous-args', + description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.previous.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.previous.args_count': { + dashed_name: 'process-previous-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. 
More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.previous.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.previous.executable': { + dashed_name: 'process-previous-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.previous.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.previous.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.real_group.id': { + dashed_name: 'process-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.real_group.name': { + dashed_name: 'process-real-group-name', + description: 'Name of the group.', + flat_name: 'process.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.real_user.id': { + dashed_name: 'process-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.real_user.name': { + dashed_name: 'process-real-user-name', + description: 'Short name or login of the user.', + 
example: 'a.einstein', + flat_name: 'process.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.saved_group.id': { + dashed_name: 'process-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.saved_group.name': { + dashed_name: 'process-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.saved_user.id': { + dashed_name: 'process-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.saved_user.name': { + dashed_name: 'process-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.args': { + dashed_name: 'process-session-leader-args', + 
description: + 'Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', + flat_name: 'process.session_leader.args', + ignore_above: 1024, + level: 'extended', + name: 'args', + normalize: ['array'], + original_fieldset: 'process', + short: 'Array of process arguments.', + type: 'keyword', + }, + 'process.session_leader.args_count': { + dashed_name: 'process-session-leader-args-count', + description: + 'Length of the process.args array.\nThis field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.', + example: 4, + flat_name: 'process.session_leader.args_count', + level: 'extended', + name: 'args_count', + normalize: [], + original_fieldset: 'process', + short: 'Length of the process.args array.', + type: 'long', + }, + 'process.session_leader.command_line': { + dashed_name: 'process-session-leader-command-line', + description: + 'Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.', + example: '/usr/bin/ssh -l user 10.0.0.16', + flat_name: 'process.session_leader.command_line', + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.command_line.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'command_line', + normalize: [], + original_fieldset: 'process', + short: 'Full command line that started the process.', + type: 'wildcard', + }, + 'process.session_leader.entity_id': { + dashed_name: 'process-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of 
some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.executable': { + dashed_name: 'process-session-leader-executable', + description: 'Absolute path to the process executable.', + example: '/usr/bin/ssh', + flat_name: 'process.session_leader.executable', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.executable.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'executable', + normalize: [], + original_fieldset: 'process', + short: 'Absolute path to the process executable.', + type: 'keyword', + }, + 'process.session_leader.group.id': { + dashed_name: 'process-session-leader-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.group.name': { + dashed_name: 'process-session-leader-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.interactive': { + dashed_name: 'process-session-leader-interactive', + description: + 'Whether the process is connected to an interactive shell.\nProcess interactivity is inferred from 
the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.\nNote: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.', + example: true, + flat_name: 'process.session_leader.interactive', + level: 'extended', + name: 'interactive', + normalize: [], + original_fieldset: 'process', + short: 'Whether the process is connected to an interactive shell.', + type: 'boolean', + }, + 'process.session_leader.name': { + dashed_name: 'process-session-leader-name', + description: 'Process name.\nSometimes called program name or similar.', + example: 'ssh', + flat_name: 'process.session_leader.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'process', + short: 'Process name.', + type: 'keyword', + }, + 'process.session_leader.parent.entity_id': { + dashed_name: 'process-session-leader-parent-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.parent.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + 
original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.parent.pid': { + dashed_name: 'process-session-leader-parent-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.parent.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.parent.session_leader.entity_id': { + dashed_name: 'process-session-leader-parent-session-leader-entity-id', + description: + 'Unique identifier for the process.\nThe implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.\nConstructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.', + example: 'c2c455d9f99375d', + flat_name: 'process.session_leader.parent.session_leader.entity_id', + ignore_above: 1024, + level: 'extended', + name: 'entity_id', + normalize: [], + original_fieldset: 'process', + short: 'Unique identifier for the process.', + type: 'keyword', + }, + 'process.session_leader.parent.session_leader.pid': { + dashed_name: 'process-session-leader-parent-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.parent.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.parent.session_leader.start': { + dashed_name: 'process-session-leader-parent-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.parent.session_leader.start', + level: 'extended', + name: 
'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.parent.start': { + dashed_name: 'process-session-leader-parent-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.parent.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.pid': { + dashed_name: 'process-session-leader-pid', + description: 'Process id.', + example: 4242, + flat_name: 'process.session_leader.pid', + format: 'string', + level: 'core', + name: 'pid', + normalize: [], + original_fieldset: 'process', + short: 'Process id.', + type: 'long', + }, + 'process.session_leader.real_group.id': { + dashed_name: 'process-session-leader-real-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.real_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.real_group.name': { + dashed_name: 'process-session-leader-real-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.real_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.real_user.id': { + dashed_name: 'process-session-leader-real-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.real_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the 
user.', + type: 'keyword', + }, + 'process.session_leader.real_user.name': { + dashed_name: 'process-session-leader-real-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.real_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.real_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.same_as_process': { + dashed_name: 'process-session-leader-same-as-process', + description: + "This boolean is used to identify if a leader process is the same as the top level process.\nFor example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.\nThis field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. 
e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)\nInstead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`\nNote: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.", + example: true, + flat_name: 'process.session_leader.same_as_process', + level: 'extended', + name: 'same_as_process', + normalize: [], + original_fieldset: 'process', + short: + 'This boolean is used to identify if a leader process is the same as the top level process.', + type: 'boolean', + }, + 'process.session_leader.saved_group.id': { + dashed_name: 'process-session-leader-saved-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.saved_group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.saved_group.name': { + dashed_name: 'process-session-leader-saved-group-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.saved_group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.saved_user.id': { + dashed_name: 'process-session-leader-saved-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.saved_user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 
'process.session_leader.saved_user.name': { + dashed_name: 'process-session-leader-saved-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.saved_user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.saved_user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.start': { + dashed_name: 'process-session-leader-start', + description: 'The time the process started.', + example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.session_leader.start', + level: 'extended', + name: 'start', + normalize: [], + original_fieldset: 'process', + short: 'The time the process started.', + type: 'date', + }, + 'process.session_leader.supplemental_groups.id': { + dashed_name: 'process-session-leader-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.session_leader.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.session_leader.supplemental_groups.name': { + dashed_name: 'process-session-leader-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.session_leader.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.session_leader.tty': { + dashed_name: 'process-session-leader-tty', + description: + 'Information about the controlling TTY device. 
If set, the process belongs to an interactive session.', + flat_name: 'process.session_leader.tty', + level: 'extended', + name: 'tty', + normalize: [], + original_fieldset: 'process', + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.session_leader.tty.char_device.major': { + dashed_name: 'process-session-leader-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.session_leader.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.session_leader.tty.char_device.minor': { + dashed_name: 'process-session-leader-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.session_leader.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + original_fieldset: 'process', + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.session_leader.user.id': { + dashed_name: 'process-session-leader-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.session_leader.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.session_leader.user.name': { + dashed_name: 'process-session-leader-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.session_leader.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.session_leader.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.session_leader.working_directory': { + dashed_name: 'process-session-leader-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.session_leader.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.session_leader.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + original_fieldset: 'process', + short: 'The working directory of the process.', + type: 'keyword', + }, + 'process.start': { + dashed_name: 'process-start', + description: 'The time the process started.', + 
example: '2016-05-23T08:05:34.853Z', + flat_name: 'process.start', + level: 'extended', + name: 'start', + normalize: [], + short: 'The time the process started.', + type: 'date', + }, + 'process.supplemental_groups.id': { + dashed_name: 'process-supplemental-groups-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'process.supplemental_groups.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'process.supplemental_groups.name': { + dashed_name: 'process-supplemental-groups-name', + description: 'Name of the group.', + flat_name: 'process.supplemental_groups.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'process.thread.id': { + dashed_name: 'process-thread-id', + description: 'Thread ID.', + example: 4242, + flat_name: 'process.thread.id', + format: 'string', + level: 'extended', + name: 'thread.id', + normalize: [], + short: 'Thread ID.', + type: 'long', + }, + 'process.thread.name': { + dashed_name: 'process-thread-name', + description: 'Thread name.', + example: 'thread-0', + flat_name: 'process.thread.name', + ignore_above: 1024, + level: 'extended', + name: 'thread.name', + normalize: [], + short: 'Thread name.', + type: 'keyword', + }, + 'process.title': { + dashed_name: 'process-title', + description: + 'Process title.\nThe proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.', + flat_name: 'process.title', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.title.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'title', + normalize: [], + short: 'Process title.', + type: 'keyword', + }, + 'process.tty': { + dashed_name: 'process-tty', + description: + 'Information about the controlling TTY device. If set, the process belongs to an interactive session.', + flat_name: 'process.tty', + level: 'extended', + name: 'tty', + normalize: [], + short: 'Information about the controlling TTY device.', + type: 'object', + }, + 'process.tty.char_device.major': { + dashed_name: 'process-tty-char-device-major', + description: + 'The major number identifies the driver associated with the device. The character device\'s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.', + example: 4, + flat_name: 'process.tty.char_device.major', + level: 'extended', + name: 'tty.char_device.major', + normalize: [], + short: "The TTY character device's major number.", + type: 'long', + }, + 'process.tty.char_device.minor': { + dashed_name: 'process-tty-char-device-minor', + description: + 'The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. 
It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.', + example: 1, + flat_name: 'process.tty.char_device.minor', + level: 'extended', + name: 'tty.char_device.minor', + normalize: [], + short: "The TTY character device's minor number.", + type: 'long', + }, + 'process.tty.columns': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-tty-columns', + description: + "The number of character columns per line. e.g terminal width\nTerminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'", + example: 80, + flat_name: 'process.tty.columns', + level: 'extended', + name: 'tty.columns', + normalize: [], + short: 'The number of character columns per line. e.g terminal width', + type: 'long', + }, + 'process.tty.rows': { + beta: 'This field is beta and subject to change.', + dashed_name: 'process-tty-rows', + description: + "The number of character rows in the terminal. e.g terminal height\nTerminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'", + example: 24, + flat_name: 'process.tty.rows', + level: 'extended', + name: 'tty.rows', + normalize: [], + short: 'The number of character rows in the terminal. 
e.g terminal height', + type: 'long', + }, + 'process.uptime': { + dashed_name: 'process-uptime', + description: 'Seconds the process has been up.', + example: 1325, + flat_name: 'process.uptime', + level: 'extended', + name: 'uptime', + normalize: [], + short: 'Seconds the process has been up.', + type: 'long', + }, + 'process.user.id': { + dashed_name: 'process-user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'process.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'process.user.name': { + dashed_name: 'process-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'process.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'process.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'process.working_directory': { + dashed_name: 'process-working-directory', + description: 'The working directory of the process.', + example: '/home/alice', + flat_name: 'process.working_directory', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'process.working_directory.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'working_directory', + normalize: [], + short: 'The working directory of the process.', + type: 'keyword', + }, + }, + group: 2, + name: 'process', + nestings: [ + 'process.attested_groups', + 'process.attested_user', + 'process.code_signature', + 'process.elf', + 'process.entry_leader', + 'process.entry_leader.parent', + 'process.entry_leader.parent.session_leader', + 'process.entry_meta.source', + 'process.group', + 'process.group_leader', + 'process.hash', + 'process.parent', 
+ 'process.parent.group_leader', + 'process.pe', + 'process.previous', + 'process.real_group', + 'process.real_user', + 'process.saved_group', + 'process.saved_user', + 'process.session_leader', + 'process.session_leader.parent', + 'process.session_leader.parent.session_leader', + 'process.supplemental_groups', + 'process.user', + ], + prefix: 'process.', + reusable: { + expected: [ + { + as: 'parent', + at: 'process', + full: 'process.parent', + short_override: 'Information about the parent process.', + }, + { + as: 'entry_leader', + at: 'process', + full: 'process.entry_leader', + short_override: + 'First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process.', + }, + { + as: 'session_leader', + at: 'process', + full: 'process.session_leader', + short_override: + 'Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux', + }, + { + as: 'group_leader', + at: 'process', + full: 'process.group_leader', + short_override: + 'Information about the process group leader. In some cases this may be the same as the top level process.', + }, + { + as: 'group_leader', + at: 'process.parent', + full: 'process.parent.group_leader', + short_override: + "Information about the parent's process group leader. Only pid, start and entity_id fields are set.", + }, + { + as: 'parent', + at: 'process.entry_leader', + full: 'process.entry_leader.parent', + short_override: + "Information about the entry leader's parent process. Only pid, start and entity_id fields are set.", + }, + { + as: 'parent', + at: 'process.session_leader', + full: 'process.session_leader.parent', + short_override: + "Information about the session leader's parent process. 
Only pid, start and entity_id fields are set.", + }, + { + as: 'session_leader', + at: 'process.entry_leader.parent', + full: 'process.entry_leader.parent.session_leader', + short_override: + 'Information about the parent session of the entry leader. Only pid, start and entity_id fields are set.', + }, + { + as: 'session_leader', + at: 'process.session_leader.parent', + full: 'process.session_leader.parent.session_leader', + short_override: + 'Information about the parent session of the session leader. Only pid, start and entity_id fields are set.', + }, + { + as: 'previous', + at: 'process', + full: 'process.previous', + normalize: ['array'], + short_override: + 'An array of previous executions for the process, including the initial fork. Only executable and args are set.', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'process.group', + schema_name: 'group', + short: 'The effective group (egid).', + }, + { + full: 'process.real_group', + schema_name: 'group', + short: 'The real group (rgid).', + }, + { + full: 'process.saved_group', + schema_name: 'group', + short: 'The saved group (sgid).', + }, + { + full: 'process.supplemental_groups', + normalize: ['array'], + schema_name: 'group', + short: 'An array of supplemental groups.', + }, + { + beta: 'Reusing the `group` fields in this location is currently considered beta.', + full: 'process.attested_groups', + normalize: ['array'], + schema_name: 'group', + short: 'The externally attested groups based on an external source such as the Kube API.', + }, + { + full: 'process.hash', + schema_name: 'hash', + short: 'Hashes, usually file hashes.', + }, + { + full: 'process.pe', + schema_name: 'pe', + short: 'These fields contain Windows Portable Executable (PE) metadata.', + }, + { + full: 'process.code_signature', + schema_name: 'code_signature', + short: 'These fields contain information about binary code signatures.', + }, + { + beta: 'This field reuse is beta and subject to change.', + full: 
'process.elf', + schema_name: 'elf', + short: 'These fields contain Linux Executable Linkable Format (ELF) metadata.', + }, + { + full: 'process.entry_meta.source', + schema_name: 'source', + short: 'Remote client information such as ip, port and geo location.', + }, + { + full: 'process.user', + schema_name: 'user', + short: 'The effective user (euid).', + }, + { + full: 'process.saved_user', + schema_name: 'user', + short: 'The saved user (suid).', + }, + { + full: 'process.real_user', + schema_name: 'user', + short: 'The real user (ruid). Identifies the real owner of the process.', + }, + { + beta: 'Reusing the `user` fields in this location is currently considered beta.', + full: 'process.attested_user', + schema_name: 'user', + short: 'The externally attested user based on an external source such as the Kube API.', + }, + { + full: 'process.parent', + schema_name: 'process', + short: 'Information about the parent process.', + }, + { + full: 'process.entry_leader', + schema_name: 'process', + short: + 'First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process.', + }, + { + full: 'process.session_leader', + schema_name: 'process', + short: + 'Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux', + }, + { + full: 'process.group_leader', + schema_name: 'process', + short: + 'Information about the process group leader. In some cases this may be the same as the top level process.', + }, + { + full: 'process.parent.group_leader', + schema_name: 'process', + short: + "Information about the parent's process group leader. Only pid, start and entity_id fields are set.", + }, + { + full: 'process.entry_leader.parent', + schema_name: 'process', + short: + "Information about the entry leader's parent process. 
Only pid, start and entity_id fields are set.", + }, + { + full: 'process.session_leader.parent', + schema_name: 'process', + short: + "Information about the session leader's parent process. Only pid, start and entity_id fields are set.", + }, + { + full: 'process.entry_leader.parent.session_leader', + schema_name: 'process', + short: + 'Information about the parent session of the entry leader. Only pid, start and entity_id fields are set.', + }, + { + full: 'process.session_leader.parent.session_leader', + schema_name: 'process', + short: + 'Information about the parent session of the session leader. Only pid, start and entity_id fields are set.', + }, + { + full: 'process.previous', + normalize: ['array'], + schema_name: 'process', + short: + 'An array of previous executions for the process, including the initial fork. Only executable and args are set.', + }, + ], + short: 'These fields contain information about a process.', + title: 'Process', + type: 'group', + }, + registry: { + description: 'Fields related to Windows Registry operations.', + fields: { + 'registry.data.bytes': { + dashed_name: 'registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'registry.data.strings': { + dashed_name: 'registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'registry.data.type': { + dashed_name: 'registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'registry.hive': { + dashed_name: 'registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'registry.hive', + ignore_above: 1024, + level: 'core', + name: 'hive', + normalize: [], + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'registry.key': { + dashed_name: 'registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'registry.path': { + dashed_name: 'registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'registry.path', + ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'registry.value': { + dashed_name: 'registry-value', + description: 'Name of the value written.', + example: 'Debugger', + 
flat_name: 'registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + short: 'Name of the value written.', + type: 'keyword', + }, + }, + group: 2, + name: 'registry', + prefix: 'registry.', + reusable: { + expected: [ + { + as: 'registry', + at: 'threat.indicator', + full: 'threat.indicator.registry', + }, + { + as: 'registry', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.registry', + }, + ], + top_level: true, + }, + short: 'Fields related to Windows Registry operations.', + title: 'Registry', + type: 'group', + }, + related: { + description: + 'This field set is meant to facilitate pivoting around a piece of data.\nSome pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.\nA concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.', + fields: { + 'related.hash': { + dashed_name: 'related-hash', + description: + "All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).", + flat_name: 'related.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: ['array'], + short: 'All the hashes seen on your event.', + type: 'keyword', + }, + 'related.hosts': { + dashed_name: 'related-hosts', + description: + 'All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases.', + flat_name: 'related.hosts', + ignore_above: 1024, + level: 'extended', + name: 'hosts', + normalize: ['array'], + short: 'All the host identifiers seen on your event.', + type: 'keyword', + }, + 'related.ip': { + dashed_name: 'related-ip', + description: 'All of the IPs seen on your event.', + flat_name: 'related.ip', + level: 'extended', + name: 'ip', + normalize: ['array'], + short: 'All of the IPs seen on your event.', + type: 'ip', + }, + 'related.user': { + dashed_name: 'related-user', + description: 'All the user names or other user identifiers seen on the event.', + flat_name: 'related.user', + ignore_above: 1024, + level: 'extended', + name: 'user', + normalize: ['array'], + short: 'All the user names or other user identifiers seen on the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'related', + prefix: 'related.', + short: 'Fields meant to facilitate pivoting around a piece of data.', + title: 'Related', + type: 'group', + }, + risk: { + beta: 'These fields are in beta and are subject to change.', + description: + 'Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. 
Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk.', + fields: { + 'risk.calculated_level': { + dashed_name: 'risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'keyword', + }, + 'risk.calculated_score': { + dashed_name: 'risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'risk.calculated_score_norm': { + dashed_name: 'risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.', + example: 88.73, + flat_name: 'risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'risk.static_level': { + dashed_name: 'risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 'High', + flat_name: 'risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + short: + 'A risk classification level obtained from outside the system, such as from some external Threat 
Intelligence Platform.', + type: 'keyword', + }, + 'risk.static_score': { + dashed_name: 'risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + short: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'risk.static_score_norm': { + dashed_name: 'risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + }, + group: 2, + name: 'risk', + prefix: 'risk.', + reusable: { + expected: [ + { as: 'risk', at: 'host', full: 'host.risk' }, + { as: 'risk', at: 'user', full: 'user.risk' }, + ], + top_level: false, + }, + short: 'Fields for describing risk score and level.', + title: 'Risk information', + type: 'group', + }, + rule: { + description: + 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.\nExamples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.', + fields: { + 'rule.author': { + dashed_name: 'rule-author', + description: + 'Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.', + example: '["Star-Lord"]', + flat_name: 'rule.author', + ignore_above: 1024, + level: 'extended', + name: 'author', + 
normalize: ['array'], + short: 'Rule author', + type: 'keyword', + }, + 'rule.category': { + dashed_name: 'rule-category', + description: + 'A categorization value keyword used by the entity using the rule for detection of this event.', + example: 'Attempted Information Leak', + flat_name: 'rule.category', + ignore_above: 1024, + level: 'extended', + name: 'category', + normalize: [], + short: 'Rule category', + type: 'keyword', + }, + 'rule.description': { + dashed_name: 'rule-description', + description: 'The description of the rule generating the event.', + example: 'Block requests to public DNS over HTTPS / TLS protocols', + flat_name: 'rule.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + short: 'Rule description', + type: 'keyword', + }, + 'rule.id': { + dashed_name: 'rule-id', + description: + 'A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.', + example: 101, + flat_name: 'rule.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'Rule ID', + type: 'keyword', + }, + 'rule.license': { + dashed_name: 'rule-license', + description: + 'Name of the license under which the rule used to generate this event is made available.', + example: 'Apache 2.0', + flat_name: 'rule.license', + ignore_above: 1024, + level: 'extended', + name: 'license', + normalize: [], + short: 'Rule license', + type: 'keyword', + }, + 'rule.name': { + dashed_name: 'rule-name', + description: 'The name of the rule or signature generating the event.', + example: 'BLOCK_DNS_over_TLS', + flat_name: 'rule.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Rule name', + type: 'keyword', + }, + 'rule.reference': { + dashed_name: 'rule-reference', + description: + "Reference URL to additional information about the rule used to generate this event.\nThe URL can point to the vendor's documentation 
about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.", + example: 'https://en.wikipedia.org/wiki/DNS_over_TLS', + flat_name: 'rule.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Rule reference URL', + type: 'keyword', + }, + 'rule.ruleset': { + dashed_name: 'rule-ruleset', + description: + 'Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.', + example: 'Standard_Protocol_Filters', + flat_name: 'rule.ruleset', + ignore_above: 1024, + level: 'extended', + name: 'ruleset', + normalize: [], + short: 'Rule ruleset', + type: 'keyword', + }, + 'rule.uuid': { + dashed_name: 'rule-uuid', + description: + 'A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.', + example: 1100110011, + flat_name: 'rule.uuid', + ignore_above: 1024, + level: 'extended', + name: 'uuid', + normalize: [], + short: 'Rule UUID', + type: 'keyword', + }, + 'rule.version': { + dashed_name: 'rule-version', + description: 'The version / revision of the rule being used for analysis.', + example: 1.1, + flat_name: 'rule.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Rule version', + type: 'keyword', + }, + }, + group: 2, + name: 'rule', + prefix: 'rule.', + short: 'Fields to capture details about rules used to generate alerts or other notable events.', + title: 'Rule', + type: 'group', + }, + server: { + description: + 'A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.\nFor TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. 
Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.\nClient / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.', + fields: { + 'server.address': { + dashed_name: 'server-address', + description: + 'Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'server.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Server network address.', + type: 'keyword', + }, + 'server.as.number': { + dashed_name: 'server-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'server.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'server.as.organization.name': { + dashed_name: 'server-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'server.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'server.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'server.bytes': { + dashed_name: 'server-bytes', + description: 'Bytes sent from the server to the client.', + example: 184, + flat_name: 'server.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the server to the client.', + type: 'long', + }, + 'server.domain': { + dashed_name: 'server-domain', + description: + 'The domain name of the server system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'server.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the server.', + type: 'keyword', + }, + 'server.geo.city_name': { + dashed_name: 'server-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'server.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'server.geo.continent_code': { + dashed_name: 'server-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'server.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'server.geo.continent_name': { + dashed_name: 'server-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'server.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'server.geo.country_iso_code': { + dashed_name: 'server-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'server.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'server.geo.country_name': { + dashed_name: 'server-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'server.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'server.geo.location': { 
+ dashed_name: 'server-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'server.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'server.geo.name': { + dashed_name: 'server-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'server.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'server.geo.postal_code': { + dashed_name: 'server-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'server.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'server.geo.region_iso_code': { + dashed_name: 'server-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'server.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'server.geo.region_name': { + dashed_name: 'server-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'server.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'server.geo.timezone': { + dashed_name: 'server-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'server.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'server.ip': { + dashed_name: 'server-ip', + description: 'IP address of the server (IPv4 or IPv6).', + flat_name: 'server.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the server.', + type: 'ip', + }, + 'server.mac': { + dashed_name: 'server-mac', + description: + 'MAC address of the server.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'server.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the server.', + type: 'keyword', + }, + 'server.nat.ip': { + dashed_name: 'server-nat-ip', + description: + 'Translated ip of destination based NAT sessions (e.g. internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'server.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Server NAT ip', + type: 'ip', + }, + 'server.nat.port': { + dashed_name: 'server-nat-port', + description: + 'Translated port of destination based NAT sessions (e.g. 
internet to private DMZ)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'server.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Server NAT port', + type: 'long', + }, + 'server.packets': { + dashed_name: 'server-packets', + description: 'Packets sent from the server to the client.', + example: 12, + flat_name: 'server.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the server to the client.', + type: 'long', + }, + 'server.port': { + dashed_name: 'server-port', + description: 'Port of the server.', + flat_name: 'server.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the server.', + type: 'long', + }, + 'server.registered_domain': { + dashed_name: 'server-registered-domain', + description: + 'The highest registered server domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'server.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered server domain, stripped of the subdomain.', + type: 'keyword', + }, + 'server.subdomain': { + dashed_name: 'server-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'server.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'server.top_level_domain': { + dashed_name: 'server-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'server.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'server.user.domain': { + dashed_name: 'server-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'server.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'server.user.email': { + dashed_name: 'server-user-email', + description: 'User email address.', + flat_name: 'server.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'server.user.full_name': { + dashed_name: 'server-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'server.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'server.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'server.user.group.domain': { + dashed_name: 'server-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'server.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'server.user.group.id': { + dashed_name: 'server-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'server.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'server.user.group.name': { + dashed_name: 'server-user-group-name', + description: 'Name of the group.', + flat_name: 'server.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'server.user.hash': { + dashed_name: 'server-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'server.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'server.user.id': { + dashed_name: 'server-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'server.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'server.user.name': { + dashed_name: 'server-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'server.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'server.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'server.user.roles': { + dashed_name: 'server-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'server.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'server', + nestings: ['server.as', 'server.geo', 'server.user'], + prefix: 'server.', + reused_here: [ + { + full: 'server.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'server.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'server.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the server side of a network connection, used with client.', + title: 'Server', + type: 'group', + }, + service: { + description: + 'The service fields describe the service for or from which the data was collected.\nThese fields help you find and correlate logs for a specific service and version.', + fields: { + 'service.address': { + dashed_name: 'service-address', + description: + 'Address 
where data about this service was collected from.\nThis should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Address of this service.', + type: 'keyword', + }, + 'service.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.ephemeral_id': { + dashed_name: 'service-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.id': { + dashed_name: 'service-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.name': { + dashed_name: 'service-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + short: 'Name of the service.', + type: 'keyword', + }, + 'service.node.name': { + dashed_name: 'service-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.node.role': { + dashed_name: 'service-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.node.roles': { + dashed_name: 'service-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.origin.address': { + dashed_name: 'service-origin-address', + description: + 'Address where data about this service was collected from.\nThis should be a URI, 
network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.origin.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + original_fieldset: 'service', + short: 'Address of this service.', + type: 'keyword', + }, + 'service.origin.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-origin-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.origin.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + original_fieldset: 'service', + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.origin.ephemeral_id': { + dashed_name: 'service-origin-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.origin.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + original_fieldset: 'service', + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.origin.id': { + dashed_name: 'service-origin-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.origin.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'service', + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.origin.name': { + dashed_name: 'service-origin-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.origin.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service.', + type: 'keyword', + }, + 'service.origin.node.name': { + dashed_name: 'service-origin-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.origin.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.origin.node.role': { + dashed_name: 'service-origin-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.origin.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + original_fieldset: 'service', + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.origin.node.roles': { + dashed_name: 'service-origin-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.origin.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + original_fieldset: 'service', + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.origin.state': { + 
dashed_name: 'service-origin-state', + description: 'Current state of the service.', + flat_name: 'service.origin.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + original_fieldset: 'service', + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.origin.type': { + dashed_name: 'service-origin-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.origin.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + original_fieldset: 'service', + short: 'The type of the service.', + type: 'keyword', + }, + 'service.origin.version': { + dashed_name: 'service-origin-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + example: '3.2.4', + flat_name: 'service.origin.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + original_fieldset: 'service', + short: 'Version of the service.', + type: 'keyword', + }, + 'service.state': { + dashed_name: 'service-state', + description: 'Current state of the service.', + flat_name: 'service.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.target.address': { + dashed_name: 'service-target-address', + description: + 'Address where data about this service was collected from.\nThis should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).', + example: '172.26.0.2:5432', + flat_name: 'service.target.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + original_fieldset: 'service', + short: 
'Address of this service.', + type: 'keyword', + }, + 'service.target.environment': { + beta: 'This field is beta and subject to change.', + dashed_name: 'service-target-environment', + description: + 'Identifies the environment where the service is running.\nIf the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment.', + example: 'production', + flat_name: 'service.target.environment', + ignore_above: 1024, + level: 'extended', + name: 'environment', + normalize: [], + original_fieldset: 'service', + short: 'Environment of the service.', + type: 'keyword', + }, + 'service.target.ephemeral_id': { + dashed_name: 'service-target-ephemeral-id', + description: + 'Ephemeral identifier of this service (if one exists).\nThis id normally changes across restarts, but `service.id` does not.', + example: '8a4f500f', + flat_name: 'service.target.ephemeral_id', + ignore_above: 1024, + level: 'extended', + name: 'ephemeral_id', + normalize: [], + original_fieldset: 'service', + short: 'Ephemeral identifier of this service.', + type: 'keyword', + }, + 'service.target.id': { + dashed_name: 'service-target-id', + description: + 'Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.\nThis id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.\nNote that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.', + example: 'd37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6', + flat_name: 'service.target.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'service', + short: 'Unique identifier of the running service.', + type: 'keyword', + }, + 'service.target.name': { + dashed_name: 'service-target-name', + description: + 'Name of the service data is collected from.\nThe name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.\nIn the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.', + example: 'elasticsearch-metrics', + flat_name: 'service.target.name', + ignore_above: 1024, + level: 'core', + name: 'name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service.', + type: 'keyword', + }, + 'service.target.node.name': { + dashed_name: 'service-target-node-name', + description: + "Name of a service node.\nThis allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service.\nIn the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. 
multiple instances of the service running on the same host) - the node name can be manually set.", + example: 'instance-0000000016', + flat_name: 'service.target.node.name', + ignore_above: 1024, + level: 'extended', + name: 'node.name', + normalize: [], + original_fieldset: 'service', + short: 'Name of the service node.', + type: 'keyword', + }, + 'service.target.node.role': { + dashed_name: 'service-target-node-role', + description: + 'Deprecated for removal in next major version release. This field will be superseded by `node.roles`.\nRole of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data`.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: 'background_tasks', + flat_name: 'service.target.node.role', + ignore_above: 1024, + level: 'extended', + name: 'node.role', + normalize: [], + original_fieldset: 'service', + short: 'Deprecated role (singular) of the service node.', + type: 'keyword', + }, + 'service.target.node.roles': { + dashed_name: 'service-target-node-roles', + description: + 'Roles of a service node.\nThis allows for distinction between different running roles of the same service.\nIn the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both.\nIn the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both.\nOther services could use this to distinguish between a `web` and `worker` role running as part of the service.', + example: '["ui", "background_tasks"]', + flat_name: 'service.target.node.roles', + ignore_above: 1024, + level: 'extended', + name: 'node.roles', + normalize: ['array'], + original_fieldset: 'service', + short: 'Roles of the service node.', + type: 'keyword', + }, + 'service.target.state': { + 
dashed_name: 'service-target-state', + description: 'Current state of the service.', + flat_name: 'service.target.state', + ignore_above: 1024, + level: 'core', + name: 'state', + normalize: [], + original_fieldset: 'service', + short: 'Current state of the service.', + type: 'keyword', + }, + 'service.target.type': { + dashed_name: 'service-target-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.target.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + original_fieldset: 'service', + short: 'The type of the service.', + type: 'keyword', + }, + 'service.target.version': { + dashed_name: 'service-target-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + example: '3.2.4', + flat_name: 'service.target.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + original_fieldset: 'service', + short: 'Version of the service.', + type: 'keyword', + }, + 'service.type': { + dashed_name: 'service-type', + description: + 'The type of the service data is collected from.\nThe type can be used to group and correlate logs and metrics from one service type.\nExample: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.', + example: 'elasticsearch', + flat_name: 'service.type', + ignore_above: 1024, + level: 'core', + name: 'type', + normalize: [], + short: 'The type of the service.', + type: 'keyword', + }, + 'service.version': { + dashed_name: 'service-version', + description: + 'Version of the service the data was collected from.\nThis allows to look at a data set only for a specific version of a service.', + 
example: '3.2.4', + flat_name: 'service.version', + ignore_above: 1024, + level: 'core', + name: 'version', + normalize: [], + short: 'Version of the service.', + type: 'keyword', + }, + }, + footnote: + 'The service fields may be self-nested under service.origin.* and service.target.* to describe origin or target services in the context of incoming or outgoing requests, respectively. However, the fieldsets service.origin.* and service.target.* must not be confused with the root service fieldset that is used to describe the actual service under observation. The fieldset service.origin.* may only be used in the context of incoming requests or events to describe the originating service of the request. The fieldset service.target.* may only be used in the context of outgoing requests or events to describe the target service of the request.', + group: 2, + name: 'service', + nestings: ['service.origin', 'service.target'], + prefix: 'service.', + reusable: { + expected: [ + { + as: 'origin', + at: 'service', + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.origin', + short_override: 'Describes the origin service in case of an incoming request or event.', + }, + { + as: 'target', + at: 'service', + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.target', + short_override: 'Describes the target service in case of an outgoing request or event.', + }, + ], + top_level: true, + }, + reused_here: [ + { + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.origin', + schema_name: 'service', + short: 'Describes the origin service in case of an incoming request or event.', + }, + { + beta: 'Reusing the `service` fields in this location is currently considered beta.', + full: 'service.target', + schema_name: 'service', + short: 'Describes the target service in case of an outgoing request or event.', + }, + ], + short: 
'Fields describing the service for or from which the data was collected.', + title: 'Service', + type: 'group', + }, + source: { + description: + 'Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.\nSource fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated.', + fields: { + 'source.address': { + dashed_name: 'source-address', + description: + 'Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.\nThen it should be duplicated to `.ip` or `.domain`, depending on which one it is.', + flat_name: 'source.address', + ignore_above: 1024, + level: 'extended', + name: 'address', + normalize: [], + short: 'Source network address.', + type: 'keyword', + }, + 'source.as.number': { + dashed_name: 'source-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'source.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'source.as.organization.name': { + dashed_name: 'source-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'source.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'source.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'source.bytes': { + dashed_name: 'source-bytes', + description: 'Bytes sent from the source to the destination.', + example: 184, + flat_name: 'source.bytes', + format: 'bytes', + level: 'core', + name: 'bytes', + normalize: [], + short: 'Bytes sent from the source to the destination.', + type: 'long', + }, + 'source.domain': { + dashed_name: 'source-domain', + description: + 'The domain name of the source system.\nThis value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment.', + example: 'foo.example.com', + flat_name: 'source.domain', + ignore_above: 1024, + level: 'core', + name: 'domain', + normalize: [], + short: 'The domain name of the source.', + type: 'keyword', + }, + 'source.geo.city_name': { + dashed_name: 'source-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'source.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'source.geo.continent_code': { + dashed_name: 'source-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'source.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'source.geo.continent_name': { + dashed_name: 'source-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'source.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'source.geo.country_iso_code': { + dashed_name: 'source-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'source.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'source.geo.country_name': { + dashed_name: 'source-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'source.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'source.geo.location': { 
+ dashed_name: 'source-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'source.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'source.geo.name': { + dashed_name: 'source-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'source.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'source.geo.postal_code': { + dashed_name: 'source-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'source.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'source.geo.region_iso_code': { + dashed_name: 'source-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'source.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'source.geo.region_name': { + dashed_name: 'source-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'source.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + 
}, + 'source.geo.timezone': { + dashed_name: 'source-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'source.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'source.ip': { + dashed_name: 'source-ip', + description: 'IP address of the source (IPv4 or IPv6).', + flat_name: 'source.ip', + level: 'core', + name: 'ip', + normalize: [], + short: 'IP address of the source.', + type: 'ip', + }, + 'source.mac': { + dashed_name: 'source-mac', + description: + 'MAC address of the source.\nThe notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.', + example: '00-00-5E-00-53-23', + flat_name: 'source.mac', + ignore_above: 1024, + level: 'core', + name: 'mac', + normalize: [], + pattern: '^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$', + short: 'MAC address of the source.', + type: 'keyword', + }, + 'source.nat.ip': { + dashed_name: 'source-nat-ip', + description: + 'Translated ip of source based NAT sessions (e.g. internal client to internet)\nTypically connections traversing load balancers, firewalls, or routers.', + flat_name: 'source.nat.ip', + level: 'extended', + name: 'nat.ip', + normalize: [], + short: 'Source NAT ip', + type: 'ip', + }, + 'source.nat.port': { + dashed_name: 'source-nat-port', + description: + 'Translated port of source based NAT sessions. (e.g. 
internal client to internet)\nTypically used with load balancers, firewalls, or routers.', + flat_name: 'source.nat.port', + format: 'string', + level: 'extended', + name: 'nat.port', + normalize: [], + short: 'Source NAT port', + type: 'long', + }, + 'source.packets': { + dashed_name: 'source-packets', + description: 'Packets sent from the source to the destination.', + example: 12, + flat_name: 'source.packets', + level: 'core', + name: 'packets', + normalize: [], + short: 'Packets sent from the source to the destination.', + type: 'long', + }, + 'source.port': { + dashed_name: 'source-port', + description: 'Port of the source.', + flat_name: 'source.port', + format: 'string', + level: 'core', + name: 'port', + normalize: [], + short: 'Port of the source.', + type: 'long', + }, + 'source.registered_domain': { + dashed_name: 'source-registered-domain', + description: + 'The highest registered source domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'source.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered source domain, stripped of the subdomain.', + type: 'keyword', + }, + 'source.subdomain': { + dashed_name: 'source-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'source.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'source.top_level_domain': { + dashed_name: 'source-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'source.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'source.user.domain': { + dashed_name: 'source-user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'source.user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'source.user.email': { + dashed_name: 'source-user-email', + description: 'User email address.', + flat_name: 'source.user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'source.user.full_name': { + dashed_name: 'source-user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'source.user.full_name', + ignore_above: 1024, + level: 
'extended', + multi_fields: [ + { + flat_name: 'source.user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'source.user.group.domain': { + dashed_name: 'source-user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'source.user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'source.user.group.id': { + dashed_name: 'source-user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'source.user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'source.user.group.name': { + dashed_name: 'source-user-group-name', + description: 'Name of the group.', + flat_name: 'source.user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'source.user.hash': { + dashed_name: 'source-user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'source.user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'source.user.id': { + dashed_name: 'source-user-id', + description: 'Unique identifier of the user.', + example: 
'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'source.user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'source.user.name': { + dashed_name: 'source-user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'source.user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'source.user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'source.user.roles': { + dashed_name: 'source-user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'source.user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'source', + nestings: ['source.as', 'source.geo', 'source.user'], + prefix: 'source.', + reusable: { + expected: [ + { + as: 'source', + at: 'process.entry_meta', + full: 'process.entry_meta.source', + short_override: 'Remote client information such as ip, port and geo location.', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'source.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'source.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'source.user', + schema_name: 'user', + short: 'Fields to describe the user relevant to the event.', + }, + ], + short: 'Fields about the source side of a network connection, used with destination.', + title: 'Source', + type: 'group', + }, + threat: { + description: + 'Fields to classify events and 
alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.\nThese fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").', + fields: { + 'threat.enrichments': { + dashed_name: 'threat-enrichments', + description: + 'A list of associated indicators objects enriching the event, and the context of that association/enrichment.', + flat_name: 'threat.enrichments', + level: 'extended', + name: 'enrichments', + normalize: ['array'], + short: 'List of objects containing indicators enriching the event.', + type: 'nested', + }, + 'threat.enrichments.indicator': { + dashed_name: 'threat-enrichments-indicator', + description: 'Object containing associated indicators enriching the event.', + flat_name: 'threat.enrichments.indicator', + level: 'extended', + name: 'enrichments.indicator', + normalize: [], + short: 'Object containing indicators enriching the event.', + type: 'object', + }, + 'threat.enrichments.indicator.as.number': { + dashed_name: 'threat-enrichments-indicator-as-number', + description: + 'Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'threat.enrichments.indicator.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'threat.enrichments.indicator.as.organization.name': { + dashed_name: 'threat-enrichments-indicator-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'threat.enrichments.indicator.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.confidence': { + dashed_name: 'threat-enrichments-indicator-confidence', + description: + 'Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. 
Vendor-specific confidence scales may be added as custom fields.', + example: 'Medium', + expected_values: ['Not Specified', 'None', 'Low', 'Medium', 'High'], + flat_name: 'threat.enrichments.indicator.confidence', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.confidence', + normalize: [], + short: 'Indicator confidence rating', + type: 'keyword', + }, + 'threat.enrichments.indicator.description': { + dashed_name: 'threat-enrichments-indicator-description', + description: 'Describes the type of action conducted by the threat.', + example: 'IP x.x.x.x was observed delivering the Angler EK.', + flat_name: 'threat.enrichments.indicator.description', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.description', + normalize: [], + short: 'Indicator description', + type: 'keyword', + }, + 'threat.enrichments.indicator.email.address': { + dashed_name: 'threat-enrichments-indicator-email-address', + description: + 'Identifies a threat indicator as an email address (irrespective of direction).', + example: 'phish@example.com', + flat_name: 'threat.enrichments.indicator.email.address', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.email.address', + normalize: [], + short: 'Indicator email address', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.accessed': { + dashed_name: 'threat-enrichments-indicator-file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'threat.enrichments.indicator.file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file was accessed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.attributes': { + dashed_name: 'threat-enrichments-indicator-file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'threat.enrichments.indicator.file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + original_fieldset: 'file', + short: 'Array of file attributes.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.digest_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'threat.enrichments.indicator.file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.exists': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.code_signature.signing_id': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'threat.enrichments.indicator.file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.status': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'threat.enrichments.indicator.file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.subject_name': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'threat.enrichments.indicator.file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.team_id': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'threat.enrichments.indicator.file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.code_signature.timestamp': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'threat.enrichments.indicator.file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.code_signature.trusted': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.code_signature.valid': { + dashed_name: 'threat-enrichments-indicator-file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'threat.enrichments.indicator.file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the 
digital signature is verified against the binary content.', + type: 'boolean', + }, + 'threat.enrichments.indicator.file.created': { + dashed_name: 'threat-enrichments-indicator-file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'threat.enrichments.indicator.file.created', + level: 'extended', + name: 'created', + normalize: [], + original_fieldset: 'file', + short: 'File creation time.', + type: 'date', + }, + 'threat.enrichments.indicator.file.ctime': { + dashed_name: 'threat-enrichments-indicator-file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'threat.enrichments.indicator.file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'threat.enrichments.indicator.file.device': { + dashed_name: 'threat-enrichments-indicator-file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'threat.enrichments.indicator.file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + original_fieldset: 'file', + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.directory': { + dashed_name: 'threat-enrichments-indicator-file-directory', + description: + 'Directory where the file is located. 
It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'threat.enrichments.indicator.file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + original_fieldset: 'file', + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.drive_letter': { + dashed_name: 'threat-enrichments-indicator-file-drive-letter', + description: + 'Drive letter where the file is located. This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'threat.enrichments.indicator.file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + original_fieldset: 'file', + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.architecture': { + dashed_name: 'threat-enrichments-indicator-file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'threat.enrichments.indicator.file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.byte_order': { + dashed_name: 'threat-enrichments-indicator-file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'threat.enrichments.indicator.file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.cpu_type': { + dashed_name: 'threat-enrichments-indicator-file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 
'threat.enrichments.indicator.file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.creation_date': { + dashed_name: 'threat-enrichments-indicator-file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.", + flat_name: 'threat.enrichments.indicator.file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'threat.enrichments.indicator.file.elf.exports': { + dashed_name: 'threat-enrichments-indicator-file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'threat.enrichments.indicator.file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'threat.enrichments.indicator.file.elf.header.abi_version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'threat.enrichments.indicator.file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.class': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class 
of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.data': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'threat.enrichments.indicator.file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.entrypoint': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-entrypoint', + description: 'Header entrypoint of the ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.header.object_version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'threat.enrichments.indicator.file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.os_abi': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'threat.enrichments.indicator.file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-type', + description: 'Header type of the ELF file.', 
+ flat_name: 'threat.enrichments.indicator.file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.header.version': { + dashed_name: 'threat-enrichments-indicator-file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'threat.enrichments.indicator.file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.imports': { + dashed_name: 'threat-enrichments-indicator-file-elf-imports', + description: 'List of imported element names and types.', + flat_name: 'threat.enrichments.indicator.file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'threat.enrichments.indicator.file.elf.sections': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'threat.enrichments.indicator.file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'threat.enrichments.indicator.file.elf.sections.chi2': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 
'Chi-square probability distribution of the section.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.entropy': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.flags': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.name': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.physical_offset': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.physical_size': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-physical-size', + description: 'ELF Section 
List physical size.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_address': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual address.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.sections.virtual_size': { + dashed_name: 'threat-enrichments-indicator-file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'threat.enrichments.indicator.file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'threat.enrichments.indicator.file.elf.segments': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'threat.enrichments.indicator.file.elf.segments', + level: 
'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'threat.enrichments.indicator.file.elf.segments.sections': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'threat.enrichments.indicator.file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.segments.type': { + dashed_name: 'threat-enrichments-indicator-file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'threat.enrichments.indicator.file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.shared_libraries': { + dashed_name: 'threat-enrichments-indicator-file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'threat.enrichments.indicator.file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.elf.telfhash': { + dashed_name: 'threat-enrichments-indicator-file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'threat.enrichments.indicator.file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.extension': { + dashed_name: 'threat-enrichments-indicator-file-extension', 
+ description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.enrichments.indicator.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'file', + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.fork_name': { + dashed_name: 'threat-enrichments-indicator-file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. 
The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'threat.enrichments.indicator.file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + original_fieldset: 'file', + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.gid': { + dashed_name: 'threat-enrichments-indicator-file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'threat.enrichments.indicator.file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + original_fieldset: 'file', + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.group': { + dashed_name: 'threat-enrichments-indicator-file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'threat.enrichments.indicator.file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + original_fieldset: 'file', + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.md5': { + dashed_name: 'threat-enrichments-indicator-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha1': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha256': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha256', + description: 
'SHA256 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + short: 'SHA256 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha384': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.sha512': { + dashed_name: 'threat-enrichments-indicator-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'threat.enrichments.indicator.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.ssdeep': { + dashed_name: 'threat-enrichments-indicator-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'threat.enrichments.indicator.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.hash.tlsh': { + dashed_name: 'threat-enrichments-indicator-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'threat.enrichments.indicator.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.inode': { + dashed_name: 'threat-enrichments-indicator-file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'threat.enrichments.indicator.file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + 
normalize: [], + original_fieldset: 'file', + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mime_type': { + dashed_name: 'threat-enrichments-indicator-file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.', + flat_name: 'threat.enrichments.indicator.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + original_fieldset: 'file', + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mode': { + dashed_name: 'threat-enrichments-indicator-file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'threat.enrichments.indicator.file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + original_fieldset: 'file', + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.mtime': { + dashed_name: 'threat-enrichments-indicator-file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'threat.enrichments.indicator.file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file content was modified.', + type: 'date', + }, + 'threat.enrichments.indicator.file.name': { + dashed_name: 'threat-enrichments-indicator-file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'threat.enrichments.indicator.file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'file', + short: 'Name of the file including the extension, 
without the directory.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.owner': { + dashed_name: 'threat-enrichments-indicator-file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'threat.enrichments.indicator.file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + original_fieldset: 'file', + short: "File owner's username.", + type: 'keyword', + }, + 'threat.enrichments.indicator.file.path': { + dashed_name: 'threat-enrichments-indicator-file-path', + description: + 'Full path to the file, including the file name. It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'threat.enrichments.indicator.file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + original_fieldset: 'file', + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.architecture': { + dashed_name: 'threat-enrichments-indicator-file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'threat.enrichments.indicator.file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.company': { + dashed_name: 'threat-enrichments-indicator-file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'threat.enrichments.indicator.file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + 
type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.description': { + dashed_name: 'threat-enrichments-indicator-file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'threat.enrichments.indicator.file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.file_version': { + dashed_name: 'threat-enrichments-indicator-file-pe-file-version', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'threat.enrichments.indicator.file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.imphash': { + dashed_name: 'threat-enrichments-indicator-file-pe-imphash', + description: + 'A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'threat.enrichments.indicator.file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.original_file_name': { + dashed_name: 'threat-enrichments-indicator-file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'threat.enrichments.indicator.file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.pehash': { + dashed_name: 'threat-enrichments-indicator-file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'threat.enrichments.indicator.file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.pe.product': { + dashed_name: 'threat-enrichments-indicator-file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'threat.enrichments.indicator.file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.size': { + dashed_name: 'threat-enrichments-indicator-file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'threat.enrichments.indicator.file.size', + level: 'extended', + name: 'size', + normalize: [], + original_fieldset: 'file', + short: 'File size in bytes.', + type: 'long', + }, + 'threat.enrichments.indicator.file.target_path': { + dashed_name: 'threat-enrichments-indicator-file-target-path', + description: 'Target path for symlinks.', + flat_name: 'threat.enrichments.indicator.file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + original_fieldset: 'file', + short: 'Target path for symlinks.', + type: 'keyword', + }, + 
'threat.enrichments.indicator.file.type': { + dashed_name: 'threat-enrichments-indicator-file-type', + description: 'File type (file, dir, or symlink).', + example: 'file', + flat_name: 'threat.enrichments.indicator.file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'file', + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.uid': { + dashed_name: 'threat-enrichments-indicator-file-uid', + description: 'The user ID (UID) or security identifier (SID) of the file owner.', + example: '1001', + flat_name: 'threat.enrichments.indicator.file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + original_fieldset: 'file', + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.alternative_names': { + dashed_name: 'threat-enrichments-indicator-file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.enrichments.indicator.file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.common_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.country': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 
'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.locality': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.organization': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.enrichments.indicator.file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.issuer.state_or_province': { + dashed_name: 'threat-enrichments-indicator-file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 
'threat.enrichments.indicator.file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.not_after': { + dashed_name: 'threat-enrichments-indicator-file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.enrichments.indicator.file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.file.x509.not_before': { + dashed_name: 'threat-enrichments-indicator-file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.enrichments.indicator.file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.file.x509.public_key_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.enrichments.indicator.file.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.public_key_curve': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. 
This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.enrichments.indicator.file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.public_key_exponent': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.enrichments.indicator.file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.enrichments.indicator.file.x509.public_key_size': { + dashed_name: 'threat-enrichments-indicator-file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.enrichments.indicator.file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.enrichments.indicator.file.x509.serial_number': { + dashed_name: 'threat-enrichments-indicator-file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.enrichments.indicator.file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.signature_algorithm': { + dashed_name: 'threat-enrichments-indicator-file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.enrichments.indicator.file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.common_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.enrichments.indicator.file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.country': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.enrichments.indicator.file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 
'List of country \\(C) code', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.enrichments.indicator.file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.locality': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.enrichments.indicator.file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.organization': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.enrichments.indicator.file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.enrichments.indicator.file.x509.subject.organizational_unit', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.subject.state_or_province': { + dashed_name: 'threat-enrichments-indicator-file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.file.x509.version_number': { + dashed_name: 'threat-enrichments-indicator-file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.enrichments.indicator.file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.enrichments.indicator.first_seen': { + dashed_name: 'threat-enrichments-indicator-first-seen', + description: + 'The date and time when intelligence source first reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.enrichments.indicator.first_seen', + level: 'extended', + name: 'enrichments.indicator.first_seen', + normalize: [], + short: 'Date/time indicator was first reported.', + type: 'date', + }, + 'threat.enrichments.indicator.geo.city_name': { + dashed_name: 'threat-enrichments-indicator-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'threat.enrichments.indicator.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, 
+ 'threat.enrichments.indicator.geo.continent_code': { + dashed_name: 'threat-enrichments-indicator-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'threat.enrichments.indicator.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.continent_name': { + dashed_name: 'threat-enrichments-indicator-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'threat.enrichments.indicator.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.country_iso_code': { + dashed_name: 'threat-enrichments-indicator-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'threat.enrichments.indicator.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.country_name': { + dashed_name: 'threat-enrichments-indicator-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'threat.enrichments.indicator.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.location': { + dashed_name: 'threat-enrichments-indicator-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'threat.enrichments.indicator.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + 
short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'threat.enrichments.indicator.geo.name': { + dashed_name: 'threat-enrichments-indicator-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'threat.enrichments.indicator.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + short: 'User-defined description of a location.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.postal_code': { + dashed_name: 'threat-enrichments-indicator-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'threat.enrichments.indicator.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.region_iso_code': { + dashed_name: 'threat-enrichments-indicator-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'threat.enrichments.indicator.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'threat.enrichments.indicator.geo.region_name': { + dashed_name: 'threat-enrichments-indicator-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'threat.enrichments.indicator.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 
'keyword', + }, + 'threat.enrichments.indicator.geo.timezone': { + dashed_name: 'threat-enrichments-indicator-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'threat.enrichments.indicator.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'threat.enrichments.indicator.ip': { + dashed_name: 'threat-enrichments-indicator-ip', + description: 'Identifies a threat indicator as an IP address (irrespective of direction).', + example: '1.2.3.4', + flat_name: 'threat.enrichments.indicator.ip', + level: 'extended', + name: 'enrichments.indicator.ip', + normalize: [], + short: 'Indicator IP address', + type: 'ip', + }, + 'threat.enrichments.indicator.last_seen': { + dashed_name: 'threat-enrichments-indicator-last-seen', + description: + 'The date and time when intelligence source last reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.enrichments.indicator.last_seen', + level: 'extended', + name: 'enrichments.indicator.last_seen', + normalize: [], + short: 'Date/time indicator was last reported.', + type: 'date', + }, + 'threat.enrichments.indicator.marking.tlp.version': { + dashed_name: 'threat-enrichments-indicator-marking-tlp-version', + description: 'Traffic Light Protocol version.', + example: 2, + flat_name: 'threat.enrichments.indicator.marking.tlp.version', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.marking.tlp.version', + normalize: [], + short: 'Indicator TLP version', + type: 'keyword', + }, + 'threat.enrichments.indicator.modified_at': { + dashed_name: 'threat-enrichments-indicator-modified-at', + description: + 'The date and time when intelligence source last modified information for this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 
'threat.enrichments.indicator.modified_at', + level: 'extended', + name: 'enrichments.indicator.modified_at', + normalize: [], + short: 'Date/time indicator was last updated.', + type: 'date', + }, + 'threat.enrichments.indicator.port': { + dashed_name: 'threat-enrichments-indicator-port', + description: 'Identifies a threat indicator as a port number (irrespective of direction).', + example: 443, + flat_name: 'threat.enrichments.indicator.port', + level: 'extended', + name: 'enrichments.indicator.port', + normalize: [], + short: 'Indicator port', + type: 'long', + }, + 'threat.enrichments.indicator.provider': { + dashed_name: 'threat-enrichments-indicator-provider', + description: "The name of the indicator's provider.", + example: 'lrz_urlhaus', + flat_name: 'threat.enrichments.indicator.provider', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.provider', + normalize: [], + short: 'Indicator provider', + type: 'keyword', + }, + 'threat.enrichments.indicator.reference': { + dashed_name: 'threat-enrichments-indicator-reference', + description: 'Reference URL linking to additional information about this indicator.', + example: 'https://system.example.com/indicator/0001234', + flat_name: 'threat.enrichments.indicator.reference', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.reference', + normalize: [], + short: 'Indicator reference URL', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.data.bytes': { + dashed_name: 'threat-enrichments-indicator-registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'threat.enrichments.indicator.registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + original_fieldset: 'registry', + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.data.strings': { + dashed_name: 'threat-enrichments-indicator-registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'threat.enrichments.indicator.registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + original_fieldset: 'registry', + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.registry.data.type': { + dashed_name: 'threat-enrichments-indicator-registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'threat.enrichments.indicator.registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + original_fieldset: 'registry', + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.hive': { + dashed_name: 'threat-enrichments-indicator-registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'threat.enrichments.indicator.registry.hive', + ignore_above: 1024, + 
level: 'core', + name: 'hive', + normalize: [], + original_fieldset: 'registry', + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.key': { + dashed_name: 'threat-enrichments-indicator-registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'threat.enrichments.indicator.registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + original_fieldset: 'registry', + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.path': { + dashed_name: 'threat-enrichments-indicator-registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'threat.enrichments.indicator.registry.path', + ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + original_fieldset: 'registry', + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'threat.enrichments.indicator.registry.value': { + dashed_name: 'threat-enrichments-indicator-registry-value', + description: 'Name of the value written.', + example: 'Debugger', + flat_name: 'threat.enrichments.indicator.registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + original_fieldset: 'registry', + short: 'Name of the value written.', + type: 'keyword', + }, + 'threat.enrichments.indicator.scanner_stats': { + dashed_name: 'threat-enrichments-indicator-scanner-stats', + description: 'Count of AV/EDR vendors that successfully detected malicious file or URL.', + example: 4, + flat_name: 'threat.enrichments.indicator.scanner_stats', + level: 'extended', + name: 'enrichments.indicator.scanner_stats', + normalize: [], + short: 'Scanner statistics', + type: 'long', + }, + 
'threat.enrichments.indicator.sightings': { + dashed_name: 'threat-enrichments-indicator-sightings', + description: 'Number of times this indicator was observed conducting threat activity.', + example: 20, + flat_name: 'threat.enrichments.indicator.sightings', + level: 'extended', + name: 'enrichments.indicator.sightings', + normalize: [], + short: 'Number of times indicator observed', + type: 'long', + }, + 'threat.enrichments.indicator.type': { + dashed_name: 'threat-enrichments-indicator-type', + description: 'Type of indicator as represented by Cyber Observable in STIX 2.0.', + example: 'ipv4-addr', + expected_values: [ + 'autonomous-system', + 'artifact', + 'directory', + 'domain-name', + 'email-addr', + 'file', + 'ipv4-addr', + 'ipv6-addr', + 'mac-addr', + 'mutex', + 'port', + 'process', + 'software', + 'url', + 'user-account', + 'windows-registry-key', + 'x509-certificate', + ], + flat_name: 'threat.enrichments.indicator.type', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.indicator.type', + normalize: [], + short: 'Type of indicator', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.domain': { + dashed_name: 'threat-enrichments-indicator-url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'threat.enrichments.indicator.url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'url', + short: 'Domain of the url.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.extension': { + dashed_name: 'threat-enrichments-indicator-url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.enrichments.indicator.url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'url', + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.fragment': { + dashed_name: 'threat-enrichments-indicator-url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'threat.enrichments.indicator.url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + original_fieldset: 'url', + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.full': { + dashed_name: 'threat-enrichments-indicator-url-full', + description: + 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the 
event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'threat.enrichments.indicator.url.full', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'url', + short: 'Full unparsed URL.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.original': { + dashed_name: 'threat-enrichments-indicator-url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'threat.enrichments.indicator.url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.enrichments.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + original_fieldset: 'url', + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.password': { + dashed_name: 'threat-enrichments-indicator-url-password', + description: 'Password of the request.', + flat_name: 'threat.enrichments.indicator.url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + original_fieldset: 'url', + short: 'Password of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.path': { + dashed_name: 'threat-enrichments-indicator-url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'threat.enrichments.indicator.url.path', + level: 'extended', + name: 'path', + normalize: [], + original_fieldset: 'url', + short: 'Path of the request, such as 
"/search".', + type: 'wildcard', + }, + 'threat.enrichments.indicator.url.port': { + dashed_name: 'threat-enrichments-indicator-url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'threat.enrichments.indicator.url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + original_fieldset: 'url', + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'threat.enrichments.indicator.url.query': { + dashed_name: 'threat-enrichments-indicator-url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.', + flat_name: 'threat.enrichments.indicator.url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + original_fieldset: 'url', + short: 'Query string of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.registered_domain': { + dashed_name: 'threat-enrichments-indicator-url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'threat.enrichments.indicator.url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + original_fieldset: 'url', + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.scheme': { + dashed_name: 'threat-enrichments-indicator-url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'threat.enrichments.indicator.url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + original_fieldset: 'url', + short: 'Scheme of the url.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.subdomain': { + dashed_name: 'threat-enrichments-indicator-url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'threat.enrichments.indicator.url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + original_fieldset: 'url', + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.top_level_domain': { + dashed_name: 'threat-enrichments-indicator-url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'threat.enrichments.indicator.url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + original_fieldset: 'url', + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'threat.enrichments.indicator.url.username': { + dashed_name: 'threat-enrichments-indicator-url-username', + description: 'Username of the request.', + flat_name: 'threat.enrichments.indicator.url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + original_fieldset: 'url', + short: 'Username of the request.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.alternative_names': { + dashed_name: 'threat-enrichments-indicator-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.enrichments.indicator.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.common_name': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.country': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.enrichments.indicator.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.enrichments.indicator.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing 
certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.locality': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.enrichments.indicator.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.organization': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.enrichments.indicator.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.enrichments.indicator.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.issuer.state_or_province': { + dashed_name: 'threat-enrichments-indicator-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + 
normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.not_after': { + dashed_name: 'threat-enrichments-indicator-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.enrichments.indicator.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.x509.not_before': { + dashed_name: 'threat-enrichments-indicator-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.enrichments.indicator.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.enrichments.indicator.x509.public_key_algorithm': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.enrichments.indicator.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.public_key_curve': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. 
This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.enrichments.indicator.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.public_key_exponent': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.enrichments.indicator.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.enrichments.indicator.x509.public_key_size': { + dashed_name: 'threat-enrichments-indicator-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.enrichments.indicator.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.enrichments.indicator.x509.serial_number': { + dashed_name: 'threat-enrichments-indicator-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.enrichments.indicator.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.signature_algorithm': { + dashed_name: 'threat-enrichments-indicator-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.enrichments.indicator.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.common_name': { + dashed_name: 'threat-enrichments-indicator-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.enrichments.indicator.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.country': { + dashed_name: 'threat-enrichments-indicator-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.enrichments.indicator.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + 
}, + 'threat.enrichments.indicator.x509.subject.distinguished_name': { + dashed_name: 'threat-enrichments-indicator-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.enrichments.indicator.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.locality': { + dashed_name: 'threat-enrichments-indicator-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.enrichments.indicator.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.organization': { + dashed_name: 'threat-enrichments-indicator-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.enrichments.indicator.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.organizational_unit': { + dashed_name: 'threat-enrichments-indicator-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.enrichments.indicator.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + 
short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.subject.state_or_province': { + dashed_name: 'threat-enrichments-indicator-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.enrichments.indicator.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.enrichments.indicator.x509.version_number': { + dashed_name: 'threat-enrichments-indicator-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.enrichments.indicator.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.enrichments.matched.atomic': { + dashed_name: 'threat-enrichments-matched-atomic', + description: + 'Identifies the atomic indicator value that matched a local environment endpoint or network event.', + example: 'bad-domain.com', + flat_name: 'threat.enrichments.matched.atomic', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.atomic', + normalize: [], + short: 'Matched indicator value', + type: 'keyword', + }, + 'threat.enrichments.matched.field': { + dashed_name: 'threat-enrichments-matched-field', + description: + 'Identifies the field of the atomic indicator that matched a local environment endpoint or network event.', + example: 'file.hash.sha256', + flat_name: 'threat.enrichments.matched.field', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.field', + normalize: [], + short: 'Matched indicator field', + type: 'keyword', + }, + 'threat.enrichments.matched.id': { + dashed_name: 
'threat-enrichments-matched-id', + description: 'Identifies the _id of the indicator document enriching the event.', + example: 'ff93aee5-86a1-4a61-b0e6-0cdc313d01b5', + flat_name: 'threat.enrichments.matched.id', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.id', + normalize: [], + short: 'Matched indicator identifier', + type: 'keyword', + }, + 'threat.enrichments.matched.index': { + dashed_name: 'threat-enrichments-matched-index', + description: 'Identifies the _index of the indicator document enriching the event.', + example: 'filebeat-8.0.0-2021.05.23-000011', + flat_name: 'threat.enrichments.matched.index', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.index', + normalize: [], + short: 'Matched indicator index', + type: 'keyword', + }, + 'threat.enrichments.matched.occurred': { + dashed_name: 'threat-enrichments-matched-occurred', + description: 'Indicates when the indicator match was generated', + example: '2021-10-05T17:00:58.326Z', + flat_name: 'threat.enrichments.matched.occurred', + level: 'extended', + name: 'enrichments.matched.occurred', + normalize: [], + short: 'Date of match', + type: 'date', + }, + 'threat.enrichments.matched.type': { + dashed_name: 'threat-enrichments-matched-type', + description: + 'Identifies the type of match that caused the event to be enriched with the given indicator', + example: 'indicator_match_rule', + flat_name: 'threat.enrichments.matched.type', + ignore_above: 1024, + level: 'extended', + name: 'enrichments.matched.type', + normalize: [], + short: 'Type of indicator match', + type: 'keyword', + }, + 'threat.feed.dashboard_id': { + dashed_name: 'threat-feed-dashboard-id', + description: + 'The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana.', + example: '5ba16340-72e6-11eb-a3e3-b3cc7c78a70f', + flat_name: 'threat.feed.dashboard_id', + ignore_above: 1024, + level: 'extended', + name: 
'feed.dashboard_id', + normalize: [], + short: 'Feed dashboard ID.', + type: 'keyword', + }, + 'threat.feed.description': { + dashed_name: 'threat-feed-description', + description: 'Description of the threat feed in a UI friendly format.', + example: 'Threat feed from the AlienVault Open Threat eXchange network.', + flat_name: 'threat.feed.description', + ignore_above: 1024, + level: 'extended', + name: 'feed.description', + normalize: [], + short: 'Description of the threat feed.', + type: 'keyword', + }, + 'threat.feed.name': { + dashed_name: 'threat-feed-name', + description: 'The name of the threat feed in UI friendly format.', + example: 'AlienVault OTX', + flat_name: 'threat.feed.name', + ignore_above: 1024, + level: 'extended', + name: 'feed.name', + normalize: [], + short: 'Name of the threat feed.', + type: 'keyword', + }, + 'threat.feed.reference': { + dashed_name: 'threat-feed-reference', + description: 'Reference information for the threat feed in a UI friendly format.', + example: 'https://otx.alienvault.com', + flat_name: 'threat.feed.reference', + ignore_above: 1024, + level: 'extended', + name: 'feed.reference', + normalize: [], + short: 'Reference for the threat feed.', + type: 'keyword', + }, + 'threat.framework': { + dashed_name: 'threat-framework', + description: + 'Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. 
Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.', + example: 'MITRE ATT&CK', + flat_name: 'threat.framework', + ignore_above: 1024, + level: 'extended', + name: 'framework', + normalize: [], + short: 'Threat classification framework.', + type: 'keyword', + }, + 'threat.group.alias': { + dashed_name: 'threat-group-alias', + description: + 'The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group alias(es).', + example: '[ "Magecart Group 6" ]', + flat_name: 'threat.group.alias', + ignore_above: 1024, + level: 'extended', + name: 'group.alias', + normalize: ['array'], + short: 'Alias of the group.', + type: 'keyword', + }, + 'threat.group.id': { + dashed_name: 'threat-group-id', + description: + 'The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group id.', + example: 'G0037', + flat_name: 'threat.group.id', + ignore_above: 1024, + level: 'extended', + name: 'group.id', + normalize: [], + short: 'ID of the group.', + type: 'keyword', + }, + 'threat.group.name': { + dashed_name: 'threat-group-name', + description: + 'The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® group name.', + example: 'FIN6', + flat_name: 'threat.group.name', + ignore_above: 1024, + level: 'extended', + name: 'group.name', + normalize: [], + short: 'Name of the group.', + type: 'keyword', + }, + 'threat.group.reference': { + dashed_name: 'threat-group-reference', + description: + 'The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® 
group reference URL.', + example: 'https://attack.mitre.org/groups/G0037/', + flat_name: 'threat.group.reference', + ignore_above: 1024, + level: 'extended', + name: 'group.reference', + normalize: [], + short: 'Reference URL of the group.', + type: 'keyword', + }, + 'threat.indicator.as.number': { + dashed_name: 'threat-indicator-as-number', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + flat_name: 'threat.indicator.as.number', + level: 'extended', + name: 'number', + normalize: [], + original_fieldset: 'as', + short: 'Unique number allocated to the autonomous system.', + type: 'long', + }, + 'threat.indicator.as.organization.name': { + dashed_name: 'threat-indicator-as-organization-name', + description: 'Organization name.', + example: 'Google LLC', + flat_name: 'threat.indicator.as.organization.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.as.organization.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'organization.name', + normalize: [], + original_fieldset: 'as', + short: 'Organization name.', + type: 'keyword', + }, + 'threat.indicator.confidence': { + dashed_name: 'threat-indicator-confidence', + description: + 'Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. 
Vendor-specific confidence scales may be added as custom fields.', + example: 'Medium', + expected_values: ['Not Specified', 'None', 'Low', 'Medium', 'High'], + flat_name: 'threat.indicator.confidence', + ignore_above: 1024, + level: 'extended', + name: 'indicator.confidence', + normalize: [], + short: 'Indicator confidence rating', + type: 'keyword', + }, + 'threat.indicator.description': { + dashed_name: 'threat-indicator-description', + description: 'Describes the type of action conducted by the threat.', + example: 'IP x.x.x.x was observed delivering the Angler EK.', + flat_name: 'threat.indicator.description', + ignore_above: 1024, + level: 'extended', + name: 'indicator.description', + normalize: [], + short: 'Indicator description', + type: 'keyword', + }, + 'threat.indicator.email.address': { + dashed_name: 'threat-indicator-email-address', + description: + 'Identifies a threat indicator as an email address (irrespective of direction).', + example: 'phish@example.com', + flat_name: 'threat.indicator.email.address', + ignore_above: 1024, + level: 'extended', + name: 'indicator.email.address', + normalize: [], + short: 'Indicator email address', + type: 'keyword', + }, + 'threat.indicator.file.accessed': { + dashed_name: 'threat-indicator-file-accessed', + description: + 'Last time the file was accessed.\nNote that not all filesystems keep track of access time.', + flat_name: 'threat.indicator.file.accessed', + level: 'extended', + name: 'accessed', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file was accessed.', + type: 'date', + }, + 'threat.indicator.file.attributes': { + dashed_name: 'threat-indicator-file-attributes', + description: + "Array of file attributes.\nAttributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.", + example: '["readonly", "system"]', + flat_name: 'threat.indicator.file.attributes', + ignore_above: 1024, + level: 'extended', + name: 'attributes', + normalize: ['array'], + original_fieldset: 'file', + short: 'Array of file attributes.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.digest_algorithm': { + dashed_name: 'threat-indicator-file-code-signature-digest-algorithm', + description: + 'The hashing algorithm used to sign the process.\nThis value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.', + example: 'sha256', + flat_name: 'threat.indicator.file.code_signature.digest_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'digest_algorithm', + normalize: [], + original_fieldset: 'code_signature', + short: 'Hashing algorithm used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.exists': { + dashed_name: 'threat-indicator-file-code-signature-exists', + description: 'Boolean to capture if a signature is present.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.exists', + level: 'core', + name: 'exists', + normalize: [], + original_fieldset: 'code_signature', + short: 'Boolean to capture if a signature is present.', + type: 'boolean', + }, + 'threat.indicator.file.code_signature.signing_id': { + dashed_name: 'threat-indicator-file-code-signature-signing-id', + description: + 'The identifier used to sign the process.\nThis is used to identify the application manufactured by a software vendor. 
The field is relevant to Apple *OS only.', + example: 'com.apple.xpc.proxy', + flat_name: 'threat.indicator.file.code_signature.signing_id', + ignore_above: 1024, + level: 'extended', + name: 'signing_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The identifier used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.status': { + dashed_name: 'threat-indicator-file-code-signature-status', + description: + 'Additional information about the certificate status.\nThis is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.', + example: 'ERROR_UNTRUSTED_ROOT', + flat_name: 'threat.indicator.file.code_signature.status', + ignore_above: 1024, + level: 'extended', + name: 'status', + normalize: [], + original_fieldset: 'code_signature', + short: 'Additional information about the certificate status.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.subject_name': { + dashed_name: 'threat-indicator-file-code-signature-subject-name', + description: 'Subject name of the code signer', + example: 'Microsoft Corporation', + flat_name: 'threat.indicator.file.code_signature.subject_name', + ignore_above: 1024, + level: 'core', + name: 'subject_name', + normalize: [], + original_fieldset: 'code_signature', + short: 'Subject name of the code signer', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.team_id': { + dashed_name: 'threat-indicator-file-code-signature-team-id', + description: + 'The team identifier used to sign the process.\nThis is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only.', + example: 'EQHXZ8M8AV', + flat_name: 'threat.indicator.file.code_signature.team_id', + ignore_above: 1024, + level: 'extended', + name: 'team_id', + normalize: [], + original_fieldset: 'code_signature', + short: 'The team identifier used to sign the process.', + type: 'keyword', + }, + 'threat.indicator.file.code_signature.timestamp': { + dashed_name: 'threat-indicator-file-code-signature-timestamp', + description: 'Date and time when the code signature was generated and signed.', + example: '2021-01-01T12:10:30Z', + flat_name: 'threat.indicator.file.code_signature.timestamp', + level: 'extended', + name: 'timestamp', + normalize: [], + original_fieldset: 'code_signature', + short: 'When the signature was generated and signed.', + type: 'date', + }, + 'threat.indicator.file.code_signature.trusted': { + dashed_name: 'threat-indicator-file-code-signature-trusted', + description: + 'Stores the trust status of the certificate chain.\nValidating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.trusted', + level: 'extended', + name: 'trusted', + normalize: [], + original_fieldset: 'code_signature', + short: 'Stores the trust status of the certificate chain.', + type: 'boolean', + }, + 'threat.indicator.file.code_signature.valid': { + dashed_name: 'threat-indicator-file-code-signature-valid', + description: + 'Boolean to capture if the digital signature is verified against the binary content.\nLeave unpopulated if a certificate was unchecked.', + example: 'true', + flat_name: 'threat.indicator.file.code_signature.valid', + level: 'extended', + name: 'valid', + normalize: [], + original_fieldset: 'code_signature', + short: + 'Boolean to capture if the digital signature is verified against the binary content.', + type: 'boolean', + }, + 'threat.indicator.file.created': { + 
dashed_name: 'threat-indicator-file-created', + description: 'File creation time.\nNote that not all filesystems store the creation time.', + flat_name: 'threat.indicator.file.created', + level: 'extended', + name: 'created', + normalize: [], + original_fieldset: 'file', + short: 'File creation time.', + type: 'date', + }, + 'threat.indicator.file.ctime': { + dashed_name: 'threat-indicator-file-ctime', + description: + 'Last time the file attributes or metadata changed.\nNote that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.', + flat_name: 'threat.indicator.file.ctime', + level: 'extended', + name: 'ctime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file attributes or metadata changed.', + type: 'date', + }, + 'threat.indicator.file.device': { + dashed_name: 'threat-indicator-file-device', + description: 'Device that is the source of the file.', + example: 'sda', + flat_name: 'threat.indicator.file.device', + ignore_above: 1024, + level: 'extended', + name: 'device', + normalize: [], + original_fieldset: 'file', + short: 'Device that is the source of the file.', + type: 'keyword', + }, + 'threat.indicator.file.directory': { + dashed_name: 'threat-indicator-file-directory', + description: + 'Directory where the file is located. It should include the drive letter, when appropriate.', + example: '/home/alice', + flat_name: 'threat.indicator.file.directory', + ignore_above: 1024, + level: 'extended', + name: 'directory', + normalize: [], + original_fieldset: 'file', + short: 'Directory where the file is located.', + type: 'keyword', + }, + 'threat.indicator.file.drive_letter': { + dashed_name: 'threat-indicator-file-drive-letter', + description: + 'Drive letter where the file is located. 
This field is only relevant on Windows.\nThe value should be uppercase, and not include the colon.', + example: 'C', + flat_name: 'threat.indicator.file.drive_letter', + ignore_above: 1, + level: 'extended', + name: 'drive_letter', + normalize: [], + original_fieldset: 'file', + short: 'Drive letter where the file is located.', + type: 'keyword', + }, + 'threat.indicator.file.elf.architecture': { + dashed_name: 'threat-indicator-file-elf-architecture', + description: 'Machine architecture of the ELF file.', + example: 'x86-64', + flat_name: 'threat.indicator.file.elf.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'elf', + short: 'Machine architecture of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.byte_order': { + dashed_name: 'threat-indicator-file-elf-byte-order', + description: 'Byte sequence of ELF file.', + example: 'Little Endian', + flat_name: 'threat.indicator.file.elf.byte_order', + ignore_above: 1024, + level: 'extended', + name: 'byte_order', + normalize: [], + original_fieldset: 'elf', + short: 'Byte sequence of ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.cpu_type': { + dashed_name: 'threat-indicator-file-elf-cpu-type', + description: 'CPU type of the ELF file.', + example: 'Intel', + flat_name: 'threat.indicator.file.elf.cpu_type', + ignore_above: 1024, + level: 'extended', + name: 'cpu_type', + normalize: [], + original_fieldset: 'elf', + short: 'CPU type of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.creation_date': { + dashed_name: 'threat-indicator-file-elf-creation-date', + description: + "Extracted when possible from the file's metadata. Indicates when it was built or compiled. 
It can also be faked by malware creators.", + flat_name: 'threat.indicator.file.elf.creation_date', + level: 'extended', + name: 'creation_date', + normalize: [], + original_fieldset: 'elf', + short: 'Build or compile date.', + type: 'date', + }, + 'threat.indicator.file.elf.exports': { + dashed_name: 'threat-indicator-file-elf-exports', + description: 'List of exported element names and types.', + flat_name: 'threat.indicator.file.elf.exports', + level: 'extended', + name: 'exports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of exported element names and types.', + type: 'flattened', + }, + 'threat.indicator.file.elf.header.abi_version': { + dashed_name: 'threat-indicator-file-elf-header-abi-version', + description: 'Version of the ELF Application Binary Interface (ABI).', + flat_name: 'threat.indicator.file.elf.header.abi_version', + ignore_above: 1024, + level: 'extended', + name: 'header.abi_version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF Application Binary Interface (ABI).', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.class': { + dashed_name: 'threat-indicator-file-elf-header-class', + description: 'Header class of the ELF file.', + flat_name: 'threat.indicator.file.elf.header.class', + ignore_above: 1024, + level: 'extended', + name: 'header.class', + normalize: [], + original_fieldset: 'elf', + short: 'Header class of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.data': { + dashed_name: 'threat-indicator-file-elf-header-data', + description: 'Data table of the ELF header.', + flat_name: 'threat.indicator.file.elf.header.data', + ignore_above: 1024, + level: 'extended', + name: 'header.data', + normalize: [], + original_fieldset: 'elf', + short: 'Data table of the ELF header.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.entrypoint': { + dashed_name: 'threat-indicator-file-elf-header-entrypoint', + description: 'Header entrypoint of the 
ELF file.', + flat_name: 'threat.indicator.file.elf.header.entrypoint', + format: 'string', + level: 'extended', + name: 'header.entrypoint', + normalize: [], + original_fieldset: 'elf', + short: 'Header entrypoint of the ELF file.', + type: 'long', + }, + 'threat.indicator.file.elf.header.object_version': { + dashed_name: 'threat-indicator-file-elf-header-object-version', + description: '"0x1" for original ELF files.', + flat_name: 'threat.indicator.file.elf.header.object_version', + ignore_above: 1024, + level: 'extended', + name: 'header.object_version', + normalize: [], + original_fieldset: 'elf', + short: '"0x1" for original ELF files.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.os_abi': { + dashed_name: 'threat-indicator-file-elf-header-os-abi', + description: 'Application Binary Interface (ABI) of the Linux OS.', + flat_name: 'threat.indicator.file.elf.header.os_abi', + ignore_above: 1024, + level: 'extended', + name: 'header.os_abi', + normalize: [], + original_fieldset: 'elf', + short: 'Application Binary Interface (ABI) of the Linux OS.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.type': { + dashed_name: 'threat-indicator-file-elf-header-type', + description: 'Header type of the ELF file.', + flat_name: 'threat.indicator.file.elf.header.type', + ignore_above: 1024, + level: 'extended', + name: 'header.type', + normalize: [], + original_fieldset: 'elf', + short: 'Header type of the ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.elf.header.version': { + dashed_name: 'threat-indicator-file-elf-header-version', + description: 'Version of the ELF header.', + flat_name: 'threat.indicator.file.elf.header.version', + ignore_above: 1024, + level: 'extended', + name: 'header.version', + normalize: [], + original_fieldset: 'elf', + short: 'Version of the ELF header.', + type: 'keyword', + }, + 'threat.indicator.file.elf.imports': { + dashed_name: 'threat-indicator-file-elf-imports', + description: 'List of imported 
element names and types.', + flat_name: 'threat.indicator.file.elf.imports', + level: 'extended', + name: 'imports', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of imported element names and types.', + type: 'flattened', + }, + 'threat.indicator.file.elf.sections': { + dashed_name: 'threat-indicator-file-elf-sections', + description: + 'An array containing an object for each section of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.', + flat_name: 'threat.indicator.file.elf.sections', + level: 'extended', + name: 'sections', + normalize: ['array'], + original_fieldset: 'elf', + short: 'Section information of the ELF file.', + type: 'nested', + }, + 'threat.indicator.file.elf.sections.chi2': { + dashed_name: 'threat-indicator-file-elf-sections-chi2', + description: 'Chi-square probability distribution of the section.', + flat_name: 'threat.indicator.file.elf.sections.chi2', + format: 'number', + level: 'extended', + name: 'sections.chi2', + normalize: [], + original_fieldset: 'elf', + short: 'Chi-square probability distribution of the section.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.entropy': { + dashed_name: 'threat-indicator-file-elf-sections-entropy', + description: 'Shannon entropy calculation from the section.', + flat_name: 'threat.indicator.file.elf.sections.entropy', + format: 'number', + level: 'extended', + name: 'sections.entropy', + normalize: [], + original_fieldset: 'elf', + short: 'Shannon entropy calculation from the section.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.flags': { + dashed_name: 'threat-indicator-file-elf-sections-flags', + description: 'ELF Section List flags.', + flat_name: 'threat.indicator.file.elf.sections.flags', + ignore_above: 1024, + level: 'extended', + name: 'sections.flags', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List flags.', + type: 'keyword', + }, + 
'threat.indicator.file.elf.sections.name': { + dashed_name: 'threat-indicator-file-elf-sections-name', + description: 'ELF Section List name.', + flat_name: 'threat.indicator.file.elf.sections.name', + ignore_above: 1024, + level: 'extended', + name: 'sections.name', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List name.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.physical_offset': { + dashed_name: 'threat-indicator-file-elf-sections-physical-offset', + description: 'ELF Section List offset.', + flat_name: 'threat.indicator.file.elf.sections.physical_offset', + ignore_above: 1024, + level: 'extended', + name: 'sections.physical_offset', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List offset.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.physical_size': { + dashed_name: 'threat-indicator-file-elf-sections-physical-size', + description: 'ELF Section List physical size.', + flat_name: 'threat.indicator.file.elf.sections.physical_size', + format: 'bytes', + level: 'extended', + name: 'sections.physical_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List physical size.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.type': { + dashed_name: 'threat-indicator-file-elf-sections-type', + description: 'ELF Section List type.', + flat_name: 'threat.indicator.file.elf.sections.type', + ignore_above: 1024, + level: 'extended', + name: 'sections.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List type.', + type: 'keyword', + }, + 'threat.indicator.file.elf.sections.virtual_address': { + dashed_name: 'threat-indicator-file-elf-sections-virtual-address', + description: 'ELF Section List virtual address.', + flat_name: 'threat.indicator.file.elf.sections.virtual_address', + format: 'string', + level: 'extended', + name: 'sections.virtual_address', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual 
address.', + type: 'long', + }, + 'threat.indicator.file.elf.sections.virtual_size': { + dashed_name: 'threat-indicator-file-elf-sections-virtual-size', + description: 'ELF Section List virtual size.', + flat_name: 'threat.indicator.file.elf.sections.virtual_size', + format: 'string', + level: 'extended', + name: 'sections.virtual_size', + normalize: [], + original_fieldset: 'elf', + short: 'ELF Section List virtual size.', + type: 'long', + }, + 'threat.indicator.file.elf.segments': { + dashed_name: 'threat-indicator-file-elf-segments', + description: + 'An array containing an object for each segment of the ELF file.\nThe keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.', + flat_name: 'threat.indicator.file.elf.segments', + level: 'extended', + name: 'segments', + normalize: ['array'], + original_fieldset: 'elf', + short: 'ELF object segment list.', + type: 'nested', + }, + 'threat.indicator.file.elf.segments.sections': { + dashed_name: 'threat-indicator-file-elf-segments-sections', + description: 'ELF object segment sections.', + flat_name: 'threat.indicator.file.elf.segments.sections', + ignore_above: 1024, + level: 'extended', + name: 'segments.sections', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment sections.', + type: 'keyword', + }, + 'threat.indicator.file.elf.segments.type': { + dashed_name: 'threat-indicator-file-elf-segments-type', + description: 'ELF object segment type.', + flat_name: 'threat.indicator.file.elf.segments.type', + ignore_above: 1024, + level: 'extended', + name: 'segments.type', + normalize: [], + original_fieldset: 'elf', + short: 'ELF object segment type.', + type: 'keyword', + }, + 'threat.indicator.file.elf.shared_libraries': { + dashed_name: 'threat-indicator-file-elf-shared-libraries', + description: 'List of shared libraries used by this ELF object.', + flat_name: 'threat.indicator.file.elf.shared_libraries', + ignore_above: 1024, + level: 'extended', + 
name: 'shared_libraries', + normalize: ['array'], + original_fieldset: 'elf', + short: 'List of shared libraries used by this ELF object.', + type: 'keyword', + }, + 'threat.indicator.file.elf.telfhash': { + dashed_name: 'threat-indicator-file-elf-telfhash', + description: 'telfhash symbol hash for ELF file.', + flat_name: 'threat.indicator.file.elf.telfhash', + ignore_above: 1024, + level: 'extended', + name: 'telfhash', + normalize: [], + original_fieldset: 'elf', + short: 'telfhash hash for ELF file.', + type: 'keyword', + }, + 'threat.indicator.file.extension': { + dashed_name: 'threat-indicator-file-extension', + description: + 'File extension, excluding the leading dot.\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.indicator.file.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'file', + short: 'File extension, excluding the leading dot.', + type: 'keyword', + }, + 'threat.indicator.file.fork_name': { + dashed_name: 'threat-indicator-file-fork-name', + description: + 'A fork is additional data associated with a filesystem object.\nOn Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.\nOn NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\\path\\to\\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. 
The full path, `file.path`, will include the fork name.', + example: 'Zone.Identifer', + flat_name: 'threat.indicator.file.fork_name', + ignore_above: 1024, + level: 'extended', + name: 'fork_name', + normalize: [], + original_fieldset: 'file', + short: 'A fork is additional data associated with a filesystem object.', + type: 'keyword', + }, + 'threat.indicator.file.gid': { + dashed_name: 'threat-indicator-file-gid', + description: 'Primary group ID (GID) of the file.', + example: '1001', + flat_name: 'threat.indicator.file.gid', + ignore_above: 1024, + level: 'extended', + name: 'gid', + normalize: [], + original_fieldset: 'file', + short: 'Primary group ID (GID) of the file.', + type: 'keyword', + }, + 'threat.indicator.file.group': { + dashed_name: 'threat-indicator-file-group', + description: 'Primary group name of the file.', + example: 'alice', + flat_name: 'threat.indicator.file.group', + ignore_above: 1024, + level: 'extended', + name: 'group', + normalize: [], + original_fieldset: 'file', + short: 'Primary group name of the file.', + type: 'keyword', + }, + 'threat.indicator.file.hash.md5': { + dashed_name: 'threat-indicator-file-hash-md5', + description: 'MD5 hash.', + flat_name: 'threat.indicator.file.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'md5', + normalize: [], + original_fieldset: 'hash', + short: 'MD5 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha1': { + dashed_name: 'threat-indicator-file-hash-sha1', + description: 'SHA1 hash.', + flat_name: 'threat.indicator.file.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'sha1', + normalize: [], + original_fieldset: 'hash', + short: 'SHA1 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha256': { + dashed_name: 'threat-indicator-file-hash-sha256', + description: 'SHA256 hash.', + flat_name: 'threat.indicator.file.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'sha256', + normalize: [], + original_fieldset: 'hash', + 
short: 'SHA256 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha384': { + dashed_name: 'threat-indicator-file-hash-sha384', + description: 'SHA384 hash.', + flat_name: 'threat.indicator.file.hash.sha384', + ignore_above: 1024, + level: 'extended', + name: 'sha384', + normalize: [], + original_fieldset: 'hash', + short: 'SHA384 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.sha512': { + dashed_name: 'threat-indicator-file-hash-sha512', + description: 'SHA512 hash.', + flat_name: 'threat.indicator.file.hash.sha512', + ignore_above: 1024, + level: 'extended', + name: 'sha512', + normalize: [], + original_fieldset: 'hash', + short: 'SHA512 hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.ssdeep': { + dashed_name: 'threat-indicator-file-hash-ssdeep', + description: 'SSDEEP hash.', + flat_name: 'threat.indicator.file.hash.ssdeep', + ignore_above: 1024, + level: 'extended', + name: 'ssdeep', + normalize: [], + original_fieldset: 'hash', + short: 'SSDEEP hash.', + type: 'keyword', + }, + 'threat.indicator.file.hash.tlsh': { + dashed_name: 'threat-indicator-file-hash-tlsh', + description: 'TLSH hash.', + flat_name: 'threat.indicator.file.hash.tlsh', + ignore_above: 1024, + level: 'extended', + name: 'tlsh', + normalize: [], + original_fieldset: 'hash', + short: 'TLSH hash.', + type: 'keyword', + }, + 'threat.indicator.file.inode': { + dashed_name: 'threat-indicator-file-inode', + description: 'Inode representing the file in the filesystem.', + example: '256383', + flat_name: 'threat.indicator.file.inode', + ignore_above: 1024, + level: 'extended', + name: 'inode', + normalize: [], + original_fieldset: 'file', + short: 'Inode representing the file in the filesystem.', + type: 'keyword', + }, + 'threat.indicator.file.mime_type': { + dashed_name: 'threat-indicator-file-mime-type', + description: + 'MIME type should identify the format of the file or stream of bytes using 
https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.', + flat_name: 'threat.indicator.file.mime_type', + ignore_above: 1024, + level: 'extended', + name: 'mime_type', + normalize: [], + original_fieldset: 'file', + short: 'Media type of file, document, or arrangement of bytes.', + type: 'keyword', + }, + 'threat.indicator.file.mode': { + dashed_name: 'threat-indicator-file-mode', + description: 'Mode of the file in octal representation.', + example: '0640', + flat_name: 'threat.indicator.file.mode', + ignore_above: 1024, + level: 'extended', + name: 'mode', + normalize: [], + original_fieldset: 'file', + short: 'Mode of the file in octal representation.', + type: 'keyword', + }, + 'threat.indicator.file.mtime': { + dashed_name: 'threat-indicator-file-mtime', + description: 'Last time the file content was modified.', + flat_name: 'threat.indicator.file.mtime', + level: 'extended', + name: 'mtime', + normalize: [], + original_fieldset: 'file', + short: 'Last time the file content was modified.', + type: 'date', + }, + 'threat.indicator.file.name': { + dashed_name: 'threat-indicator-file-name', + description: 'Name of the file including the extension, without the directory.', + example: 'example.png', + flat_name: 'threat.indicator.file.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'file', + short: 'Name of the file including the extension, without the directory.', + type: 'keyword', + }, + 'threat.indicator.file.owner': { + dashed_name: 'threat-indicator-file-owner', + description: "File owner's username.", + example: 'alice', + flat_name: 'threat.indicator.file.owner', + ignore_above: 1024, + level: 'extended', + name: 'owner', + normalize: [], + original_fieldset: 'file', + short: "File owner's username.", + type: 'keyword', + }, + 'threat.indicator.file.path': { + dashed_name: 
'threat-indicator-file-path', + description: + 'Full path to the file, including the file name. It should include the drive letter, when appropriate.', + example: '/home/alice/example.png', + flat_name: 'threat.indicator.file.path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.file.path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'path', + normalize: [], + original_fieldset: 'file', + short: 'Full path to the file, including the file name.', + type: 'keyword', + }, + 'threat.indicator.file.pe.architecture': { + dashed_name: 'threat-indicator-file-pe-architecture', + description: 'CPU architecture target for the file.', + example: 'x64', + flat_name: 'threat.indicator.file.pe.architecture', + ignore_above: 1024, + level: 'extended', + name: 'architecture', + normalize: [], + original_fieldset: 'pe', + short: 'CPU architecture target for the file.', + type: 'keyword', + }, + 'threat.indicator.file.pe.company': { + dashed_name: 'threat-indicator-file-pe-company', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + flat_name: 'threat.indicator.file.pe.company', + ignore_above: 1024, + level: 'extended', + name: 'company', + normalize: [], + original_fieldset: 'pe', + short: 'Internal company name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.description': { + dashed_name: 'threat-indicator-file-pe-description', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + flat_name: 'threat.indicator.file.pe.description', + ignore_above: 1024, + level: 'extended', + name: 'description', + normalize: [], + original_fieldset: 'pe', + short: 'Internal description of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.file_version': { + dashed_name: 'threat-indicator-file-pe-file-version', + description: 'Internal 
version of the file, provided at compile-time.', + example: '6.3.9600.17415', + flat_name: 'threat.indicator.file.pe.file_version', + ignore_above: 1024, + level: 'extended', + name: 'file_version', + normalize: [], + original_fieldset: 'pe', + short: 'Process name.', + type: 'keyword', + }, + 'threat.indicator.file.pe.imphash': { + dashed_name: 'threat-indicator-file-pe-imphash', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.\nLearn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + flat_name: 'threat.indicator.file.pe.imphash', + ignore_above: 1024, + level: 'extended', + name: 'imphash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the imports in a PE file.', + type: 'keyword', + }, + 'threat.indicator.file.pe.original_file_name': { + dashed_name: 'threat-indicator-file-pe-original-file-name', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + flat_name: 'threat.indicator.file.pe.original_file_name', + ignore_above: 1024, + level: 'extended', + name: 'original_file_name', + normalize: [], + original_fieldset: 'pe', + short: 'Internal name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.pe.pehash': { + dashed_name: 'threat-indicator-file-pe-pehash', + description: + 'A hash of the PE header and data from one or more PE sections. 
An pehash can be used to cluster files by transforming structural information about a file into a hash value.\nLearn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.', + example: '73ff189b63cd6be375a7ff25179a38d347651975', + flat_name: 'threat.indicator.file.pe.pehash', + ignore_above: 1024, + level: 'extended', + name: 'pehash', + normalize: [], + original_fieldset: 'pe', + short: 'A hash of the PE header and data from one or more PE sections.', + type: 'keyword', + }, + 'threat.indicator.file.pe.product': { + dashed_name: 'threat-indicator-file-pe-product', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + flat_name: 'threat.indicator.file.pe.product', + ignore_above: 1024, + level: 'extended', + name: 'product', + normalize: [], + original_fieldset: 'pe', + short: 'Internal product name of the file, provided at compile-time.', + type: 'keyword', + }, + 'threat.indicator.file.size': { + dashed_name: 'threat-indicator-file-size', + description: 'File size in bytes.\nOnly relevant when `file.type` is "file".', + example: 16384, + flat_name: 'threat.indicator.file.size', + level: 'extended', + name: 'size', + normalize: [], + original_fieldset: 'file', + short: 'File size in bytes.', + type: 'long', + }, + 'threat.indicator.file.target_path': { + dashed_name: 'threat-indicator-file-target-path', + description: 'Target path for symlinks.', + flat_name: 'threat.indicator.file.target_path', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.file.target_path.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'target_path', + normalize: [], + original_fieldset: 'file', + short: 'Target path for symlinks.', + type: 'keyword', + }, + 'threat.indicator.file.type': { + dashed_name: 'threat-indicator-file-type', + description: 'File type (file, dir, or symlink).', + example: 
'file', + flat_name: 'threat.indicator.file.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'file', + short: 'File type (file, dir, or symlink).', + type: 'keyword', + }, + 'threat.indicator.file.uid': { + dashed_name: 'threat-indicator-file-uid', + description: 'The user ID (UID) or security identifier (SID) of the file owner.', + example: '1001', + flat_name: 'threat.indicator.file.uid', + ignore_above: 1024, + level: 'extended', + name: 'uid', + normalize: [], + original_fieldset: 'file', + short: 'The user ID (UID) or security identifier (SID) of the file owner.', + type: 'keyword', + }, + 'threat.indicator.file.x509.alternative_names': { + dashed_name: 'threat-indicator-file-x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.indicator.file.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.common_name': { + dashed_name: 'threat-indicator-file-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.file.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.country': { + dashed_name: 'threat-indicator-file-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 
'threat.indicator.file.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.distinguished_name': { + dashed_name: 'threat-indicator-file-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.file.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.locality': { + dashed_name: 'threat-indicator-file-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.indicator.file.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.organization': { + dashed_name: 'threat-indicator-file-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.indicator.file.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.organizational_unit': { + dashed_name: 'threat-indicator-file-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 
'www.example.com', + flat_name: 'threat.indicator.file.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.issuer.state_or_province': { + dashed_name: 'threat-indicator-file-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.file.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.file.x509.not_after': { + dashed_name: 'threat-indicator-file-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.indicator.file.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.indicator.file.x509.not_before': { + dashed_name: 'threat-indicator-file-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.indicator.file.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.indicator.file.x509.public_key_algorithm': { + dashed_name: 'threat-indicator-file-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.indicator.file.x509.public_key_algorithm', + ignore_above: 
1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.indicator.file.x509.public_key_curve': { + dashed_name: 'threat-indicator-file-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.indicator.file.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.indicator.file.x509.public_key_exponent': { + dashed_name: 'threat-indicator-file-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.indicator.file.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.indicator.file.x509.public_key_size': { + dashed_name: 'threat-indicator-file-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.indicator.file.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.indicator.file.x509.serial_number': { + dashed_name: 'threat-indicator-file-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.indicator.file.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.indicator.file.x509.signature_algorithm': { + dashed_name: 'threat-indicator-file-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.indicator.file.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.common_name': { + dashed_name: 'threat-indicator-file-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.indicator.file.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.country': { + dashed_name: 'threat-indicator-file-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.indicator.file.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.distinguished_name': { + 
dashed_name: 'threat-indicator-file-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.indicator.file.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.locality': { + dashed_name: 'threat-indicator-file-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'threat.indicator.file.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.organization': { + dashed_name: 'threat-indicator-file-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.indicator.file.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.organizational_unit': { + dashed_name: 'threat-indicator-file-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.indicator.file.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.indicator.file.x509.subject.state_or_province': { + 
dashed_name: 'threat-indicator-file-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.file.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.file.x509.version_number': { + dashed_name: 'threat-indicator-file-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.indicator.file.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'threat.indicator.first_seen': { + dashed_name: 'threat-indicator-first-seen', + description: + 'The date and time when intelligence source first reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.first_seen', + level: 'extended', + name: 'indicator.first_seen', + normalize: [], + short: 'Date/time indicator was first reported.', + type: 'date', + }, + 'threat.indicator.geo.city_name': { + dashed_name: 'threat-indicator-geo-city-name', + description: 'City name.', + example: 'Montreal', + flat_name: 'threat.indicator.geo.city_name', + ignore_above: 1024, + level: 'core', + name: 'city_name', + normalize: [], + original_fieldset: 'geo', + short: 'City name.', + type: 'keyword', + }, + 'threat.indicator.geo.continent_code': { + dashed_name: 'threat-indicator-geo-continent-code', + description: "Two-letter code representing continent's name.", + example: 'NA', + flat_name: 'threat.indicator.geo.continent_code', + ignore_above: 1024, + level: 'core', + name: 'continent_code', + normalize: [], + original_fieldset: 'geo', + short: 'Continent code.', + type: 'keyword', + }, + 
'threat.indicator.geo.continent_name': { + dashed_name: 'threat-indicator-geo-continent-name', + description: 'Name of the continent.', + example: 'North America', + flat_name: 'threat.indicator.geo.continent_name', + ignore_above: 1024, + level: 'core', + name: 'continent_name', + normalize: [], + original_fieldset: 'geo', + short: 'Name of the continent.', + type: 'keyword', + }, + 'threat.indicator.geo.country_iso_code': { + dashed_name: 'threat-indicator-geo-country-iso-code', + description: 'Country ISO code.', + example: 'CA', + flat_name: 'threat.indicator.geo.country_iso_code', + ignore_above: 1024, + level: 'core', + name: 'country_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Country ISO code.', + type: 'keyword', + }, + 'threat.indicator.geo.country_name': { + dashed_name: 'threat-indicator-geo-country-name', + description: 'Country name.', + example: 'Canada', + flat_name: 'threat.indicator.geo.country_name', + ignore_above: 1024, + level: 'core', + name: 'country_name', + normalize: [], + original_fieldset: 'geo', + short: 'Country name.', + type: 'keyword', + }, + 'threat.indicator.geo.location': { + dashed_name: 'threat-indicator-geo-location', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + flat_name: 'threat.indicator.geo.location', + level: 'core', + name: 'location', + normalize: [], + original_fieldset: 'geo', + short: 'Longitude and latitude.', + type: 'geo_point', + }, + 'threat.indicator.geo.name': { + dashed_name: 'threat-indicator-geo-name', + description: + 'User-defined description of a location, at the level of granularity they care about.\nCould be the name of their data centers, the floor number, if this describes a local physical entity, city names.\nNot typically used in automated geolocation.', + example: 'boston-dc', + flat_name: 'threat.indicator.geo.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'geo', + 
short: 'User-defined description of a location.', + type: 'keyword', + }, + 'threat.indicator.geo.postal_code': { + dashed_name: 'threat-indicator-geo-postal-code', + description: + 'Postal code associated with the location.\nValues appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.', + example: 94040, + flat_name: 'threat.indicator.geo.postal_code', + ignore_above: 1024, + level: 'core', + name: 'postal_code', + normalize: [], + original_fieldset: 'geo', + short: 'Postal code.', + type: 'keyword', + }, + 'threat.indicator.geo.region_iso_code': { + dashed_name: 'threat-indicator-geo-region-iso-code', + description: 'Region ISO code.', + example: 'CA-QC', + flat_name: 'threat.indicator.geo.region_iso_code', + ignore_above: 1024, + level: 'core', + name: 'region_iso_code', + normalize: [], + original_fieldset: 'geo', + short: 'Region ISO code.', + type: 'keyword', + }, + 'threat.indicator.geo.region_name': { + dashed_name: 'threat-indicator-geo-region-name', + description: 'Region name.', + example: 'Quebec', + flat_name: 'threat.indicator.geo.region_name', + ignore_above: 1024, + level: 'core', + name: 'region_name', + normalize: [], + original_fieldset: 'geo', + short: 'Region name.', + type: 'keyword', + }, + 'threat.indicator.geo.timezone': { + dashed_name: 'threat-indicator-geo-timezone', + description: 'The time zone of the location, such as IANA time zone name.', + example: 'America/Argentina/Buenos_Aires', + flat_name: 'threat.indicator.geo.timezone', + ignore_above: 1024, + level: 'core', + name: 'timezone', + normalize: [], + original_fieldset: 'geo', + short: 'Time zone.', + type: 'keyword', + }, + 'threat.indicator.ip': { + dashed_name: 'threat-indicator-ip', + description: 'Identifies a threat indicator as an IP address (irrespective of direction).', + example: '1.2.3.4', + flat_name: 'threat.indicator.ip', + level: 'extended', + name: 'indicator.ip', + normalize: [], + short: 'Indicator 
IP address', + type: 'ip', + }, + 'threat.indicator.last_seen': { + dashed_name: 'threat-indicator-last-seen', + description: + 'The date and time when intelligence source last reported sighting this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.last_seen', + level: 'extended', + name: 'indicator.last_seen', + normalize: [], + short: 'Date/time indicator was last reported.', + type: 'date', + }, + 'threat.indicator.marking.tlp': { + dashed_name: 'threat-indicator-marking-tlp', + description: 'Traffic Light Protocol sharing markings.', + example: 'CLEAR', + expected_values: ['WHITE', 'CLEAR', 'GREEN', 'AMBER', 'AMBER+STRICT', 'RED'], + flat_name: 'threat.indicator.marking.tlp', + ignore_above: 1024, + level: 'extended', + name: 'indicator.marking.tlp', + normalize: [], + short: 'Indicator TLP marking', + type: 'keyword', + }, + 'threat.indicator.modified_at': { + dashed_name: 'threat-indicator-modified-at', + description: + 'The date and time when intelligence source last modified information for this indicator.', + example: '2020-11-05T17:25:47.000Z', + flat_name: 'threat.indicator.modified_at', + level: 'extended', + name: 'indicator.modified_at', + normalize: [], + short: 'Date/time indicator was last updated.', + type: 'date', + }, + 'threat.indicator.port': { + dashed_name: 'threat-indicator-port', + description: 'Identifies a threat indicator as a port number (irrespective of direction).', + example: 443, + flat_name: 'threat.indicator.port', + level: 'extended', + name: 'indicator.port', + normalize: [], + short: 'Indicator port', + type: 'long', + }, + 'threat.indicator.provider': { + dashed_name: 'threat-indicator-provider', + description: "The name of the indicator's provider.", + example: 'lrz_urlhaus', + flat_name: 'threat.indicator.provider', + ignore_above: 1024, + level: 'extended', + name: 'indicator.provider', + normalize: [], + short: 'Indicator provider', + type: 'keyword', + }, + 'threat.indicator.reference': 
{ + dashed_name: 'threat-indicator-reference', + description: 'Reference URL linking to additional information about this indicator.', + example: 'https://system.example.com/indicator/0001234', + flat_name: 'threat.indicator.reference', + ignore_above: 1024, + level: 'extended', + name: 'indicator.reference', + normalize: [], + short: 'Indicator reference URL', + type: 'keyword', + }, + 'threat.indicator.registry.data.bytes': { + dashed_name: 'threat-indicator-registry-data-bytes', + description: + 'Original bytes written with base64 encoding.\nFor Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.', + example: 'ZQBuAC0AVQBTAAAAZQBuAAAAAAA=', + flat_name: 'threat.indicator.registry.data.bytes', + ignore_above: 1024, + level: 'extended', + name: 'data.bytes', + normalize: [], + original_fieldset: 'registry', + short: 'Original bytes written with base64 encoding.', + type: 'keyword', + }, + 'threat.indicator.registry.data.strings': { + dashed_name: 'threat-indicator-registry-data-strings', + description: + 'Content when writing string types.\nPopulated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + flat_name: 'threat.indicator.registry.data.strings', + level: 'core', + name: 'data.strings', + normalize: ['array'], + original_fieldset: 'registry', + short: 'List of strings representing what was written to the registry.', + type: 'wildcard', + }, + 'threat.indicator.registry.data.type': { + dashed_name: 'threat-indicator-registry-data-type', + description: 'Standard registry type for encoding contents', + example: 'REG_SZ', + flat_name: 'threat.indicator.registry.data.type', + ignore_above: 1024, + level: 'core', + name: 'data.type', + normalize: [], + original_fieldset: 'registry', + short: 'Standard registry type for encoding contents', + type: 'keyword', + }, + 'threat.indicator.registry.hive': { + dashed_name: 'threat-indicator-registry-hive', + description: 'Abbreviated name for the hive.', + example: 'HKLM', + flat_name: 'threat.indicator.registry.hive', + ignore_above: 1024, + level: 'core', + name: 'hive', + normalize: [], + original_fieldset: 'registry', + short: 'Abbreviated name for the hive.', + type: 'keyword', + }, + 'threat.indicator.registry.key': { + dashed_name: 'threat-indicator-registry-key', + description: 'Hive-relative path of keys.', + example: + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe', + flat_name: 'threat.indicator.registry.key', + ignore_above: 1024, + level: 'core', + name: 'key', + normalize: [], + original_fieldset: 'registry', + short: 'Hive-relative path of keys.', + type: 'keyword', + }, + 'threat.indicator.registry.path': { + dashed_name: 'threat-indicator-registry-path', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + flat_name: 'threat.indicator.registry.path', + 
ignore_above: 1024, + level: 'core', + name: 'path', + normalize: [], + original_fieldset: 'registry', + short: 'Full path, including hive, key and value', + type: 'keyword', + }, + 'threat.indicator.registry.value': { + dashed_name: 'threat-indicator-registry-value', + description: 'Name of the value written.', + example: 'Debugger', + flat_name: 'threat.indicator.registry.value', + ignore_above: 1024, + level: 'core', + name: 'value', + normalize: [], + original_fieldset: 'registry', + short: 'Name of the value written.', + type: 'keyword', + }, + 'threat.indicator.scanner_stats': { + dashed_name: 'threat-indicator-scanner-stats', + description: 'Count of AV/EDR vendors that successfully detected malicious file or URL.', + example: 4, + flat_name: 'threat.indicator.scanner_stats', + level: 'extended', + name: 'indicator.scanner_stats', + normalize: [], + short: 'Scanner statistics', + type: 'long', + }, + 'threat.indicator.sightings': { + dashed_name: 'threat-indicator-sightings', + description: 'Number of times this indicator was observed conducting threat activity.', + example: 20, + flat_name: 'threat.indicator.sightings', + level: 'extended', + name: 'indicator.sightings', + normalize: [], + short: 'Number of times indicator observed', + type: 'long', + }, + 'threat.indicator.type': { + dashed_name: 'threat-indicator-type', + description: 'Type of indicator as represented by Cyber Observable in STIX 2.0.', + example: 'ipv4-addr', + expected_values: [ + 'autonomous-system', + 'artifact', + 'directory', + 'domain-name', + 'email-addr', + 'file', + 'ipv4-addr', + 'ipv6-addr', + 'mac-addr', + 'mutex', + 'port', + 'process', + 'software', + 'url', + 'user-account', + 'windows-registry-key', + 'x509-certificate', + ], + flat_name: 'threat.indicator.type', + ignore_above: 1024, + level: 'extended', + name: 'indicator.type', + normalize: [], + short: 'Type of indicator', + type: 'keyword', + }, + 'threat.indicator.url.domain': { + dashed_name: 
'threat-indicator-url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'threat.indicator.url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'url', + short: 'Domain of the url.', + type: 'keyword', + }, + 'threat.indicator.url.extension': { + dashed_name: 'threat-indicator-url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'threat.indicator.url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + original_fieldset: 'url', + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'threat.indicator.url.fragment': { + dashed_name: 'threat-indicator-url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'threat.indicator.url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + original_fieldset: 'url', + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'threat.indicator.url.full': { + dashed_name: 'threat-indicator-url-full', + description: + 'If full URLs are important to your use case, they should be stored 
in `url.full`, whether this field is reconstructed or present in the event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'threat.indicator.url.full', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.url.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'url', + short: 'Full unparsed URL.', + type: 'wildcard', + }, + 'threat.indicator.url.original': { + dashed_name: 'threat-indicator-url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'threat.indicator.url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.indicator.url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + original_fieldset: 'url', + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'threat.indicator.url.password': { + dashed_name: 'threat-indicator-url-password', + description: 'Password of the request.', + flat_name: 'threat.indicator.url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + original_fieldset: 'url', + short: 'Password of the request.', + type: 'keyword', + }, + 'threat.indicator.url.path': { + dashed_name: 'threat-indicator-url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'threat.indicator.url.path', + level: 'extended', + name: 'path', + normalize: [], + original_fieldset: 'url', + short: 'Path of the request, such as "/search".', + type: 'wildcard', + }, + 'threat.indicator.url.port': { + 
dashed_name: 'threat-indicator-url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'threat.indicator.url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + original_fieldset: 'url', + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'threat.indicator.url.query': { + dashed_name: 'threat-indicator-url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.', + flat_name: 'threat.indicator.url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + original_fieldset: 'url', + short: 'Query string of the request.', + type: 'keyword', + }, + 'threat.indicator.url.registered_domain': { + dashed_name: 'threat-indicator-url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'threat.indicator.url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + original_fieldset: 'url', + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'threat.indicator.url.scheme': { + dashed_name: 'threat-indicator-url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'threat.indicator.url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + original_fieldset: 'url', + short: 'Scheme of the url.', + type: 'keyword', + }, + 'threat.indicator.url.subdomain': { + dashed_name: 'threat-indicator-url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'threat.indicator.url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + original_fieldset: 'url', + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'threat.indicator.url.top_level_domain': { + dashed_name: 'threat-indicator-url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'threat.indicator.url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + original_fieldset: 'url', + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'threat.indicator.url.username': { + dashed_name: 'threat-indicator-url-username', + description: 'Username of the request.', + flat_name: 'threat.indicator.url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + original_fieldset: 'url', + short: 'Username of the request.', + type: 'keyword', + }, + 'threat.indicator.x509.alternative_names': { + dashed_name: 'threat-indicator-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'threat.indicator.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.common_name': { + dashed_name: 'threat-indicator-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.country': { + dashed_name: 'threat-indicator-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'threat.indicator.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.distinguished_name': { + dashed_name: 'threat-indicator-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'threat.indicator.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.locality': { + dashed_name: 
'threat-indicator-x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'threat.indicator.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.organization': { + dashed_name: 'threat-indicator-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'threat.indicator.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.organizational_unit': { + dashed_name: 'threat-indicator-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'threat.indicator.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.issuer.state_or_province': { + dashed_name: 'threat-indicator-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.x509.not_after': { + dashed_name: 'threat-indicator-x509-not-after', + description: 'Time at which the 
certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'threat.indicator.x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'threat.indicator.x509.not_before': { + dashed_name: 'threat-indicator-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'threat.indicator.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'threat.indicator.x509.public_key_algorithm': { + dashed_name: 'threat-indicator-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'threat.indicator.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'threat.indicator.x509.public_key_curve': { + dashed_name: 'threat-indicator-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'threat.indicator.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'threat.indicator.x509.public_key_exponent': { + dashed_name: 'threat-indicator-x509-public-key-exponent', + description: 'Exponent used to derive the public key. 
This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'threat.indicator.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. This is algorithm specific.', + type: 'long', + }, + 'threat.indicator.x509.public_key_size': { + dashed_name: 'threat-indicator-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'threat.indicator.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'threat.indicator.x509.serial_number': { + dashed_name: 'threat-indicator-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'threat.indicator.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'threat.indicator.x509.signature_algorithm': { + dashed_name: 'threat-indicator-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'threat.indicator.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.common_name': { + dashed_name: 'threat-indicator-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'threat.indicator.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.country': { + dashed_name: 'threat-indicator-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'threat.indicator.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'threat.indicator.x509.subject.distinguished_name': { + dashed_name: 'threat-indicator-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'threat.indicator.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.locality': { + dashed_name: 'threat-indicator-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', 
+ flat_name: 'threat.indicator.x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'threat.indicator.x509.subject.organization': { + dashed_name: 'threat-indicator-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'threat.indicator.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.organizational_unit': { + dashed_name: 'threat-indicator-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'threat.indicator.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'threat.indicator.x509.subject.state_or_province': { + dashed_name: 'threat-indicator-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'threat.indicator.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'threat.indicator.x509.version_number': { + dashed_name: 'threat-indicator-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'threat.indicator.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version 
of x509 format.', + type: 'keyword', + }, + 'threat.software.alias': { + dashed_name: 'threat-software-alias', + description: + 'The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.\nWhile not required, you can use a MITRE ATT&CK® associated software description.', + example: '[ "X-Agent" ]', + flat_name: 'threat.software.alias', + ignore_above: 1024, + level: 'extended', + name: 'software.alias', + normalize: ['array'], + short: 'Alias of the software', + type: 'keyword', + }, + 'threat.software.id': { + dashed_name: 'threat-software-id', + description: + 'The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software id.', + example: 'S0552', + flat_name: 'threat.software.id', + ignore_above: 1024, + level: 'extended', + name: 'software.id', + normalize: [], + short: 'ID of the software', + type: 'keyword', + }, + 'threat.software.name': { + dashed_name: 'threat-software-name', + description: + 'The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software name.', + example: 'AdFind', + flat_name: 'threat.software.name', + ignore_above: 1024, + level: 'extended', + name: 'software.name', + normalize: [], + short: 'Name of the software.', + type: 'keyword', + }, + 'threat.software.platforms': { + dashed_name: 'threat-software-platforms', + description: + 'The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use MITRE ATT&CK® software platform values.', + example: '[ "Windows" ]', + expected_values: [ + 'AWS', + 'Azure', + 'Azure AD', + 'GCP', + 'Linux', + 'macOS', + 'Network', + 'Office 365', + 'SaaS', + 'Windows', + ], + flat_name: 'threat.software.platforms', + ignore_above: 1024, + level: 'extended', + name: 
'software.platforms', + normalize: ['array'], + short: 'Platforms of the software.', + type: 'keyword', + }, + 'threat.software.reference': { + dashed_name: 'threat-software-reference', + description: + 'The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software reference URL.', + example: 'https://attack.mitre.org/software/S0552/', + flat_name: 'threat.software.reference', + ignore_above: 1024, + level: 'extended', + name: 'software.reference', + normalize: [], + short: 'Software reference URL.', + type: 'keyword', + }, + 'threat.software.type': { + dashed_name: 'threat-software-type', + description: + 'The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software type.', + example: 'Tool', + expected_values: ['Malware', 'Tool'], + flat_name: 'threat.software.type', + ignore_above: 1024, + level: 'extended', + name: 'software.type', + normalize: [], + short: 'Software type.', + type: 'keyword', + }, + 'threat.tactic.id': { + dashed_name: 'threat-tactic-id', + description: + 'The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'TA0002', + flat_name: 'threat.tactic.id', + ignore_above: 1024, + level: 'extended', + name: 'tactic.id', + normalize: ['array'], + short: 'Threat tactic id.', + type: 'keyword', + }, + 'threat.tactic.name': { + dashed_name: 'threat-tactic-name', + description: + 'Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/)', + example: 'Execution', + flat_name: 'threat.tactic.name', + ignore_above: 1024, + level: 'extended', + name: 'tactic.name', + normalize: ['array'], + short: 'Threat tactic.', + type: 'keyword', + }, + 'threat.tactic.reference': { + dashed_name: 'threat-tactic-reference', + description: + 'The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'https://attack.mitre.org/tactics/TA0002/', + flat_name: 'threat.tactic.reference', + ignore_above: 1024, + level: 'extended', + name: 'tactic.reference', + normalize: ['array'], + short: 'Threat tactic URL reference.', + type: 'keyword', + }, + 'threat.technique.id': { + dashed_name: 'threat-technique-id', + description: + 'The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'T1059', + flat_name: 'threat.technique.id', + ignore_above: 1024, + level: 'extended', + name: 'technique.id', + normalize: ['array'], + short: 'Threat technique id.', + type: 'keyword', + }, + 'threat.technique.name': { + dashed_name: 'threat-technique-name', + description: + 'The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'Command and Scripting Interpreter', + flat_name: 'threat.technique.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.technique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'technique.name', + normalize: ['array'], + short: 'Threat technique name.', + type: 'keyword', + }, + 'threat.technique.reference': { + dashed_name: 'threat-technique-reference', + description: + 'The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/)', + example: 'https://attack.mitre.org/techniques/T1059/', + flat_name: 'threat.technique.reference', + ignore_above: 1024, + level: 'extended', + name: 'technique.reference', + normalize: ['array'], + short: 'Threat technique URL reference.', + type: 'keyword', + }, + 'threat.technique.subtechnique.id': { + dashed_name: 'threat-technique-subtechnique-id', + description: + 'The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'T1059.001', + flat_name: 'threat.technique.subtechnique.id', + ignore_above: 1024, + level: 'extended', + name: 'technique.subtechnique.id', + normalize: ['array'], + short: 'Threat subtechnique id.', + type: 'keyword', + }, + 'threat.technique.subtechnique.name': { + dashed_name: 'threat-technique-subtechnique-name', + description: + 'The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'PowerShell', + flat_name: 'threat.technique.subtechnique.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'threat.technique.subtechnique.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'technique.subtechnique.name', + normalize: ['array'], + short: 'Threat subtechnique name.', + type: 'keyword', + }, + 'threat.technique.subtechnique.reference': { + dashed_name: 'threat-technique-subtechnique-reference', + description: + 'The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/)', + example: 'https://attack.mitre.org/techniques/T1059/001/', + flat_name: 'threat.technique.subtechnique.reference', + ignore_above: 1024, + level: 'extended', + name: 'technique.subtechnique.reference', + normalize: ['array'], + short: 'Threat subtechnique URL reference.', + type: 'keyword', + }, + 'threat.threat.indicator.marking.tlp.version': { + dashed_name: 'threat-threat-indicator-marking-tlp-version', + description: 'Traffic Light Protocol version.', + example: 2, + flat_name: 'threat.threat.indicator.marking.tlp.version', + ignore_above: 1024, + level: 'extended', + name: 'threat.indicator.marking.tlp.version', + normalize: [], + short: 'Indicator TLP version', + type: 'keyword', + }, + }, + group: 2, + name: 'threat', + nestings: [ + 'threat.enrichments.indicator.as', + 'threat.enrichments.indicator.file', + 'threat.enrichments.indicator.geo', + 'threat.enrichments.indicator.registry', + 'threat.enrichments.indicator.url', + 'threat.enrichments.indicator.x509', + 'threat.indicator.as', + 'threat.indicator.file', + 'threat.indicator.geo', + 'threat.indicator.registry', + 'threat.indicator.url', + 'threat.indicator.x509', + ], + prefix: 'threat.', + reused_here: [ + { + full: 'threat.indicator.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'threat.enrichments.indicator.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'threat.indicator.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'threat.enrichments.indicator.as', + schema_name: 'as', + short: 'Fields describing an Autonomous System (Internet routing prefix).', + }, + { + full: 'threat.indicator.file', + schema_name: 'file', + short: 'Fields describing files.', + }, + { + full: 'threat.enrichments.indicator.file', + schema_name: 'file', + short: 'Fields describing 
files.', + }, + { + full: 'threat.indicator.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'threat.enrichments.indicator.geo', + schema_name: 'geo', + short: 'Fields describing a location.', + }, + { + full: 'threat.indicator.registry', + schema_name: 'registry', + short: 'Fields related to Windows Registry operations.', + }, + { + full: 'threat.enrichments.indicator.registry', + schema_name: 'registry', + short: 'Fields related to Windows Registry operations.', + }, + { + full: 'threat.indicator.url', + schema_name: 'url', + short: 'Fields that let you store URLs in various forms.', + }, + { + full: 'threat.enrichments.indicator.url', + schema_name: 'url', + short: 'Fields that let you store URLs in various forms.', + }, + ], + short: 'Fields to classify events and alerts according to a threat taxonomy.', + title: 'Threat', + type: 'group', + }, + tls: { + description: + 'Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files.', + fields: { + 'tls.cipher': { + dashed_name: 'tls-cipher', + description: 'String indicating the cipher used during the current connection.', + example: 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + flat_name: 'tls.cipher', + ignore_above: 1024, + level: 'extended', + name: 'cipher', + normalize: [], + short: 'String indicating the cipher used during the current connection.', + type: 'keyword', + }, + 'tls.client.certificate': { + dashed_name: 'tls-client-certificate', + description: + 'PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.', + example: 'MII...', + flat_name: 'tls.client.certificate', + ignore_above: 1024, + level: 'extended', + name: 'client.certificate', + normalize: [], + short: 'PEM-encoded stand-alone certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.certificate_chain': { + dashed_name: 'tls-client-certificate-chain', + description: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.', + example: '["MII...", "MII..."]', + flat_name: 'tls.client.certificate_chain', + ignore_above: 1024, + level: 'extended', + name: 'client.certificate_chain', + normalize: ['array'], + short: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.md5': { + dashed_name: 'tls-client-hash-md5', + description: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC', + flat_name: 'tls.client.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.md5', + normalize: [], + short: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.sha1': { + dashed_name: 'tls-client-hash-sha1', + description: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '9E393D93138888D288266C2D915214D1D1CCEB2A', + flat_name: 'tls.client.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.sha1', + normalize: [], + short: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.hash.sha256': { + dashed_name: 'tls-client-hash-sha256', + description: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0', + flat_name: 'tls.client.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'client.hash.sha256', + normalize: [], + short: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.', + type: 'keyword', + }, + 'tls.client.issuer': { + dashed_name: 'tls-client-issuer', + description: + 'Distinguished name of subject of the issuer of the x.509 certificate presented by the client.', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.client.issuer', + ignore_above: 1024, + level: 'extended', + name: 'client.issuer', + normalize: [], + short: + 'Distinguished name of subject of the issuer of the x.509 certificate presented by the client.', + type: 'keyword', + }, + 'tls.client.ja3': { + dashed_name: 'tls-client-ja3', + description: + 'A hash that identifies clients based on how they perform an SSL/TLS handshake.', + example: 'd4e5b18d6b55c71272893221c96ba240', + flat_name: 'tls.client.ja3', + ignore_above: 1024, + level: 'extended', + name: 'client.ja3', + normalize: [], + short: 'A hash that identifies clients based on how they perform an SSL/TLS handshake.', + type: 'keyword', + }, 
+ 'tls.client.not_after': { + dashed_name: 'tls-client-not-after', + description: 'Date/Time indicating when client certificate is no longer considered valid.', + example: '2021-01-01T00:00:00.000Z', + flat_name: 'tls.client.not_after', + level: 'extended', + name: 'client.not_after', + normalize: [], + short: 'Date/Time indicating when client certificate is no longer considered valid.', + type: 'date', + }, + 'tls.client.not_before': { + dashed_name: 'tls-client-not-before', + description: 'Date/Time indicating when client certificate is first considered valid.', + example: '1970-01-01T00:00:00.000Z', + flat_name: 'tls.client.not_before', + level: 'extended', + name: 'client.not_before', + normalize: [], + short: 'Date/Time indicating when client certificate is first considered valid.', + type: 'date', + }, + 'tls.client.server_name': { + dashed_name: 'tls-client-server-name', + description: + 'Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.', + example: 'www.elastic.co', + flat_name: 'tls.client.server_name', + ignore_above: 1024, + level: 'extended', + name: 'client.server_name', + normalize: [], + short: 'Hostname the client is trying to connect to. 
Also called the SNI.', + type: 'keyword', + }, + 'tls.client.subject': { + dashed_name: 'tls-client-subject', + description: + 'Distinguished name of subject of the x.509 certificate presented by the client.', + example: 'CN=myclient, OU=Documentation Team, DC=example, DC=com', + flat_name: 'tls.client.subject', + ignore_above: 1024, + level: 'extended', + name: 'client.subject', + normalize: [], + short: 'Distinguished name of subject of the x.509 certificate presented by the client.', + type: 'keyword', + }, + 'tls.client.supported_ciphers': { + dashed_name: 'tls-client-supported-ciphers', + description: 'Array of ciphers offered by the client during the client hello.', + example: + '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]', + flat_name: 'tls.client.supported_ciphers', + ignore_above: 1024, + level: 'extended', + name: 'client.supported_ciphers', + normalize: ['array'], + short: 'Array of ciphers offered by the client during the client hello.', + type: 'keyword', + }, + 'tls.client.x509.alternative_names': { + dashed_name: 'tls-client-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'tls.client.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'tls.client.x509.issuer.common_name': { + dashed_name: 'tls-client-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'tls.client.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.country': { + dashed_name: 'tls-client-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'tls.client.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'tls.client.x509.issuer.distinguished_name': { + dashed_name: 'tls-client-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'tls.client.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.locality': { + dashed_name: 'tls-client-x509-issuer-locality', + description: 'List of locality names (L)', 
+ example: 'Mountain View', + flat_name: 'tls.client.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.client.x509.issuer.organization': { + dashed_name: 'tls-client-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'tls.client.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.organizational_unit': { + dashed_name: 'tls-client-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'tls.client.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.issuer.state_or_province': { + dashed_name: 'tls-client-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.client.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.client.x509.not_after': { + dashed_name: 'tls-client-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'tls.client.x509.not_after', + level: 'extended', + name: 
'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'tls.client.x509.not_before': { + dashed_name: 'tls-client-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'tls.client.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'tls.client.x509.public_key_algorithm': { + dashed_name: 'tls-client-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'tls.client.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'tls.client.x509.public_key_curve': { + dashed_name: 'tls-client-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'tls.client.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'tls.client.x509.public_key_exponent': { + dashed_name: 'tls-client-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'tls.client.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'tls.client.x509.public_key_size': { + dashed_name: 'tls-client-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'tls.client.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'tls.client.x509.serial_number': { + dashed_name: 'tls-client-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'tls.client.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'tls.client.x509.signature_algorithm': { + dashed_name: 'tls-client-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'tls.client.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'tls.client.x509.subject.common_name': { + dashed_name: 'tls-client-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'tls.client.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.country': { + dashed_name: 'tls-client-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'tls.client.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'tls.client.x509.subject.distinguished_name': { + dashed_name: 'tls-client-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'tls.client.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'tls.client.x509.subject.locality': { + dashed_name: 'tls-client-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'tls.client.x509.subject.locality', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.client.x509.subject.organization': { + dashed_name: 'tls-client-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'tls.client.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.organizational_unit': { + dashed_name: 'tls-client-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'tls.client.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'tls.client.x509.subject.state_or_province': { + dashed_name: 'tls-client-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.client.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.client.x509.version_number': { + dashed_name: 'tls-client-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'tls.client.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'tls.curve': { + dashed_name: 'tls-curve', + description: 'String indicating the curve used for the given 
cipher, when applicable.', + example: 'secp256r1', + flat_name: 'tls.curve', + ignore_above: 1024, + level: 'extended', + name: 'curve', + normalize: [], + short: 'String indicating the curve used for the given cipher, when applicable.', + type: 'keyword', + }, + 'tls.established': { + dashed_name: 'tls-established', + description: + 'Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.', + flat_name: 'tls.established', + level: 'extended', + name: 'established', + normalize: [], + short: + 'Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.', + type: 'boolean', + }, + 'tls.next_protocol': { + dashed_name: 'tls-next-protocol', + description: + 'String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.', + example: 'http/1.1', + flat_name: 'tls.next_protocol', + ignore_above: 1024, + level: 'extended', + name: 'next_protocol', + normalize: [], + short: 'String indicating the protocol being tunneled.', + type: 'keyword', + }, + 'tls.resumed': { + dashed_name: 'tls-resumed', + description: + 'Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.', + flat_name: 'tls.resumed', + level: 'extended', + name: 'resumed', + normalize: [], + short: + 'Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.', + type: 'boolean', + }, + 'tls.server.certificate': { + dashed_name: 'tls-server-certificate', + description: + 'PEM-encoded stand-alone certificate offered by the server. 
This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.', + example: 'MII...', + flat_name: 'tls.server.certificate', + ignore_above: 1024, + level: 'extended', + name: 'server.certificate', + normalize: [], + short: 'PEM-encoded stand-alone certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.certificate_chain': { + dashed_name: 'tls-server-certificate-chain', + description: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.', + example: '["MII...", "MII..."]', + flat_name: 'tls.server.certificate_chain', + ignore_above: 1024, + level: 'extended', + name: 'server.certificate_chain', + normalize: ['array'], + short: + 'Array of PEM-encoded certificates that make up the certificate chain offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.md5': { + dashed_name: 'tls-server-hash-md5', + description: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC', + flat_name: 'tls.server.hash.md5', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.md5', + normalize: [], + short: + 'Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.sha1': { + dashed_name: 'tls-server-hash-sha1', + description: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '9E393D93138888D288266C2D915214D1D1CCEB2A', + flat_name: 'tls.server.hash.sha1', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.sha1', + normalize: [], + short: + 'Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.hash.sha256': { + dashed_name: 'tls-server-hash-sha256', + description: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.', + example: '0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0', + flat_name: 'tls.server.hash.sha256', + ignore_above: 1024, + level: 'extended', + name: 'server.hash.sha256', + normalize: [], + short: + 'Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.', + type: 'keyword', + }, + 'tls.server.issuer': { + dashed_name: 'tls-server-issuer', + description: 'Subject of the issuer of the x.509 certificate presented by the server.', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.server.issuer', + ignore_above: 1024, + level: 'extended', + name: 'server.issuer', + normalize: [], + short: 'Subject of the issuer of the x.509 certificate presented by the server.', + type: 'keyword', + }, + 'tls.server.ja3s': { + dashed_name: 'tls-server-ja3s', + description: + 'A hash that identifies servers based on how they perform an SSL/TLS handshake.', + example: '394441ab65754e2207b1e1b457b3641d', + flat_name: 'tls.server.ja3s', + ignore_above: 1024, + level: 'extended', + name: 'server.ja3s', + normalize: [], + short: 'A hash that identifies servers based on how they perform an SSL/TLS handshake.', + type: 'keyword', + }, + 'tls.server.not_after': { + dashed_name: 
'tls-server-not-after', + description: 'Timestamp indicating when server certificate is no longer considered valid.', + example: '2021-01-01T00:00:00.000Z', + flat_name: 'tls.server.not_after', + level: 'extended', + name: 'server.not_after', + normalize: [], + short: 'Timestamp indicating when server certificate is no longer considered valid.', + type: 'date', + }, + 'tls.server.not_before': { + dashed_name: 'tls-server-not-before', + description: 'Timestamp indicating when server certificate is first considered valid.', + example: '1970-01-01T00:00:00.000Z', + flat_name: 'tls.server.not_before', + level: 'extended', + name: 'server.not_before', + normalize: [], + short: 'Timestamp indicating when server certificate is first considered valid.', + type: 'date', + }, + 'tls.server.subject': { + dashed_name: 'tls-server-subject', + description: 'Subject of the x.509 certificate presented by the server.', + example: 'CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com', + flat_name: 'tls.server.subject', + ignore_above: 1024, + level: 'extended', + name: 'server.subject', + normalize: [], + short: 'Subject of the x.509 certificate presented by the server.', + type: 'keyword', + }, + 'tls.server.x509.alternative_names': { + dashed_name: 'tls-server-x509-alternative-names', + description: + 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'tls.server.x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'tls.server.x509.issuer.common_name': { + dashed_name: 'tls-server-x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'tls.server.x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.country': { + dashed_name: 'tls-server-x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'tls.server.x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'tls.server.x509.issuer.distinguished_name': { + dashed_name: 'tls-server-x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'tls.server.x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.locality': { + dashed_name: 'tls-server-x509-issuer-locality', + description: 'List of locality names (L)', 
+ example: 'Mountain View', + flat_name: 'tls.server.x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.server.x509.issuer.organization': { + dashed_name: 'tls-server-x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'tls.server.x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.organizational_unit': { + dashed_name: 'tls-server-x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'tls.server.x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.issuer.state_or_province': { + dashed_name: 'tls-server-x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.server.x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.server.x509.not_after': { + dashed_name: 'tls-server-x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'tls.server.x509.not_after', + level: 'extended', + name: 
'not_after', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is no longer considered valid.', + type: 'date', + }, + 'tls.server.x509.not_before': { + dashed_name: 'tls-server-x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'tls.server.x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + original_fieldset: 'x509', + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'tls.server.x509.public_key_algorithm': { + dashed_name: 'tls-server-x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'tls.server.x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'tls.server.x509.public_key_curve': { + dashed_name: 'tls-server-x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'tls.server.x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + original_fieldset: 'x509', + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'tls.server.x509.public_key_exponent': { + dashed_name: 'tls-server-x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'tls.server.x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + original_fieldset: 'x509', + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'tls.server.x509.public_key_size': { + dashed_name: 'tls-server-x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'tls.server.x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + original_fieldset: 'x509', + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'tls.server.x509.serial_number': { + dashed_name: 'tls-server-x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'tls.server.x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + original_fieldset: 'x509', + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'tls.server.x509.signature_algorithm': { + dashed_name: 'tls-server-x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'tls.server.x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + original_fieldset: 'x509', + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'tls.server.x509.subject.common_name': { + dashed_name: 'tls-server-x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'tls.server.x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.country': { + dashed_name: 'tls-server-x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'tls.server.x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'tls.server.x509.subject.distinguished_name': { + dashed_name: 'tls-server-x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'tls.server.x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + original_fieldset: 'x509', + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'tls.server.x509.subject.locality': { + dashed_name: 'tls-server-x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'tls.server.x509.subject.locality', + ignore_above: 1024, + 
level: 'extended', + name: 'subject.locality', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of locality names (L)', + type: 'keyword', + }, + 'tls.server.x509.subject.organization': { + dashed_name: 'tls-server-x509-subject-organization', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + flat_name: 'tls.server.x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.organizational_unit': { + dashed_name: 'tls-server-x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'tls.server.x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'tls.server.x509.subject.state_or_province': { + dashed_name: 'tls-server-x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'tls.server.x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + original_fieldset: 'x509', + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'tls.server.x509.version_number': { + dashed_name: 'tls-server-x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'tls.server.x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + original_fieldset: 'x509', + short: 'Version of x509 format.', + type: 'keyword', + }, + 'tls.version': { + dashed_name: 'tls-version', + description: 'Numeric part of the version parsed from the 
original string.', + example: '1.2', + flat_name: 'tls.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Numeric part of the version parsed from the original string.', + type: 'keyword', + }, + 'tls.version_protocol': { + dashed_name: 'tls-version-protocol', + description: 'Normalized lowercase protocol name parsed from original string.', + example: 'tls', + flat_name: 'tls.version_protocol', + ignore_above: 1024, + level: 'extended', + name: 'version_protocol', + normalize: [], + short: 'Normalized lowercase protocol name parsed from original string.', + type: 'keyword', + }, + }, + group: 2, + name: 'tls', + nestings: ['tls.client.x509', 'tls.server.x509'], + prefix: 'tls.', + reused_here: [ + { + full: 'tls.client.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + { + full: 'tls.server.x509', + schema_name: 'x509', + short: 'These fields contain x509 certificate metadata.', + }, + ], + short: 'Fields describing a TLS connection.', + title: 'TLS', + type: 'group', + }, + tracing: { + description: + 'Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.\nUnlike most field sets in ECS, the tracing fields are *not* nested under the field set name. 
In other words, the correct field name is `trace.id`, not `tracing.trace.id`, and so on.', + fields: { + 'span.id': { + dashed_name: 'span-id', + description: + 'Unique identifier of the span within the scope of its trace.\nA span represents an operation within a transaction, such as a request to another service, or a database query.', + example: '3ff9a8981b7ccd5a', + flat_name: 'span.id', + ignore_above: 1024, + level: 'extended', + name: 'span.id', + normalize: [], + short: 'Unique identifier of the span within the scope of its trace.', + type: 'keyword', + }, + 'trace.id': { + dashed_name: 'trace-id', + description: + 'Unique identifier of the trace.\nA trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.', + example: '4bf92f3577b34da6a3ce929d0e0e4736', + flat_name: 'trace.id', + ignore_above: 1024, + level: 'extended', + name: 'trace.id', + normalize: [], + short: 'Unique identifier of the trace.', + type: 'keyword', + }, + 'transaction.id': { + dashed_name: 'transaction-id', + description: + 'Unique identifier of the transaction within the scope of its trace.\nA transaction is the highest level of work measured within a service, such as a request to a server.', + example: '00f067aa0ba902b7', + flat_name: 'transaction.id', + ignore_above: 1024, + level: 'extended', + name: 'transaction.id', + normalize: [], + short: 'Unique identifier of the transaction within the scope of its trace.', + type: 'keyword', + }, + }, + group: 2, + name: 'tracing', + prefix: '', + root: true, + short: 'Fields related to distributed tracing.', + title: 'Tracing', + type: 'group', + }, + url: { + description: + 'URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.', + fields: { + 'url.domain': { + dashed_name: 'url-domain', + description: + 'Domain of the url, such as "www.elastic.co".\nIn some cases a URL may refer to an 
IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.\nIf the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', + example: 'www.elastic.co', + flat_name: 'url.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Domain of the url.', + type: 'keyword', + }, + 'url.extension': { + dashed_name: 'url-extension', + description: + 'The field contains the file extension from the original request url, excluding the leading dot.\nThe file extension is only set if it exists, as not every url has a file extension.\nThe leading period must not be included. For example, the value must be "png", not ".png".\nNote that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', + example: 'png', + flat_name: 'url.extension', + ignore_above: 1024, + level: 'extended', + name: 'extension', + normalize: [], + short: 'File extension from the request url, excluding the leading dot.', + type: 'keyword', + }, + 'url.fragment': { + dashed_name: 'url-fragment', + description: + 'Portion of the url after the `#`, such as "top".\nThe `#` is not part of the fragment.', + flat_name: 'url.fragment', + ignore_above: 1024, + level: 'extended', + name: 'fragment', + normalize: [], + short: 'Portion of the url after the `#`.', + type: 'keyword', + }, + 'url.full': { + dashed_name: 'url-full', + description: + 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top', + flat_name: 'url.full', + level: 'extended', + multi_fields: [{ flat_name: 'url.full.text', name: 'text', type: 'match_only_text' }], + name: 'full', + normalize: [], + short: 'Full unparsed URL.', + type: 
'wildcard', + }, + 'url.original': { + dashed_name: 'url-original', + description: + 'Unmodified original url as seen in the event source.\nNote that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.\nThis field is meant to represent the URL as it was observed, complete or not.', + example: 'https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch', + flat_name: 'url.original', + level: 'extended', + multi_fields: [ + { + flat_name: 'url.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + short: 'Unmodified original url as seen in the event source.', + type: 'wildcard', + }, + 'url.password': { + dashed_name: 'url-password', + description: 'Password of the request.', + flat_name: 'url.password', + ignore_above: 1024, + level: 'extended', + name: 'password', + normalize: [], + short: 'Password of the request.', + type: 'keyword', + }, + 'url.path': { + dashed_name: 'url-path', + description: 'Path of the request, such as "/search".', + flat_name: 'url.path', + level: 'extended', + name: 'path', + normalize: [], + short: 'Path of the request, such as "/search".', + type: 'wildcard', + }, + 'url.port': { + dashed_name: 'url-port', + description: 'Port of the request, such as 443.', + example: 443, + flat_name: 'url.port', + format: 'string', + level: 'extended', + name: 'port', + normalize: [], + short: 'Port of the request, such as 443.', + type: 'long', + }, + 'url.query': { + dashed_name: 'url-query', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch".\nThe `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases.', + flat_name: 'url.query', + ignore_above: 1024, + level: 'extended', + name: 'query', + normalize: [], + short: 'Query string of the request.', + type: 'keyword', + }, + 'url.registered_domain': { + dashed_name: 'url-registered-domain', + description: + 'The highest registered url domain, stripped of the subdomain.\nFor example, the registered domain for "foo.example.com" is "example.com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', + flat_name: 'url.registered_domain', + ignore_above: 1024, + level: 'extended', + name: 'registered_domain', + normalize: [], + short: 'The highest registered url domain, stripped of the subdomain.', + type: 'keyword', + }, + 'url.scheme': { + dashed_name: 'url-scheme', + description: + 'Scheme of the request, such as "https".\nNote: The `:` is not part of the scheme.', + example: 'https', + flat_name: 'url.scheme', + ignore_above: 1024, + level: 'extended', + name: 'scheme', + normalize: [], + short: 'Scheme of the url.', + type: 'keyword', + }, + 'url.subdomain': { + dashed_name: 'url-subdomain', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.\nFor example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + flat_name: 'url.subdomain', + ignore_above: 1024, + level: 'extended', + name: 'subdomain', + normalize: [], + short: 'The subdomain of the domain.', + type: 'keyword', + }, + 'url.top_level_domain': { + dashed_name: 'url-top-level-domain', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".\nThis value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + example: 'co.uk', + flat_name: 'url.top_level_domain', + ignore_above: 1024, + level: 'extended', + name: 'top_level_domain', + normalize: [], + short: 'The effective top level domain (com, org, net, co.uk).', + type: 'keyword', + }, + 'url.username': { + dashed_name: 'url-username', + description: 'Username of the request.', + flat_name: 'url.username', + ignore_above: 1024, + level: 'extended', + name: 'username', + normalize: [], + short: 'Username of the request.', + type: 'keyword', + }, + }, + group: 2, + name: 'url', + prefix: 'url.', + reusable: { + expected: [ + { as: 'url', at: 'threat.indicator', full: 'threat.indicator.url' }, + { + as: 'url', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.url', + }, + ], + top_level: true, + }, + short: 'Fields that let you store URLs in various forms.', + title: 'URL', + type: 'group', + }, + user: { + description: + 'The user fields describe information about the user that is relevant to the event.\nFields can have one entry or multiple entries. 
If a user has more than one id, provide an array that includes all of them.', + fields: { + 'user.changes.domain': { + dashed_name: 'user-changes-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.changes.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.changes.email': { + dashed_name: 'user-changes-email', + description: 'User email address.', + flat_name: 'user.changes.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.changes.full_name': { + dashed_name: 'user-changes-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.changes.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.changes.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.changes.group.domain': { + dashed_name: 'user-changes-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.changes.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.changes.group.id': { + dashed_name: 'user-changes-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.changes.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 
'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.changes.group.name': { + dashed_name: 'user-changes-group-name', + description: 'Name of the group.', + flat_name: 'user.changes.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.changes.hash': { + dashed_name: 'user-changes-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.changes.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.changes.id': { + dashed_name: 'user-changes-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.changes.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.changes.name': { + dashed_name: 'user-changes-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.changes.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.changes.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.changes.roles': { + dashed_name: 'user-changes-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.changes.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + 
normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.domain': { + dashed_name: 'user-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.effective.domain': { + dashed_name: 'user-effective-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.effective.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.effective.email': { + dashed_name: 'user-effective-email', + description: 'User email address.', + flat_name: 'user.effective.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.effective.full_name': { + dashed_name: 'user-effective-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.effective.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.effective.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.effective.group.domain': { + dashed_name: 'user-effective-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.effective.group.domain', + ignore_above: 1024, + level: 
'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.effective.group.id': { + dashed_name: 'user-effective-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.effective.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.effective.group.name': { + dashed_name: 'user-effective-group-name', + description: 'Name of the group.', + flat_name: 'user.effective.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.effective.hash': { + dashed_name: 'user-effective-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.effective.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.effective.id': { + dashed_name: 'user-effective-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.effective.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.effective.name': { + dashed_name: 'user-effective-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.effective.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 
'user.effective.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.effective.roles': { + dashed_name: 'user-effective-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.effective.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.email': { + dashed_name: 'user-email', + description: 'User email address.', + flat_name: 'user.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + short: 'User email address.', + type: 'keyword', + }, + 'user.full_name': { + dashed_name: 'user-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.full_name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.group.domain': { + dashed_name: 'user-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.group.id': { + dashed_name: 'user-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for 
the group on the system/platform.', + type: 'keyword', + }, + 'user.group.name': { + dashed_name: 'user-group-name', + description: 'Name of the group.', + flat_name: 'user.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.hash': { + dashed_name: 'user-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.id': { + dashed_name: 'user-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.id', + ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.name': { + dashed_name: 'user-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.risk.calculated_level': { + dashed_name: 'user-risk-calculated-level', + description: + 'A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 'High', + flat_name: 'user.risk.calculated_level', + ignore_above: 1024, + level: 'extended', + name: 'calculated_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level calculated by an internal system as part of entity analytics and entity 
risk scoring.', + type: 'keyword', + }, + 'user.risk.calculated_score': { + dashed_name: 'user-risk-calculated-score', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + example: 880.73, + flat_name: 'user.risk.calculated_score', + level: 'extended', + name: 'calculated_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.', + type: 'float', + }, + 'user.risk.calculated_score_norm': { + dashed_name: 'user-risk-calculated-score-norm', + description: + 'A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.', + example: 88.73, + flat_name: 'user.risk.calculated_score_norm', + level: 'extended', + name: 'calculated_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an internal system.', + type: 'float', + }, + 'user.risk.static_level': { + dashed_name: 'user-risk-static-level', + description: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 'High', + flat_name: 'user.risk.static_level', + ignore_above: 1024, + level: 'extended', + name: 'static_level', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'keyword', + }, + 'user.risk.static_score': { + dashed_name: 'user-risk-static-score', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + example: 830, + flat_name: 'user.risk.static_score', + level: 'extended', + name: 'static_score', + normalize: [], + original_fieldset: 'risk', + short: + 'A risk 
classification score obtained from outside the system, such as from some external Threat Intelligence Platform.', + type: 'float', + }, + 'user.risk.static_score_norm': { + dashed_name: 'user-risk-static-score-norm', + description: + 'A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.', + example: 83, + flat_name: 'user.risk.static_score_norm', + level: 'extended', + name: 'static_score_norm', + normalize: [], + original_fieldset: 'risk', + short: 'A normalized risk score calculated by an external system.', + type: 'float', + }, + 'user.roles': { + dashed_name: 'user-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + 'user.target.domain': { + dashed_name: 'user-target-domain', + description: + 'Name of the directory the user is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.target.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'user', + short: 'Name of the directory the user is a member of.', + type: 'keyword', + }, + 'user.target.email': { + dashed_name: 'user-target-email', + description: 'User email address.', + flat_name: 'user.target.email', + ignore_above: 1024, + level: 'extended', + name: 'email', + normalize: [], + original_fieldset: 'user', + short: 'User email address.', + type: 'keyword', + }, + 'user.target.full_name': { + dashed_name: 'user-target-full-name', + description: "User's full name, if available.", + example: 'Albert Einstein', + flat_name: 'user.target.full_name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user.target.full_name.text', + 
name: 'text', + type: 'match_only_text', + }, + ], + name: 'full_name', + normalize: [], + original_fieldset: 'user', + short: "User's full name, if available.", + type: 'keyword', + }, + 'user.target.group.domain': { + dashed_name: 'user-target-group-domain', + description: + 'Name of the directory the group is a member of.\nFor example, an LDAP or Active Directory domain name.', + flat_name: 'user.target.group.domain', + ignore_above: 1024, + level: 'extended', + name: 'domain', + normalize: [], + original_fieldset: 'group', + short: 'Name of the directory the group is a member of.', + type: 'keyword', + }, + 'user.target.group.id': { + dashed_name: 'user-target-group-id', + description: 'Unique identifier for the group on the system/platform.', + flat_name: 'user.target.group.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + original_fieldset: 'group', + short: 'Unique identifier for the group on the system/platform.', + type: 'keyword', + }, + 'user.target.group.name': { + dashed_name: 'user-target-group-name', + description: 'Name of the group.', + flat_name: 'user.target.group.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + original_fieldset: 'group', + short: 'Name of the group.', + type: 'keyword', + }, + 'user.target.hash': { + dashed_name: 'user-target-hash', + description: + 'Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.', + flat_name: 'user.target.hash', + ignore_above: 1024, + level: 'extended', + name: 'hash', + normalize: [], + original_fieldset: 'user', + short: 'Unique user hash to correlate information for a user in anonymized form.', + type: 'keyword', + }, + 'user.target.id': { + dashed_name: 'user-target-id', + description: 'Unique identifier of the user.', + example: 'S-1-5-21-202424912787-2692429404-2351956786-1000', + flat_name: 'user.target.id', + 
ignore_above: 1024, + level: 'core', + name: 'id', + normalize: [], + original_fieldset: 'user', + short: 'Unique identifier of the user.', + type: 'keyword', + }, + 'user.target.name': { + dashed_name: 'user-target-name', + description: 'Short name or login of the user.', + example: 'a.einstein', + flat_name: 'user.target.name', + ignore_above: 1024, + level: 'core', + multi_fields: [ + { + flat_name: 'user.target.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'user', + short: 'Short name or login of the user.', + type: 'keyword', + }, + 'user.target.roles': { + dashed_name: 'user-target-roles', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + flat_name: 'user.target.roles', + ignore_above: 1024, + level: 'extended', + name: 'roles', + normalize: ['array'], + original_fieldset: 'user', + short: 'Array of user roles at the time of the event.', + type: 'keyword', + }, + }, + group: 2, + name: 'user', + nestings: ['user.changes', 'user.effective', 'user.group', 'user.risk', 'user.target'], + prefix: 'user.', + reusable: { + expected: [ + { as: 'user', at: 'client', full: 'client.user' }, + { as: 'user', at: 'destination', full: 'destination.user' }, + { as: 'user', at: 'server', full: 'server.user' }, + { as: 'user', at: 'source', full: 'source.user' }, + { + as: 'target', + at: 'user', + full: 'user.target', + short_override: 'Targeted user of action taken.', + }, + { + as: 'effective', + at: 'user', + full: 'user.effective', + short_override: 'User whose privileges were assumed.', + }, + { + as: 'changes', + at: 'user', + full: 'user.changes', + short_override: 'Captures changes made to a user.', + }, + { + as: 'user', + at: 'process', + full: 'process.user', + short_override: 'The effective user (euid).', + }, + { + as: 'saved_user', + at: 'process', + full: 'process.saved_user', + short_override: 'The saved user (suid).', + }, 
+ { + as: 'real_user', + at: 'process', + full: 'process.real_user', + short_override: 'The real user (ruid). Identifies the real owner of the process.', + }, + { + as: 'attested_user', + at: 'process', + beta: 'Reusing the `user` fields in this location is currently considered beta.', + full: 'process.attested_user', + short_override: + 'The externally attested user based on an external source such as the Kube API.', + }, + ], + top_level: true, + }, + reused_here: [ + { + full: 'user.group', + schema_name: 'group', + short: "User's group relevant to the event.", + }, + { + full: 'user.risk', + schema_name: 'risk', + short: 'Fields for describing risk score and level.', + }, + { + full: 'user.target', + schema_name: 'user', + short: 'Targeted user of action taken.', + }, + { + full: 'user.effective', + schema_name: 'user', + short: 'User whose privileges were assumed.', + }, + { + full: 'user.changes', + schema_name: 'user', + short: 'Captures changes made to a user.', + }, + ], + short: 'Fields to describe the user relevant to the event.', + title: 'User', + type: 'group', + }, + user_agent: { + description: + 'The user_agent fields normally come from a browser request.\nThey often show up in web service logs coming from the parsed user agent string.', + fields: { + 'user_agent.device.name': { + dashed_name: 'user-agent-device-name', + description: 'Name of the device.', + example: 'iPhone', + flat_name: 'user_agent.device.name', + ignore_above: 1024, + level: 'extended', + name: 'device.name', + normalize: [], + short: 'Name of the device.', + type: 'keyword', + }, + 'user_agent.name': { + dashed_name: 'user-agent-name', + description: 'Name of the user agent.', + example: 'Safari', + flat_name: 'user_agent.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Name of the user agent.', + type: 'keyword', + }, + 'user_agent.original': { + dashed_name: 'user-agent-original', + description: 'Unparsed user_agent string.', + 
example: + 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1', + flat_name: 'user_agent.original', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user_agent.original.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'original', + normalize: [], + short: 'Unparsed user_agent string.', + type: 'keyword', + }, + 'user_agent.os.family': { + dashed_name: 'user-agent-os-family', + description: 'OS family (such as redhat, debian, freebsd, windows).', + example: 'debian', + flat_name: 'user_agent.os.family', + ignore_above: 1024, + level: 'extended', + name: 'family', + normalize: [], + original_fieldset: 'os', + short: 'OS family (such as redhat, debian, freebsd, windows).', + type: 'keyword', + }, + 'user_agent.os.full': { + dashed_name: 'user-agent-os-full', + description: 'Operating system name, including the version or code name.', + example: 'Mac OS Mojave', + flat_name: 'user_agent.os.full', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'user_agent.os.full.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'full', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, including the version or code name.', + type: 'keyword', + }, + 'user_agent.os.kernel': { + dashed_name: 'user-agent-os-kernel', + description: 'Operating system kernel version as a raw string.', + example: '4.4.0-112-generic', + flat_name: 'user_agent.os.kernel', + ignore_above: 1024, + level: 'extended', + name: 'kernel', + normalize: [], + original_fieldset: 'os', + short: 'Operating system kernel version as a raw string.', + type: 'keyword', + }, + 'user_agent.os.name': { + dashed_name: 'user-agent-os-name', + description: 'Operating system name, without the version.', + example: 'Mac OS X', + flat_name: 'user_agent.os.name', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + 
flat_name: 'user_agent.os.name.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'name', + normalize: [], + original_fieldset: 'os', + short: 'Operating system name, without the version.', + type: 'keyword', + }, + 'user_agent.os.platform': { + dashed_name: 'user-agent-os-platform', + description: 'Operating system platform (such centos, ubuntu, windows).', + example: 'darwin', + flat_name: 'user_agent.os.platform', + ignore_above: 1024, + level: 'extended', + name: 'platform', + normalize: [], + original_fieldset: 'os', + short: 'Operating system platform (such centos, ubuntu, windows).', + type: 'keyword', + }, + 'user_agent.os.type': { + dashed_name: 'user-agent-os-type', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families.\nIf the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + expected_values: ['linux', 'macos', 'unix', 'windows', 'ios', 'android'], + flat_name: 'user_agent.os.type', + ignore_above: 1024, + level: 'extended', + name: 'type', + normalize: [], + original_fieldset: 'os', + short: 'Which commercial OS family (one of: linux, macos, unix, windows, ios or android).', + type: 'keyword', + }, + 'user_agent.os.version': { + dashed_name: 'user-agent-os-version', + description: 'Operating system version as a raw string.', + example: '10.14.1', + flat_name: 'user_agent.os.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + original_fieldset: 'os', + short: 'Operating system version as a raw string.', + type: 'keyword', + }, + 'user_agent.version': { + dashed_name: 'user-agent-version', + description: 'Version of the user agent.', + example: 12, + flat_name: 'user_agent.version', + ignore_above: 1024, + level: 'extended', + name: 'version', + normalize: [], + short: 'Version of the user 
agent.', + type: 'keyword', + }, + }, + group: 2, + name: 'user_agent', + nestings: ['user_agent.os'], + prefix: 'user_agent.', + reused_here: [ + { + full: 'user_agent.os', + schema_name: 'os', + short: 'OS fields contain information about the operating system.', + }, + ], + short: 'Fields to describe a browser user_agent string.', + title: 'User agent', + type: 'group', + }, + vlan: { + description: + 'The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection.\nNetwork.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.\nNetwork.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. 
Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging.\nObserver.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers.', + fields: { + 'vlan.id': { + dashed_name: 'vlan-id', + description: 'VLAN ID as reported by the observer.', + example: 10, + flat_name: 'vlan.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'VLAN ID as reported by the observer.', + type: 'keyword', + }, + 'vlan.name': { + dashed_name: 'vlan-name', + description: 'Optional VLAN name as reported by the observer.', + example: 'outside', + flat_name: 'vlan.name', + ignore_above: 1024, + level: 'extended', + name: 'name', + normalize: [], + short: 'Optional VLAN name as reported by the observer.', + type: 'keyword', + }, + }, + group: 2, + name: 'vlan', + prefix: 'vlan.', + reusable: { + expected: [ + { as: 'vlan', at: 'observer.ingress', full: 'observer.ingress.vlan' }, + { as: 'vlan', at: 'observer.egress', full: 'observer.egress.vlan' }, + { as: 'vlan', at: 'network', full: 'network.vlan' }, + { as: 'vlan', at: 'network.inner', full: 'network.inner.vlan' }, + ], + top_level: false, + }, + short: 'Fields to describe observed VLAN information.', + title: 'VLAN', + type: 'group', + }, + vulnerability: { + description: + 'The vulnerability fields describe information about a vulnerability that is relevant to an event.', + fields: { + 'vulnerability.category': { + dashed_name: 'vulnerability-category', + description: + 'The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories])\nThis field must be an array.', + example: '["Firewall"]', + flat_name: 'vulnerability.category', + ignore_above: 1024, + level: 'extended', + name: 'category', + normalize: ['array'], + short: 'Category of a vulnerability.', + type: 'keyword', + }, + 'vulnerability.classification': { + dashed_name: 'vulnerability-classification', + description: + 'The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/)', + example: 'CVSS', + flat_name: 'vulnerability.classification', + ignore_above: 1024, + level: 'extended', + name: 'classification', + normalize: [], + short: 'Classification of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.description': { + dashed_name: 'vulnerability-description', + description: + 'The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description])', + example: 'In macOS before 2.12.6, there is a vulnerability in the RPC...', + flat_name: 'vulnerability.description', + ignore_above: 1024, + level: 'extended', + multi_fields: [ + { + flat_name: 'vulnerability.description.text', + name: 'text', + type: 'match_only_text', + }, + ], + name: 'description', + normalize: [], + short: 'Description of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.enumeration': { + dashed_name: 'vulnerability-enumeration', + description: + 'The type of identifier used for this vulnerability. 
For example (https://cve.mitre.org/about/)', + example: 'CVE', + flat_name: 'vulnerability.enumeration', + ignore_above: 1024, + level: 'extended', + name: 'enumeration', + normalize: [], + short: 'Identifier of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.id': { + dashed_name: 'vulnerability-id', + description: + 'The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]', + example: 'CVE-2019-00001', + flat_name: 'vulnerability.id', + ignore_above: 1024, + level: 'extended', + name: 'id', + normalize: [], + short: 'ID of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.reference': { + dashed_name: 'vulnerability-reference', + description: + 'A resource that provides additional information, context, and mitigations for the identified vulnerability.', + example: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', + flat_name: 'vulnerability.reference', + ignore_above: 1024, + level: 'extended', + name: 'reference', + normalize: [], + short: 'Reference of the vulnerability.', + type: 'keyword', + }, + 'vulnerability.report_id': { + dashed_name: 'vulnerability-report-id', + description: 'The report or scan identification number.', + example: 20191018.0001, + flat_name: 'vulnerability.report_id', + ignore_above: 1024, + level: 'extended', + name: 'report_id', + normalize: [], + short: 'Scan identification number.', + type: 'keyword', + }, + 'vulnerability.scanner.vendor': { + dashed_name: 'vulnerability-scanner-vendor', + description: 'The name of the vulnerability scanner vendor.', + example: 'Tenable', + flat_name: 'vulnerability.scanner.vendor', + ignore_above: 1024, + level: 'extended', + name: 'scanner.vendor', + normalize: [], + short: 'Name of the scanner vendor.', + type: 'keyword', + }, + 'vulnerability.score.base': { + 
dashed_name: 'vulnerability-score-base', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nBase scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)', + example: 5.5, + flat_name: 'vulnerability.score.base', + level: 'extended', + name: 'score.base', + normalize: [], + short: 'Vulnerability Base score.', + type: 'float', + }, + 'vulnerability.score.environmental': { + dashed_name: 'vulnerability-score-environmental', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nEnvironmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)', + example: 5.5, + flat_name: 'vulnerability.score.environmental', + level: 'extended', + name: 'score.environmental', + normalize: [], + short: 'Vulnerability Environmental score.', + type: 'float', + }, + 'vulnerability.score.temporal': { + dashed_name: 'vulnerability-score-temporal', + description: + 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.\nTemporal scores cover an assessment for code maturity, remediation level, and confidence. 
For example (https://www.first.org/cvss/specification-document)', + flat_name: 'vulnerability.score.temporal', + level: 'extended', + name: 'score.temporal', + normalize: [], + short: 'Vulnerability Temporal score.', + type: 'float', + }, + 'vulnerability.score.version': { + dashed_name: 'vulnerability-score-version', + description: + 'The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.\nCVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)', + example: 2, + flat_name: 'vulnerability.score.version', + ignore_above: 1024, + level: 'extended', + name: 'score.version', + normalize: [], + short: 'CVSS version.', + type: 'keyword', + }, + 'vulnerability.severity': { + dashed_name: 'vulnerability-severity', + description: + 'The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)', + example: 'Critical', + flat_name: 'vulnerability.severity', + ignore_above: 1024, + level: 'extended', + name: 'severity', + normalize: [], + short: 'Severity of the vulnerability.', + type: 'keyword', + }, + }, + group: 2, + name: 'vulnerability', + prefix: 'vulnerability.', + short: 'Fields to describe the vulnerability relevant to an event.', + title: 'Vulnerability', + type: 'group', + }, + x509: { + description: + 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.\nWhen the certificate relates to a file, use the fields at `file.x509`. 
When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).\nEvents that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.', + fields: { + 'x509.alternative_names': { + dashed_name: 'x509-alternative-names', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + flat_name: 'x509.alternative_names', + ignore_above: 1024, + level: 'extended', + name: 'alternative_names', + normalize: ['array'], + short: 'List of subject alternative names (SAN).', + type: 'keyword', + }, + 'x509.issuer.common_name': { + dashed_name: 'x509-issuer-common-name', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + flat_name: 'x509.issuer.common_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.common_name', + normalize: ['array'], + short: 'List of common name (CN) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.country': { + dashed_name: 'x509-issuer-country', + description: 'List of country \\(C) codes', + example: 'US', + flat_name: 'x509.issuer.country', + ignore_above: 1024, + level: 'extended', + name: 'issuer.country', + normalize: ['array'], + short: 'List of country \\(C) codes', + type: 'keyword', + }, + 'x509.issuer.distinguished_name': { + dashed_name: 'x509-issuer-distinguished-name', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: + 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + flat_name: 'x509.issuer.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'issuer.distinguished_name', + normalize: [], + 
short: 'Distinguished name (DN) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.locality': { + dashed_name: 'x509-issuer-locality', + description: 'List of locality names (L)', + example: 'Mountain View', + flat_name: 'x509.issuer.locality', + ignore_above: 1024, + level: 'extended', + name: 'issuer.locality', + normalize: ['array'], + short: 'List of locality names (L)', + type: 'keyword', + }, + 'x509.issuer.organization': { + dashed_name: 'x509-issuer-organization', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + flat_name: 'x509.issuer.organization', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organization', + normalize: ['array'], + short: 'List of organizations (O) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.organizational_unit': { + dashed_name: 'x509-issuer-organizational-unit', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + flat_name: 'x509.issuer.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'issuer.organizational_unit', + normalize: ['array'], + short: 'List of organizational units (OU) of issuing certificate authority.', + type: 'keyword', + }, + 'x509.issuer.state_or_province': { + dashed_name: 'x509-issuer-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'x509.issuer.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'issuer.state_or_province', + normalize: ['array'], + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'x509.not_after': { + dashed_name: 'x509-not-after', + description: 'Time at which the certificate is no longer considered valid.', + example: '2020-07-16T03:15:39Z', + flat_name: 'x509.not_after', + level: 'extended', + name: 'not_after', + normalize: [], + short: 'Time at which the 
certificate is no longer considered valid.', + type: 'date', + }, + 'x509.not_before': { + dashed_name: 'x509-not-before', + description: 'Time at which the certificate is first considered valid.', + example: '2019-08-16T01:40:25Z', + flat_name: 'x509.not_before', + level: 'extended', + name: 'not_before', + normalize: [], + short: 'Time at which the certificate is first considered valid.', + type: 'date', + }, + 'x509.public_key_algorithm': { + dashed_name: 'x509-public-key-algorithm', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + flat_name: 'x509.public_key_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'public_key_algorithm', + normalize: [], + short: 'Algorithm used to generate the public key.', + type: 'keyword', + }, + 'x509.public_key_curve': { + dashed_name: 'x509-public-key-curve', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + flat_name: 'x509.public_key_curve', + ignore_above: 1024, + level: 'extended', + name: 'public_key_curve', + normalize: [], + short: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + type: 'keyword', + }, + 'x509.public_key_exponent': { + dashed_name: 'x509-public-key-exponent', + description: 'Exponent used to derive the public key. This is algorithm specific.', + doc_values: false, + example: 65537, + flat_name: 'x509.public_key_exponent', + index: false, + level: 'extended', + name: 'public_key_exponent', + normalize: [], + short: 'Exponent used to derive the public key. 
This is algorithm specific.', + type: 'long', + }, + 'x509.public_key_size': { + dashed_name: 'x509-public-key-size', + description: 'The size of the public key space in bits.', + example: 2048, + flat_name: 'x509.public_key_size', + level: 'extended', + name: 'public_key_size', + normalize: [], + short: 'The size of the public key space in bits.', + type: 'long', + }, + 'x509.serial_number': { + dashed_name: 'x509-serial-number', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + flat_name: 'x509.serial_number', + ignore_above: 1024, + level: 'extended', + name: 'serial_number', + normalize: [], + short: 'Unique serial number issued by the certificate authority.', + type: 'keyword', + }, + 'x509.signature_algorithm': { + dashed_name: 'x509-signature-algorithm', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + flat_name: 'x509.signature_algorithm', + ignore_above: 1024, + level: 'extended', + name: 'signature_algorithm', + normalize: [], + short: 'Identifier for certificate signature algorithm.', + type: 'keyword', + }, + 'x509.subject.common_name': { + dashed_name: 'x509-subject-common-name', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + flat_name: 'x509.subject.common_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.common_name', + normalize: ['array'], + short: 'List of common names (CN) of subject.', + type: 'keyword', + }, + 'x509.subject.country': { + dashed_name: 'x509-subject-country', + description: 'List of country \\(C) code', + example: 'US', + flat_name: 'x509.subject.country', + ignore_above: 1024, + level: 'extended', + name: 'subject.country', + normalize: ['array'], + short: 'List of country \\(C) code', + type: 'keyword', + }, + 'x509.subject.distinguished_name': { + dashed_name: 'x509-subject-distinguished-name', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: + 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + flat_name: 'x509.subject.distinguished_name', + ignore_above: 1024, + level: 'extended', + name: 'subject.distinguished_name', + normalize: [], + short: 'Distinguished name (DN) of the certificate subject entity.', + type: 'keyword', + }, + 'x509.subject.locality': { + dashed_name: 'x509-subject-locality', + description: 'List of locality names (L)', + example: 'San Francisco', + flat_name: 'x509.subject.locality', + ignore_above: 1024, + level: 'extended', + name: 'subject.locality', + normalize: ['array'], + short: 'List of locality names (L)', + type: 'keyword', + }, + 'x509.subject.organization': { + dashed_name: 'x509-subject-organization', + description: 'List of organizations (O) of 
subject.', + example: 'Example, Inc.', + flat_name: 'x509.subject.organization', + ignore_above: 1024, + level: 'extended', + name: 'subject.organization', + normalize: ['array'], + short: 'List of organizations (O) of subject.', + type: 'keyword', + }, + 'x509.subject.organizational_unit': { + dashed_name: 'x509-subject-organizational-unit', + description: 'List of organizational units (OU) of subject.', + flat_name: 'x509.subject.organizational_unit', + ignore_above: 1024, + level: 'extended', + name: 'subject.organizational_unit', + normalize: ['array'], + short: 'List of organizational units (OU) of subject.', + type: 'keyword', + }, + 'x509.subject.state_or_province': { + dashed_name: 'x509-subject-state-or-province', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + flat_name: 'x509.subject.state_or_province', + ignore_above: 1024, + level: 'extended', + name: 'subject.state_or_province', + normalize: ['array'], + short: 'List of state or province names (ST, S, or P)', + type: 'keyword', + }, + 'x509.version_number': { + dashed_name: 'x509-version-number', + description: 'Version of x509 format.', + example: 3, + flat_name: 'x509.version_number', + ignore_above: 1024, + level: 'extended', + name: 'version_number', + normalize: [], + short: 'Version of x509 format.', + type: 'keyword', + }, + }, + group: 2, + name: 'x509', + prefix: 'x509.', + reusable: { + expected: [ + { as: 'x509', at: 'file', full: 'file.x509' }, + { as: 'x509', at: 'threat.indicator', full: 'threat.indicator.x509' }, + { + as: 'x509', + at: 'threat.enrichments.indicator', + full: 'threat.enrichments.indicator.x509', + }, + { as: 'x509', at: 'tls.client', full: 'tls.client.x509' }, + { as: 'x509', at: 'tls.server', full: 'tls.server.x509' }, + ], + top_level: false, + }, + short: 'These fields contain x509 certificate metadata.', + title: 'x509 Certificate', + type: 'group', + }, +}; 
diff --git a/packages/kbn-ecs/generated/server.ts b/packages/kbn-ecs/generated/server.ts new file mode 100644 index 0000000000000..182eaca274a6d --- /dev/null +++ b/packages/kbn-ecs/generated/server.ts 
@@ -0,0 +1,186 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. + * For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. + * Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + */ +export interface EcsServer { + /** + * Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + * Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + */ + address?: string; + as?: { + /** + * Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + */ + number?: number; + organization?: { + /** + * Organization name. + */ + name?: string; + }; + }; + + /** + * Bytes sent from the server to the client. 
+ */ + bytes?: number; + /** + * The domain name of the server system. + * This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + */ + domain?: string; + geo?: { + /** + * City name. + */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. + * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. + */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; + }; + + /** + * IP address of the server (IPv4 or IPv6). + */ + ip?: string; + /** + * MAC address of the server. + * The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + */ + mac?: string; + nat?: { + /** + * Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + * Typically used with load balancers, firewalls, or routers. + */ + ip?: string; + /** + * Translated port of destination based NAT sessions (e.g. 
internet to private DMZ) + * Typically used with load balancers, firewalls, or routers. + */ + port?: number; + }; + + /** + * Packets sent from the server to the client. + */ + packets?: number; + /** + * Port of the server. + */ + port?: number; + /** + * The highest registered server domain, stripped of the subdomain. + * For example, the registered domain for "foo.example.com" is "example.com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + */ + registered_domain?: string; + /** + * The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + * For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + */ + subdomain?: string; + /** + * The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + */ + top_level_domain?: string; + user?: { + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * User email address. + */ + email?: string; + /** + * User's full name, if available. 
+ */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + }; +} diff --git a/packages/kbn-ecs/generated/service.ts b/packages/kbn-ecs/generated/service.ts new file mode 100644 index 0000000000000..b25c422473fe5 --- /dev/null +++ b/packages/kbn-ecs/generated/service.ts 
@@ -0,0 +1,224 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The service fields describe the service for or from which the data was collected. + * These fields help you find and correlate logs for a specific service and version. + */ +export interface EcsService { + /** + * Address where data about this service was collected from. + * This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + */ + address?: string; + /** + * Identifies the environment where the service is running. + * If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + */ + environment?: string; + /** + * Ephemeral identifier of this service (if one exists). + * This id normally changes across restarts, but `service.id` does not. + */ + ephemeral_id?: string; + /** + * Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + * This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + * Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + */ + id?: string; + /** + * Name of the service data is collected from. + * The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. 
+ * In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + */ + name?: string; + node?: { + /** + * Name of a service node. + * This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + * In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + */ + name?: string; + /** + * Deprecated for removal in next major version release. This field will be superseded by `node.roles`. + * Role of a service node. + * This allows for distinction between different running roles of the same service. + * In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + * In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. + * Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + */ + role?: string; + /** + * Roles of a service node. + * This allows for distinction between different running roles of the same service. + * In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both. + * In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both. + * Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + */ + roles?: string[]; + }; + + origin?: { + /** + * Address where data about this service was collected from. 
+ * This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + */ + address?: string; + /** + * Identifies the environment where the service is running. + * If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + */ + environment?: string; + /** + * Ephemeral identifier of this service (if one exists). + * This id normally changes across restarts, but `service.id` does not. + */ + ephemeral_id?: string; + /** + * Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + * This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + * Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + */ + id?: string; + /** + * Name of the service data is collected from. + * The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + * In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + */ + name?: string; + node?: { + /** + * Name of a service node. + * This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + * In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. 
In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + */ + name?: string; + /** + * Deprecated for removal in next major version release. This field will be superseded by `node.roles`. + * Role of a service node. + * This allows for distinction between different running roles of the same service. + * In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + * In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. + * Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + */ + role?: string; + /** + * Roles of a service node. + * This allows for distinction between different running roles of the same service. + * In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both. + * In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both. + * Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + */ + roles?: string[]; + }; + + /** + * Current state of the service. + */ + state?: string; + /** + * The type of the service data is collected from. + * The type can be used to group and correlate logs and metrics from one service type. + * Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + */ + type?: string; + /** + * Version of the service the data was collected from. + * This allows to look at a data set only for a specific version of a service. + */ + version?: string; + }; + + /** + * Current state of the service. + */ + state?: string; + target?: { + /** + * Address where data about this service was collected from. 
+ * This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + */ + address?: string; + /** + * Identifies the environment where the service is running. + * If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + */ + environment?: string; + /** + * Ephemeral identifier of this service (if one exists). + * This id normally changes across restarts, but `service.id` does not. + */ + ephemeral_id?: string; + /** + * Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + * This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + * Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + */ + id?: string; + /** + * Name of the service data is collected from. + * The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + * In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + */ + name?: string; + node?: { + /** + * Name of a service node. + * This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + * In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. 
In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + */ + name?: string; + /** + * Deprecated for removal in next major version release. This field will be superseded by `node.roles`. + * Role of a service node. + * This allows for distinction between different running roles of the same service. + * In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + * In the case of Elasticsearch, the `service.node.role` could be `master` or `data`. + * Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + */ + role?: string; + /** + * Roles of a service node. + * This allows for distinction between different running roles of the same service. + * In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` or both. + * In the case of Elasticsearch, the `service.node.role` could be `master` or `data` or both. + * Other services could use this to distinguish between a `web` and `worker` role running as part of the service. + */ + roles?: string[]; + }; + + /** + * Current state of the service. + */ + state?: string; + /** + * The type of the service data is collected from. + * The type can be used to group and correlate logs and metrics from one service type. + * Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + */ + type?: string; + /** + * Version of the service the data was collected from. + * This allows to look at a data set only for a specific version of a service. + */ + version?: string; + }; + + /** + * The type of the service data is collected from. + * The type can be used to group and correlate logs and metrics from one service type. 
+ * Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + */ + type?: string; + /** + * Version of the service the data was collected from. + * This allows to look at a data set only for a specific version of a service. + */ + version?: string; +} diff --git a/packages/kbn-ecs/generated/source.ts b/packages/kbn-ecs/generated/source.ts new file mode 100644 index 0000000000000..fbdb54009d999 --- /dev/null +++ b/packages/kbn-ecs/generated/source.ts 
@@ -0,0 +1,185 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. + * Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. + */ +export interface EcsSource { + /** + * Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + * Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + */ + address?: string; + as?: { + /** + * Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + */ + number?: number; + organization?: { + /** + * Organization name. + */ + name?: string; + }; + }; + + /** + * Bytes sent from the source to the destination. + */ + bytes?: number; + /** + * The domain name of the source system. + * This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + */ + domain?: string; + geo?: { + /** + * City name. 
+ */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. + * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. + */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; + }; + + /** + * IP address of the source (IPv4 or IPv6). + */ + ip?: string; + /** + * MAC address of the source. + * The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + */ + mac?: string; + nat?: { + /** + * Translated ip of source based NAT sessions (e.g. internal client to internet) + * Typically connections traversing load balancers, firewalls, or routers. + */ + ip?: string; + /** + * Translated port of source based NAT sessions. (e.g. internal client to internet) + * Typically used with load balancers, firewalls, or routers. + */ + port?: number; + }; + + /** + * Packets sent from the source to the destination. + */ + packets?: number; + /** + * Port of the source. 
+ */ + port?: number; + /** + * The highest registered source domain, stripped of the subdomain. + * For example, the registered domain for "foo.example.com" is "example.com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + */ + registered_domain?: string; + /** + * The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + * For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + */ + subdomain?: string; + /** + * The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + */ + top_level_domain?: string; + user?: { + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * User email address. + */ + email?: string; + /** + * User's full name, if available. + */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. 
+ */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + }; +} diff --git a/packages/kbn-ecs/generated/threat.ts b/packages/kbn-ecs/generated/threat.ts new file mode 100644 index 0000000000000..afa74f8fe3bfb --- /dev/null +++ b/packages/kbn-ecs/generated/threat.ts 
@@ -0,0 +1,891 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. + * These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). + */ +export interface EcsThreat { + /** + * A list of associated indicators objects enriching the event, and the context of that association/enrichment. + */ + enrichments?: Array>; + feed?: { + /** + * The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. + */ + dashboard_id?: string; + /** + * Description of the threat feed in a UI friendly format. + */ + description?: string; + /** + * The name of the threat feed in UI friendly format. + */ + name?: string; + /** + * Reference information for the threat feed in a UI friendly format. + */ + reference?: string; + }; + + /** + * Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + */ + framework?: string; + group?: { + /** + * The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. 
+ * While not required, you can use a MITRE ATT&CK® group alias(es). + */ + alias?: string[]; + /** + * The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. + * While not required, you can use a MITRE ATT&CK® group id. + */ + id?: string; + /** + * The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. + * While not required, you can use a MITRE ATT&CK® group name. + */ + name?: string; + /** + * The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. + * While not required, you can use a MITRE ATT&CK® group reference URL. + */ + reference?: string; + }; + + indicator?: { + as?: { + /** + * Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + */ + number?: number; + organization?: { + /** + * Organization name. + */ + name?: string; + }; + }; + + /** + * Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + */ + confidence?: string; + /** + * Describes the type of action conducted by the threat. + */ + description?: string; + email?: { + /** + * Identifies a threat indicator as an email address (irrespective of direction). + */ + address?: string; + }; + + file?: { + /** + * Last time the file was accessed. + * Note that not all filesystems keep track of access time. + */ + accessed?: string; + /** + * Array of file attributes. + * Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. 
+ */ + attributes?: string[]; + code_signature?: { + /** + * The hashing algorithm used to sign the process. + * This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + */ + digest_algorithm?: string; + /** + * Boolean to capture if a signature is present. + */ + exists?: boolean; + /** + * The identifier used to sign the process. + * This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + */ + signing_id?: string; + /** + * Additional information about the certificate status. + * This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + */ + status?: string; + /** + * Subject name of the code signer + */ + subject_name?: string; + /** + * The team identifier used to sign the process. + * This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + */ + team_id?: string; + /** + * Date and time when the code signature was generated and signed. + */ + timestamp?: string; + /** + * Stores the trust status of the certificate chain. + * Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + */ + trusted?: boolean; + /** + * Boolean to capture if the digital signature is verified against the binary content. + * Leave unpopulated if a certificate was unchecked. + */ + valid?: boolean; + }; + + /** + * File creation time. + * Note that not all filesystems store the creation time. + */ + created?: string; + /** + * Last time the file attributes or metadata changed. + * Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. 
+ */ + ctime?: string; + /** + * Device that is the source of the file. + */ + device?: string; + /** + * Directory where the file is located. It should include the drive letter, when appropriate. + */ + directory?: string; + /** + * Drive letter where the file is located. This field is only relevant on Windows. + * The value should be uppercase, and not include the colon. + */ + drive_letter?: string; + elf?: { + /** + * Machine architecture of the ELF file. + */ + architecture?: string; + /** + * Byte sequence of ELF file. + */ + byte_order?: string; + /** + * CPU type of the ELF file. + */ + cpu_type?: string; + /** + * Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + */ + creation_date?: string; + /** + * List of exported element names and types. + */ + exports?: Array>; + header?: { + /** + * Version of the ELF Application Binary Interface (ABI). + */ + abi_version?: string; + /** + * Header class of the ELF file. + */ + class?: string; + /** + * Data table of the ELF header. + */ + data?: string; + /** + * Header entrypoint of the ELF file. + */ + entrypoint?: number; + /** + * "0x1" for original ELF files. + */ + object_version?: string; + /** + * Application Binary Interface (ABI) of the Linux OS. + */ + os_abi?: string; + /** + * Header type of the ELF file. + */ + type?: string; + /** + * Version of the ELF header. + */ + version?: string; + }; + + /** + * List of imported element names and types. + */ + imports?: Array>; + /** + * An array containing an object for each section of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + */ + sections?: Array>; + /** + * An array containing an object for each segment of the ELF file. + * The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. 
+ */ + segments?: Array>; + /** + * List of shared libraries used by this ELF object. + */ + shared_libraries?: string[]; + /** + * telfhash symbol hash for ELF file. + */ + telfhash?: string; + }; + + /** + * File extension, excluding the leading dot. + * Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + */ + extension?: string; + /** + * A fork is additional data associated with a filesystem object. + * On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. + * On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + */ + fork_name?: string; + /** + * Primary group ID (GID) of the file. + */ + gid?: string; + /** + * Primary group name of the file. + */ + group?: string; + hash?: { + /** + * MD5 hash. + */ + md5?: string; + /** + * SHA1 hash. + */ + sha1?: string; + /** + * SHA256 hash. + */ + sha256?: string; + /** + * SHA384 hash. + */ + sha384?: string; + /** + * SHA512 hash. + */ + sha512?: string; + /** + * SSDEEP hash. + */ + ssdeep?: string; + /** + * TLSH hash. + */ + tlsh?: string; + }; + + /** + * Inode representing the file in the filesystem. + */ + inode?: string; + /** + * MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used. + */ + mime_type?: string; + /** + * Mode of the file in octal representation. + */ + mode?: string; + /** + * Last time the file content was modified. + */ + mtime?: string; + /** + * Name of the file including the extension, without the directory. + */ + name?: string; + /** + * File owner's username. + */ + owner?: string; + /** + * Full path to the file, including the file name. It should include the drive letter, when appropriate. + */ + path?: string; + pe?: { + /** + * CPU architecture target for the file. + */ + architecture?: string; + /** + * Internal company name of the file, provided at compile-time. + */ + company?: string; + /** + * Internal description of the file, provided at compile-time. + */ + description?: string; + /** + * Internal version of the file, provided at compile-time. + */ + file_version?: string; + /** + * A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + * Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + */ + imphash?: string; + /** + * Internal name of the file, provided at compile-time. + */ + original_file_name?: string; + /** + * A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. + * Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. + */ + pehash?: string; + /** + * Internal product name of the file, provided at compile-time. + */ + product?: string; + }; + + /** + * File size in bytes. + * Only relevant when `file.type` is "file". + */ + size?: number; + /** + * Target path for symlinks. 
+ */ + target_path?: string; + /** + * File type (file, dir, or symlink). + */ + type?: string; + /** + * The user ID (UID) or security identifier (SID) of the file owner. + */ + uid?: string; + x509?: { + /** + * List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + */ + alternative_names?: string[]; + issuer?: { + /** + * List of common name (CN) of issuing certificate authority. + */ + common_name?: string[]; + /** + * List of country \(C) codes + */ + country?: string[]; + /** + * Distinguished name (DN) of issuing certificate authority. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of issuing certificate authority. + */ + organization?: string[]; + /** + * List of organizational units (OU) of issuing certificate authority. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Time at which the certificate is no longer considered valid. + */ + not_after?: string; + /** + * Time at which the certificate is first considered valid. + */ + not_before?: string; + /** + * Algorithm used to generate the public key. + */ + public_key_algorithm?: string; + /** + * The curve used by the elliptic curve public key algorithm. This is algorithm specific. + */ + public_key_curve?: string; + /** + * Exponent used to derive the public key. This is algorithm specific. + */ + public_key_exponent?: number; + /** + * The size of the public key space in bits. + */ + public_key_size?: number; + /** + * Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + */ + serial_number?: string; + /** + * Identifier for certificate signature algorithm. 
We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + */ + signature_algorithm?: string; + subject?: { + /** + * List of common names (CN) of subject. + */ + common_name?: string[]; + /** + * List of country \(C) code + */ + country?: string[]; + /** + * Distinguished name (DN) of the certificate subject entity. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of subject. + */ + organization?: string[]; + /** + * List of organizational units (OU) of subject. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Version of x509 format. + */ + version_number?: string; + }; + }; + + /** + * The date and time when intelligence source first reported sighting this indicator. + */ + first_seen?: string; + geo?: { + /** + * City name. + */ + city_name?: string; + /** + * Two-letter code representing continent's name. + */ + continent_code?: string; + /** + * Name of the continent. + */ + continent_name?: string; + /** + * Country ISO code. + */ + country_iso_code?: string; + /** + * Country name. + */ + country_name?: string; + /** + * Longitude and latitude. + */ + location?: { lat: number; lon: number }; + /** + * User-defined description of a location, at the level of granularity they care about. + * Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + * Not typically used in automated geolocation. + */ + name?: string; + /** + * Postal code associated with the location. + * Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + */ + postal_code?: string; + /** + * Region ISO code. + */ + region_iso_code?: string; + /** + * Region name. 
+ */ + region_name?: string; + /** + * The time zone of the location, such as IANA time zone name. + */ + timezone?: string; + }; + + /** + * Identifies a threat indicator as an IP address (irrespective of direction). + */ + ip?: string; + /** + * The date and time when intelligence source last reported sighting this indicator. + */ + last_seen?: string; + marking?: { + /** + * Traffic Light Protocol sharing markings. + */ + tlp?: string; + }; + + /** + * The date and time when intelligence source last modified information for this indicator. + */ + modified_at?: string; + /** + * Identifies a threat indicator as a port number (irrespective of direction). + */ + port?: number; + /** + * The name of the indicator's provider. + */ + provider?: string; + /** + * Reference URL linking to additional information about this indicator. + */ + reference?: string; + registry?: { + data?: { + /** + * Original bytes written with base64 encoding. + * For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + */ + bytes?: string; + /** + * Content when writing string types. + * Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + */ + strings?: string[]; + /** + * Standard registry type for encoding contents + */ + type?: string; + }; + + /** + * Abbreviated name for the hive. + */ + hive?: string; + /** + * Hive-relative path of keys. + */ + key?: string; + /** + * Full path, including hive, key and value + */ + path?: string; + /** + * Name of the value written. 
+ */ + value?: string; + }; + + /** + * Count of AV/EDR vendors that successfully detected malicious file or URL. + */ + scanner_stats?: number; + /** + * Number of times this indicator was observed conducting threat activity. + */ + sightings?: number; + /** + * Type of indicator as represented by Cyber Observable in STIX 2.0. + */ + type?: string; + url?: { + /** + * Domain of the url, such as "www.elastic.co". + * In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + * If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + */ + domain?: string; + /** + * The field contains the file extension from the original request url, excluding the leading dot. + * The file extension is only set if it exists, as not every url has a file extension. + * The leading period must not be included. For example, the value must be "png", not ".png". + * Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + */ + extension?: string; + /** + * Portion of the url after the `#`, such as "top". + * The `#` is not part of the fragment. + */ + fragment?: string; + /** + * If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + */ + full?: string; + /** + * Unmodified original url as seen in the event source. + * Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + * This field is meant to represent the URL as it was observed, complete or not. + */ + original?: string; + /** + * Password of the request. + */ + password?: string; + /** + * Path of the request, such as "/search". + */ + path?: string; + /** + * Port of the request, such as 443. 
+ */ + port?: number; + /** + * The query field describes the query string of the request, such as "q=elasticsearch". + * The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + */ + query?: string; + /** + * The highest registered url domain, stripped of the subdomain. + * For example, the registered domain for "foo.example.com" is "example.com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + */ + registered_domain?: string; + /** + * Scheme of the request, such as "https". + * Note: The `:` is not part of the scheme. + */ + scheme?: string; + /** + * The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + * For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + */ + subdomain?: string; + /** + * The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + */ + top_level_domain?: string; + /** + * Username of the request. 
+ */ + username?: string; + }; + + x509?: { + /** + * List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + */ + alternative_names?: string[]; + issuer?: { + /** + * List of common name (CN) of issuing certificate authority. + */ + common_name?: string[]; + /** + * List of country \(C) codes + */ + country?: string[]; + /** + * Distinguished name (DN) of issuing certificate authority. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of issuing certificate authority. + */ + organization?: string[]; + /** + * List of organizational units (OU) of issuing certificate authority. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Time at which the certificate is no longer considered valid. + */ + not_after?: string; + /** + * Time at which the certificate is first considered valid. + */ + not_before?: string; + /** + * Algorithm used to generate the public key. + */ + public_key_algorithm?: string; + /** + * The curve used by the elliptic curve public key algorithm. This is algorithm specific. + */ + public_key_curve?: string; + /** + * Exponent used to derive the public key. This is algorithm specific. + */ + public_key_exponent?: number; + /** + * The size of the public key space in bits. + */ + public_key_size?: number; + /** + * Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + */ + serial_number?: string; + /** + * Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. 
+ */ + signature_algorithm?: string; + subject?: { + /** + * List of common names (CN) of subject. + */ + common_name?: string[]; + /** + * List of country \(C) code + */ + country?: string[]; + /** + * Distinguished name (DN) of the certificate subject entity. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of subject. + */ + organization?: string[]; + /** + * List of organizational units (OU) of subject. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Version of x509 format. + */ + version_number?: string; + }; + }; + + software?: { + /** + * The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. + * While not required, you can use a MITRE ATT&CK® associated software description. + */ + alias?: string[]; + /** + * The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + * While not required, you can use a MITRE ATT&CK® software id. + */ + id?: string; + /** + * The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + * While not required, you can use a MITRE ATT&CK® software name. + */ + name?: string; + /** + * The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + * While not required, you can use MITRE ATT&CK® software platform values. + */ + platforms?: string[]; + /** + * The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + * While not required, you can use a MITRE ATT&CK® software reference URL. + */ + reference?: string; + /** + * The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. 
+ * While not required, you can use a MITRE ATT&CK® software type. + */ + type?: string; + }; + + tactic?: { + /** + * The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + */ + id?: string[]; + /** + * Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + */ + name?: string[]; + /** + * The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + */ + reference?: string[]; + }; + + technique?: { + /** + * The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + */ + id?: string[]; + /** + * The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + */ + name?: string[]; + /** + * The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + */ + reference?: string[]; + subtechnique?: { + /** + * The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + */ + id?: string[]; + /** + * The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + */ + name?: string[]; + /** + * The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + */ + reference?: string[]; + }; + }; + + threat?: { + indicator?: { + marking?: { + tlp?: { + /** + * Traffic Light Protocol version. + */ + version?: string; + }; + }; + }; + }; +} 
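Review bot: The last member of `EcsThreat`, `threat?: { indicator?: { marking?: { tlp?: { version?: string } } } }`, nests a second `threat` key inside the interface, so the TLP version is typed at `threat.threat.indicator.marking.tlp.version` instead of beside the existing `indicator.marking.tlp?: string`. Because `tlp` is already declared as a string under `indicator.marking`, the version cannot sit beneath it without changing that type; a sibling such as `tlp_version?: string;` inside `indicator.marking` would keep the sharing marking and its version together. As written, code that reads the marking to decide how an indicator may be shared will not find the version where it looks for the marking. The file is under `generated/`, so the correction presumably belongs in the generator or its schema input rather than in this file.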
diff --git a/packages/kbn-ecs/generated/tls.ts b/packages/kbn-ecs/generated/tls.ts new file mode 100644 index 0000000000000..5ce5343a73ab6 --- /dev/null +++ b/packages/kbn-ecs/generated/tls.ts 
@@ -0,0 +1,349 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. + */ +export interface EcsTls { + /** + * String indicating the cipher used during the current connection. + */ + cipher?: string; + client?: { + /** + * PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + */ + certificate?: string; + /** + * Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + */ + certificate_chain?: string[]; + hash?: { + /** + * Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + */ + md5?: string; + /** + * Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + */ + sha1?: string; + /** + * Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + */ + sha256?: string; + }; + + /** + * Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+ */ + issuer?: string; + /** + * A hash that identifies clients based on how they perform an SSL/TLS handshake. + */ + ja3?: string; + /** + * Date/Time indicating when client certificate is no longer considered valid. + */ + not_after?: string; + /** + * Date/Time indicating when client certificate is first considered valid. + */ + not_before?: string; + /** + * Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + */ + server_name?: string; + /** + * Distinguished name of subject of the x.509 certificate presented by the client. + */ + subject?: string; + /** + * Array of ciphers offered by the client during the client hello. + */ + supported_ciphers?: string[]; + x509?: { + /** + * List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + */ + alternative_names?: string[]; + issuer?: { + /** + * List of common name (CN) of issuing certificate authority. + */ + common_name?: string[]; + /** + * List of country \(C) codes + */ + country?: string[]; + /** + * Distinguished name (DN) of issuing certificate authority. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of issuing certificate authority. + */ + organization?: string[]; + /** + * List of organizational units (OU) of issuing certificate authority. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Time at which the certificate is no longer considered valid. + */ + not_after?: string; + /** + * Time at which the certificate is first considered valid. + */ + not_before?: string; + /** + * Algorithm used to generate the public key. 
+ */ + public_key_algorithm?: string; + /** + * The curve used by the elliptic curve public key algorithm. This is algorithm specific. + */ + public_key_curve?: string; + /** + * Exponent used to derive the public key. This is algorithm specific. + */ + public_key_exponent?: number; + /** + * The size of the public key space in bits. + */ + public_key_size?: number; + /** + * Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + */ + serial_number?: string; + /** + * Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + */ + signature_algorithm?: string; + subject?: { + /** + * List of common names (CN) of subject. + */ + common_name?: string[]; + /** + * List of country \(C) code + */ + country?: string[]; + /** + * Distinguished name (DN) of the certificate subject entity. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of subject. + */ + organization?: string[]; + /** + * List of organizational units (OU) of subject. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Version of x509 format. + */ + version_number?: string; + }; + }; + + /** + * String indicating the curve used for the given cipher, when applicable. + */ + curve?: string; + /** + * Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + */ + established?: boolean; + /** + * String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. 
+ */ + next_protocol?: string; + /** + * Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + */ + resumed?: boolean; + server?: { + /** + * PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. + */ + certificate?: string; + /** + * Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + */ + certificate_chain?: string[]; + hash?: { + /** + * Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + */ + md5?: string; + /** + * Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + */ + sha1?: string; + /** + * Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + */ + sha256?: string; + }; + + /** + * Subject of the issuer of the x.509 certificate presented by the server. + */ + issuer?: string; + /** + * A hash that identifies servers based on how they perform an SSL/TLS handshake. + */ + ja3s?: string; + /** + * Timestamp indicating when server certificate is no longer considered valid. + */ + not_after?: string; + /** + * Timestamp indicating when server certificate is first considered valid. + */ + not_before?: string; + /** + * Subject of the x.509 certificate presented by the server. + */ + subject?: string; + x509?: { + /** + * List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + */ + alternative_names?: string[]; + issuer?: { + /** + * List of common name (CN) of issuing certificate authority. + */ + common_name?: string[]; + /** + * List of country \(C) codes + */ + country?: string[]; + /** + * Distinguished name (DN) of issuing certificate authority. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of issuing certificate authority. + */ + organization?: string[]; + /** + * List of organizational units (OU) of issuing certificate authority. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Time at which the certificate is no longer considered valid. + */ + not_after?: string; + /** + * Time at which the certificate is first considered valid. + */ + not_before?: string; + /** + * Algorithm used to generate the public key. + */ + public_key_algorithm?: string; + /** + * The curve used by the elliptic curve public key algorithm. This is algorithm specific. + */ + public_key_curve?: string; + /** + * Exponent used to derive the public key. This is algorithm specific. + */ + public_key_exponent?: number; + /** + * The size of the public key space in bits. + */ + public_key_size?: number; + /** + * Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + */ + serial_number?: string; + /** + * Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + */ + signature_algorithm?: string; + subject?: { + /** + * List of common names (CN) of subject. 
+ */ + common_name?: string[]; + /** + * List of country \(C) code + */ + country?: string[]; + /** + * Distinguished name (DN) of the certificate subject entity. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of subject. + */ + organization?: string[]; + /** + * List of organizational units (OU) of subject. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Version of x509 format. + */ + version_number?: string; + }; + }; + + /** + * Numeric part of the version parsed from the original string. + */ + version?: string; + /** + * Normalized lowercase protocol name parsed from original string. + */ + version_protocol?: string; +} diff --git a/packages/kbn-ecs/generated/tracing.ts b/packages/kbn-ecs/generated/tracing.ts new file mode 100644 index 0000000000000..f893979ea4a4c --- /dev/null +++ b/packages/kbn-ecs/generated/tracing.ts 
@@ -0,0 +1,37 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + * Unlike most field sets in ECS, the tracing fields are *not* nested under the field set name. In other words, the correct field name is `trace.id`, not `tracing.trace.id`, and so on. + */ +export interface EcsTracing { + span?: { + /** + * Unique identifier of the span within the scope of its trace. + * A span represents an operation within a transaction, such as a request to another service, or a database query. + */ + id?: string; + }; + + trace?: { + /** + * Unique identifier of the trace. + * A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + */ + id?: string; + }; + + transaction?: { + /** + * Unique identifier of the transaction within the scope of its trace. + * A transaction is the highest level of work measured within a service, such as a request to a server. + */ + id?: string; + }; +} diff --git a/packages/kbn-ecs/generated/url.ts b/packages/kbn-ecs/generated/url.ts new file mode 100644 index 0000000000000..ad64ff8b90fb0 --- /dev/null +++ b/packages/kbn-ecs/generated/url.ts 
@@ -0,0 +1,83 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + */ +export interface EcsUrl { + /** + * Domain of the url, such as "www.elastic.co". + * In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + * If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + */ + domain?: string; + /** + * The field contains the file extension from the original request url, excluding the leading dot. + * The file extension is only set if it exists, as not every url has a file extension. + * The leading period must not be included. For example, the value must be "png", not ".png". + * Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + */ + extension?: string; + /** + * Portion of the url after the `#`, such as "top". + * The `#` is not part of the fragment. + */ + fragment?: string; + /** + * If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + */ + full?: string; + /** + * Unmodified original url as seen in the event source. + * Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + * This field is meant to represent the URL as it was observed, complete or not. 
+ */ + original?: string; + /** + * Password of the request. + */ + password?: string; + /** + * Path of the request, such as "/search". + */ + path?: string; + /** + * Port of the request, such as 443. + */ + port?: number; + /** + * The query field describes the query string of the request, such as "q=elasticsearch". + * The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + */ + query?: string; + /** + * The highest registered url domain, stripped of the subdomain. + * For example, the registered domain for "foo.example.com" is "example.com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + */ + registered_domain?: string; + /** + * Scheme of the request, such as "https". + * Note: The `:` is not part of the scheme. + */ + scheme?: string; + /** + * The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + * For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + */ + subdomain?: string; + /** + * The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + * This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + */ + top_level_domain?: string; + /** + * Username of the request. + */ + username?: string; +} diff --git a/packages/kbn-ecs/generated/user.ts b/packages/kbn-ecs/generated/user.ts new file mode 100644 index 0000000000000..9f22ea7d7cc8d --- /dev/null +++ b/packages/kbn-ecs/generated/user.ts 
@@ -0,0 +1,233 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The user fields describe information about the user that is relevant to the event. + * Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + */ +export interface EcsUser { + changes?: { + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * User email address. + */ + email?: string; + /** + * User's full name, if available. + */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + }; + + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + effective?: { + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * User email address. 
+ */ + email?: string; + /** + * User's full name, if available. + */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + }; + + /** + * User email address. + */ + email?: string; + /** + * User's full name, if available. + */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + risk?: { + /** + * A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. + */ + calculated_level?: string; + /** + * A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+ */ + calculated_score?: number; + /** + * A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100. + */ + calculated_score_norm?: number; + /** + * A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. + */ + static_level?: string; + /** + * A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. + */ + static_score?: number; + /** + * A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100. + */ + static_score_norm?: number; + }; + + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + target?: { + /** + * Name of the directory the user is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * User email address. + */ + email?: string; + /** + * User's full name, if available. + */ + full_name?: string; + group?: { + /** + * Name of the directory the group is a member of. + * For example, an LDAP or Active Directory domain name. + */ + domain?: string; + /** + * Unique identifier for the group on the system/platform. + */ + id?: string; + /** + * Name of the group. + */ + name?: string; + }; + + /** + * Unique user hash to correlate information for a user in anonymized form. + * Useful if `user.id` or `user.name` contain confidential information and cannot be used. + */ + hash?: string; + /** + * Unique identifier of the user. + */ + id?: string; + /** + * Short name or login of the user. + */ + name?: string; + /** + * Array of user roles at the time of the event. + */ + roles?: string[]; + }; +} diff --git a/packages/kbn-ecs/generated/user_agent.ts b/packages/kbn-ecs/generated/user_agent.ts new file mode 100644 index 0000000000000..7ca483c745af0 --- /dev/null 
+++ b/packages/kbn-ecs/generated/user_agent.ts @@ -0,0 +1,65 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The user_agent fields normally come from a browser request. + * They often show up in web service logs coming from the parsed user agent string. + */ +export interface EcsUserAgent { + device?: { + /** + * Name of the device. + */ + name?: string; + }; + + /** + * Name of the user agent. + */ + name?: string; + /** + * Unparsed user_agent string. + */ + original?: string; + os?: { + /** + * OS family (such as redhat, debian, freebsd, windows). + */ + family?: string; + /** + * Operating system name, including the version or code name. + */ + full?: string; + /** + * Operating system kernel version as a raw string. + */ + kernel?: string; + /** + * Operating system name, without the version. + */ + name?: string; + /** + * Operating system platform (such centos, ubuntu, windows). + */ + platform?: string; + /** + * Use the `os.type` field to categorize the operating system into one of the broad commercial families. + * If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + */ + type?: string; + /** + * Operating system version as a raw string. + */ + version?: string; + }; + + /** + * Version of the user agent. + */ + version?: string; +} diff --git a/packages/kbn-ecs/generated/vlan.ts b/packages/kbn-ecs/generated/vlan.ts new file mode 100644 index 0000000000000..af461a711db05 --- /dev/null +++ b/packages/kbn-ecs/generated/vlan.ts 
@@ -0,0 +1,24 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. + * Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. + * Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. + * Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + */ +export interface EcsVlan { + /** + * VLAN ID as reported by the observer. + */ + id?: string; + /** + * Optional VLAN name as reported by the observer. + */ + name?: string; +} diff --git a/packages/kbn-ecs/generated/vulnerability.ts b/packages/kbn-ecs/generated/vulnerability.ts new file mode 100644 index 0000000000000..fb6fb6c79cef3 --- /dev/null +++ b/packages/kbn-ecs/generated/vulnerability.ts 
@@ -0,0 +1,76 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * The vulnerability fields describe information about a vulnerability that is relevant to an event. + */ +export interface EcsVulnerability { + /** + * The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + * This field must be an array. + */ + category?: string[]; + /** + * The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + */ + classification?: string; + /** + * The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + */ + description?: string; + /** + * The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + */ + enumeration?: string; + /** + * The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + */ + id?: string; + /** + * A resource that provides additional information, context, and mitigations for the identified vulnerability. + */ + reference?: string; + /** + * The report or scan identification number. 
+ */ + report_id?: string; + scanner?: { + /** + * The name of the vulnerability scanner vendor. + */ + vendor?: string; + }; + + score?: { + /** + * Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + * Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + */ + base?: number; + /** + * Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + * Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + */ + environmental?: number; + /** + * Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + * Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + */ + temporal?: number; + /** + * The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + * CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + */ + version?: string; + }; + + /** + * The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + */ + severity?: string; +} diff --git a/packages/kbn-ecs/generated/x509.ts b/packages/kbn-ecs/generated/x509.ts new file mode 100644 index 0000000000000..f4db637a110c1 --- /dev/null +++ b/packages/kbn-ecs/generated/x509.ts 
@@ -0,0 +1,117 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. + * When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). + * Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. + */ +export interface EcsX509 { + /** + * List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + */ + alternative_names?: string[]; + issuer?: { + /** + * List of common name (CN) of issuing certificate authority. + */ + common_name?: string[]; + /** + * List of country \(C) codes + */ + country?: string[]; + /** + * Distinguished name (DN) of issuing certificate authority. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of issuing certificate authority. + */ + organization?: string[]; + /** + * List of organizational units (OU) of issuing certificate authority. 
+ */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Time at which the certificate is no longer considered valid. + */ + not_after?: string; + /** + * Time at which the certificate is first considered valid. + */ + not_before?: string; + /** + * Algorithm used to generate the public key. + */ + public_key_algorithm?: string; + /** + * The curve used by the elliptic curve public key algorithm. This is algorithm specific. + */ + public_key_curve?: string; + /** + * Exponent used to derive the public key. This is algorithm specific. + */ + public_key_exponent?: number; + /** + * The size of the public key space in bits. + */ + public_key_size?: number; + /** + * Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + */ + serial_number?: string; + /** + * Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + */ + signature_algorithm?: string; + subject?: { + /** + * List of common names (CN) of subject. + */ + common_name?: string[]; + /** + * List of country \(C) code + */ + country?: string[]; + /** + * Distinguished name (DN) of the certificate subject entity. + */ + distinguished_name?: string; + /** + * List of locality names (L) + */ + locality?: string[]; + /** + * List of organizations (O) of subject. + */ + organization?: string[]; + /** + * List of organizational units (OU) of subject. + */ + organizational_unit?: string[]; + /** + * List of state or province names (ST, S, or P) + */ + state_or_province?: string[]; + }; + + /** + * Version of x509 format. + */ + version_number?: string; +} diff --git a/packages/kbn-ecs/index.ts b/packages/kbn-ecs/index.ts index 2ad902cd523c9..a25cdcc7ed297 100644 
--- a/packages/kbn-ecs/index.ts
+++ b/packages/kbn-ecs/index.ts
@@ -6,4 +6,4 @@
 * Side Public License, v 1.
 */
-export * from './src/ecs';
+export * from './generated';
diff --git a/packages/kbn-ecs/src/ecs/autonomous_system.ts b/packages/kbn-ecs/src/ecs/autonomous_system.ts
deleted file mode 100644
index ca9841bd4d7a7..0000000000000
--- a/packages/kbn-ecs/src/ecs/autonomous_system.ts
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-as.html
- *
- * @internal
- */
-export interface EcsAutonomousSystem {
- number?: number;
- organization?: { name: string };
-}
diff --git a/packages/kbn-ecs/src/ecs/base.ts b/packages/kbn-ecs/src/ecs/base.ts
deleted file mode 100644
index df633aa882c3a..0000000000000
--- a/packages/kbn-ecs/src/ecs/base.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-base.html
- *
- * @internal
- */
-export interface EcsBase {
- ['@timestamp']: string;
- labels?: Record;
- message?: string;
- tags?: string[];
-}
diff --git a/packages/kbn-ecs/src/ecs/client.ts b/packages/kbn-ecs/src/ecs/client.ts
deleted file mode 100644
index 5597ee8080060..0000000000000
--- a/packages/kbn-ecs/src/ecs/client.ts
+++ /dev/null
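Review bot: The barrel in packages/kbn-ecs/index.ts now re-exports only `./generated`, and nothing in this hunk shows that the names consumers imported from `./src/ecs` still resolve. The deleted `src/ecs/event.ts` declared `EcsEventCategory`, `EcsEventKind`, `EcsEventOutcome` and `EcsEventType` as `@public` literal unions, while the generated interfaces visible in this commit (`EcsVulnerability`, `EcsX509`) type their fields as plain `string`. If the generated event types follow the same pattern, code that builds audit or detection events would lose compile-time checking of values such as `event.kind` and `event.outcome`. I would state the contract above the export, for example `// Types are generated from the ECS schema and do not narrow allowed values; validate event.kind/category/outcome/type where events are built.`, or keep the narrowed unions in a hand-written module exported next to the generated one.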
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsAutonomousSystem } from './autonomous_system';
-import { EcsGeo } from './geo';
-import { EcsNestedUser } from './user';
-
-interface NestedFields {
- as?: EcsAutonomousSystem;
- geo?: EcsGeo;
- user?: EcsNestedUser;
-}
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-client.html
- *
- * @internal
- */
-export interface EcsClient extends NestedFields {
- address?: string;
- bytes?: number;
- domain?: string;
- ip?: string;
- mac?: string;
- nat?: { ip?: string; port?: number };
- packets?: number;
- port?: number;
- registered_domain?: string;
- subdomain?: string;
- top_level_domain?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/cloud.ts b/packages/kbn-ecs/src/ecs/cloud.ts
deleted file mode 100644
index 55f43a523cced..0000000000000
--- a/packages/kbn-ecs/src/ecs/cloud.ts
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-cloud.html
- *
- * @internal
- */
-export interface EcsCloud {
- account?: { id?: string; name?: string };
- availability_zone?: string;
- instance?: { id?: string; name?: string };
- machine?: { type: string };
- project?: { id?: string; name?: string };
- provider?: string;
- region?: string;
- service?: { name: string };
-}
diff --git a/packages/kbn-ecs/src/ecs/container.ts b/packages/kbn-ecs/src/ecs/container.ts
deleted file mode 100644
index 52997b9e0ec55..0000000000000
--- a/packages/kbn-ecs/src/ecs/container.ts
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-container.html
- *
- * @internal
- */
-export interface EcsContainer {
- cpu?: { usage?: number };
- disk?: Disk;
- id?: string;
- image?: Image;
- labels?: Record;
- memory?: { usage?: number };
- name?: string;
- network?: Network;
- runtime?: string;
-}
-
-interface Disk {
- read?: { bytes?: number };
- write?: { bytes?: number };
-}
-
-interface Image {
- hash?: { all: string[] };
- name?: string;
- tag?: string[];
-}
-
-interface Network {
- egress?: { bytes?: number };
- ingress?: { bytes?: number };
-}
diff --git a/packages/kbn-ecs/src/ecs/data_stream.ts b/packages/kbn-ecs/src/ecs/data_stream.ts
deleted file mode 100644
index 1f941e3ec5f9d..0000000000000
--- a/packages/kbn-ecs/src/ecs/data_stream.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-data_stream.html
- *
- * @internal
- */
-export interface EcsDataStream {
- dataset?: string;
- namespace?: string;
- type?: 'logs' | 'metrics';
-}
diff --git a/packages/kbn-ecs/src/ecs/destination.ts b/packages/kbn-ecs/src/ecs/destination.ts
deleted file mode 100644
index 7c2facd3dc2f9..0000000000000
--- a/packages/kbn-ecs/src/ecs/destination.ts
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsAutonomousSystem } from './autonomous_system';
-import { EcsGeo } from './geo';
-import { EcsNestedUser } from './user';
-
-interface NestedFields {
- as?: EcsAutonomousSystem;
- geo?: EcsGeo;
- user?: EcsNestedUser;
-}
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-destination.html
- *
- * @internal
- */
-export interface EcsDestination extends NestedFields {
- address?: string;
- bytes?: number;
- domain?: string;
- ip?: string;
- mac?: string;
- nat?: { ip?: string; port?: number };
- packets?: number;
- port?: number;
- registered_domain?: string;
- subdomain?: string;
- top_level_domain?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/dll.ts b/packages/kbn-ecs/src/ecs/dll.ts
deleted file mode 100644
index 863afda6453ee..0000000000000
--- a/packages/kbn-ecs/src/ecs/dll.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsCodeSignature } from './code_signature';
-import { EcsHash } from './hash';
-
-interface NestedFields {
- code_signature?: EcsCodeSignature;
- hash?: EcsHash;
-}
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-dll.html
- *
- * @internal
- */
-export interface EcsDll extends NestedFields {
- name?: string;
- path?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/dns.ts b/packages/kbn-ecs/src/ecs/dns.ts
deleted file mode 100644
index efca3750127d0..0000000000000
--- a/packages/kbn-ecs/src/ecs/dns.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-dns.html
- *
- * @internal
- */
-export interface EcsDns {
- answers?: Answer[];
- header_flags?: HeaderFlags[];
- id?: number;
- op_code?: string;
- question?: Question;
- resolved_ip?: string[];
- response_code?: string;
- type?: string;
-}
-
-type HeaderFlags = 'AA' | 'TC' | 'RD' | 'RA' | 'AD' | 'CD' | 'DO';
-
-interface Answer {
- data: string;
- class?: string;
- name?: string;
- ttl?: number;
- type?: string;
-}
-
-interface Question {
- class?: string;
- name?: string;
- registered_domain?: string;
- subdomain?: string;
- top_level_domain?: string;
- type?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/elf.ts b/packages/kbn-ecs/src/ecs/elf.ts
deleted file mode 100644
index 6b2588c63ffaa..0000000000000
--- a/packages/kbn-ecs/src/ecs/elf.ts
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-elf.html
- *
- * @internal
- */
-export interface EcsElf {
- architecture?: string;
- byte_order?: string;
- cpu_type?: string;
- creation_date?: string;
- exports?: Export[];
- imports?: Import[];
- header?: Header;
- sections?: Section[];
- segments?: Segment[];
- shared_libraries?: string[];
- telfhash?: string;
-}
-
-interface Export {
- binding?: string;
- name?: string;
- section?: string;
- size?: string;
- type?: string;
- version?: string;
- visibility?: string;
-}
-
-interface Import {
- library?: string;
- name?: string;
- type?: string;
- version?: string;
-}
-
-interface Header {
- abi_version?: string;
- class?: string;
- data?: string;
- entrypoint?: number;
- object_version?: string;
- os_abi?: string;
- type?: string;
- version?: string;
-}
-
-interface Section {
- chi2?: number;
- entropy?: number;
- flags?: string;
- name?: string;
- physical_offset?: string;
- physical_size?: number;
- type?: string;
- virtual_address?: number;
- virtual_size?: number;
-}
-
-interface Segment {
- sections?: string;
- type?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/email.ts b/packages/kbn-ecs/src/ecs/email.ts
deleted file mode 100644
index fcc3295fd71b5..0000000000000
--- a/packages/kbn-ecs/src/ecs/email.ts
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsFile } from './file';
-import { EcsHash } from './hash';
-
-interface NestedFields {
- // Not all hash types are explicitly supported, see
- // https://github.com/elastic/ecs/pull/1569
- hash?: Pick;
-}
-
-interface AttachmentNestedFields {
- file?: Pick;
-}
-
-/**
- * No docs yet, see https://github.com/elastic/ecs/pull/1569
- *
- * @internal
- */
-export interface EcsEmail extends NestedFields {
- attachments?: Attachment[];
- bcc?: string[];
- cc?: string[];
- content_type?: string;
- delivery_timestamp?: string;
- direction?: string;
- from?: string;
- local_id?: string;
- message_id?: string;
- origination_timestamp?: string;
- reply_to?: string;
- subject?: string;
- 'subject.text'?: string;
- to?: string[];
- x_mailer?: string;
-}
-
-// eslint-disable-next-line @typescript-eslint/no-empty-interface
-interface Attachment extends AttachmentNestedFields {
- // intentionally empty
-}
diff --git a/packages/kbn-ecs/src/ecs/event.ts b/packages/kbn-ecs/src/ecs/event.ts
deleted file mode 100644
index 212a04526c709..0000000000000
--- a/packages/kbn-ecs/src/ecs/event.ts
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-event.html
- *
- * @internal
- */
-export interface EcsEvent {
- action?: string;
- agent_id_status?: 'verified' | 'mismatch' | 'missing' | 'auth_metadata_missing';
- category?: EcsEventCategory[];
- code?: string;
- created?: string;
- dataset?: string;
- duration?: number;
- end?: string;
- hash?: string;
- id?: string;
- ingested?: string;
- kind?: EcsEventKind;
- module?: string;
- original?: string;
- outcome?: EcsEventOutcome;
- provider?: string;
- reason?: string;
- reference?: string;
- risk_score?: number;
- risk_score_norm?: number;
- sequence?: number;
- severity?: number;
- start?: string;
- timezone?: string;
- type?: EcsEventType[];
- url?: string;
-}
-
-/**
- * @public
- */
-export type EcsEventCategory =
- | 'authentication'
- | 'configuration'
- | 'database'
- | 'driver'
- | 'email'
- | 'file'
- | 'host'
- | 'iam'
- | 'intrusion_detection'
- | 'malware'
- | 'network'
- | 'package'
- | 'process'
- | 'registry'
- | 'session'
- | 'web';
-
-/**
- * @public
- */
-export type EcsEventKind = 'alert' | 'event' | 'metric' | 'state' | 'pipeline_error' | 'signal';
-
-/**
- * @public
- */
-export type EcsEventOutcome = 'failure' | 'success' | 'unknown';
-
-/**
- * @public
- */
-export type EcsEventType =
- | 'access'
- | 'admin'
- | 'allowed'
- | 'change'
- | 'connection'
- | 'creation'
- | 'deletion'
- | 'denied'
- | 'end'
- | 'error'
- | 'group'
- | 'info'
- | 'installation'
- | 'protocol'
- | 'start'
- | 'user';
diff --git a/packages/kbn-ecs/src/ecs/faas.ts b/packages/kbn-ecs/src/ecs/faas.ts
deleted file mode 100644
index 0fd4048955d3c..0000000000000
--- a/packages/kbn-ecs/src/ecs/faas.ts
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-faas.html
- *
- * @internal
- */
-export interface EcsFaas {
- coldstart?: boolean;
- execution?: string;
- id?: string;
- name?: string;
- trigger?: Trigger;
- version?: string;
-}
-
-interface Trigger {
- request_id?: string;
- type?: 'http' | 'pubsub' | 'datasource' | 'timer' | 'other';
-}
diff --git a/packages/kbn-ecs/src/ecs/file.ts b/packages/kbn-ecs/src/ecs/file.ts
deleted file mode 100644
index 09a7d33f0105d..0000000000000
--- a/packages/kbn-ecs/src/ecs/file.ts
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsCodeSignature } from './code_signature';
-import { EcsElf } from './elf';
-import { EcsHash } from './hash';
-import { EcsX509 } from './x509';
-
-interface NestedFields {
- code_signature?: EcsCodeSignature;
- elf?: EcsElf;
- hash?: EcsHash;
- x509?: EcsX509;
-}
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-file.html
- *
- * @internal
- */
-export interface EcsFile extends NestedFields {
- accessed?: string;
- attributes?: string[];
- created?: string;
- ctime?: string;
- device?: string;
- directory?: string;
- drive_letter?: string;
- extension?: string;
- fork_name?: string;
- gid?: string;
- group?: string;
- inode?: string;
- // Technically this is a known list, but it's massive, so we'll just accept a string for now :)
- // https://www.iana.org/assignments/media-types/media-types.xhtml
- mime_type?: string;
- mode?: string;
- mtime?: string;
- name?: string;
- owner?: string;
- path?: string;
- 'path.text'?: string;
- size?: number;
- target_path?: string;
- 'target_path.text'?: string;
- type?: string;
- uid?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/geo.ts b/packages/kbn-ecs/src/ecs/geo.ts
deleted file mode 100644
index 3189e1a5557e3..0000000000000
--- a/packages/kbn-ecs/src/ecs/geo.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-geo.html
- *
- * @internal
- */
-export interface EcsGeo {
- city_name?: string;
- continent_code?: string;
- continent_name?: string;
- country_iso_code?: string;
- country_name?: string;
- location?: GeoPoint;
- name?: string;
- postal_code?: string;
- region_iso_code?: string;
- region_name?: string;
- timezone?: string;
-}
-
-interface GeoPoint {
- lat: number;
- lon: number;
-}
diff --git a/packages/kbn-ecs/src/ecs/hash.ts b/packages/kbn-ecs/src/ecs/hash.ts
deleted file mode 100644
index 84b0216765b00..0000000000000
--- a/packages/kbn-ecs/src/ecs/hash.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-hash.html
- *
- * @internal
- */
-export interface EcsHash {
- md5?: string;
- sha1?: string;
- sha256?: string;
- sha384?: string;
- sha512?: string;
- ssdeep?: string;
- tlsh?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/host.ts b/packages/kbn-ecs/src/ecs/host.ts
deleted file mode 100644
index a500367ced841..0000000000000
--- a/packages/kbn-ecs/src/ecs/host.ts
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsGeo } from './geo';
-import { EcsOs } from './os';
-
-interface NestedFields {
- geo?: EcsGeo;
- os?: EcsOs;
-}
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-host.html
- *
- * @internal
- */
-export interface EcsHost extends NestedFields {
- architecture?: string;
- boot?: { id: string };
- cpu?: { usage: number };
- disk?: Disk;
- domain?: string;
- hostname?: string;
- id?: string;
- ip?: string[];
- mac?: string[];
- name?: string;
- network?: Network;
- pid_ns_ino?: string;
- type?: string;
- uptime?: number;
-}
-
-interface Disk {
- read?: { bytes: number };
- write?: { bytes: number };
-}
-
-interface Network {
- egress?: { bytes?: number; packets?: number };
- ingress?: { bytes?: number; packets?: number };
-}
diff --git a/packages/kbn-ecs/src/ecs/http.ts b/packages/kbn-ecs/src/ecs/http.ts
deleted file mode 100644
index 809ad19fd6a79..0000000000000
--- a/packages/kbn-ecs/src/ecs/http.ts
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-http.html
- *
- * @internal
- */
-export interface EcsHttp {
- request?: Request;
- response?: Response;
- version?: string;
-}
-
-interface Request {
- body?: { bytes?: number; content?: string };
- bytes?: number;
- id?: string;
- // We can't provide predefined values here because ECS requires preserving the
- // original casing for anomaly detection use cases.
- method?: string;
- mime_type?: string;
- referrer?: string;
-}
-
-interface Response {
- body?: { bytes?: number; content?: string };
- bytes?: number;
- mime_type?: string;
- status_code?: number;
-}
diff --git a/packages/kbn-ecs/src/ecs/log.ts b/packages/kbn-ecs/src/ecs/log.ts
deleted file mode 100644
index 13b7654fdeded..0000000000000
--- a/packages/kbn-ecs/src/ecs/log.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-log.html
- *
- * @internal
- */
-export interface EcsLog {
- file?: { path: string };
- level?: string;
- logger?: string;
- origin?: Origin;
- syslog?: Syslog;
-}
-
-interface Origin {
- file?: { line?: number; name?: string };
- function?: string;
-}
-
-interface Syslog {
- appname?: string;
- facility?: { code?: number; name?: string };
- hostname?: string;
- msgid?: string;
- priority?: number;
- procid?: string;
- severity?: { code?: number; name?: string };
- structured_data?: Record;
- version?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/network.ts b/packages/kbn-ecs/src/ecs/network.ts
deleted file mode 100644
index 9f225eb73c40b..0000000000000
--- a/packages/kbn-ecs/src/ecs/network.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsVlan } from './vlan';
-
-interface NestedFields {
- inner?: { vlan?: EcsVlan };
- vlan?: EcsVlan;
-}
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-network.html
- *
- * @internal
- */
-export interface EcsNetwork extends NestedFields {
- application?: string;
- bytes?: number;
- community_id?: string;
- direction?: Direction;
- forwarded_ip?: string;
- iana_number?: string;
- name?: string;
- packets?: number;
- protocol?: string;
- transport?: string;
- type?: string;
-}
-
-type Direction =
- | 'ingress'
- | 'egress'
- | 'inbound'
- | 'outbound'
- | 'internal'
- | 'external'
- | 'unknown';
diff --git a/packages/kbn-ecs/src/ecs/observer.ts b/packages/kbn-ecs/src/ecs/observer.ts
deleted file mode 100644
index 77627eed7a6bf..0000000000000
--- a/packages/kbn-ecs/src/ecs/observer.ts
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { EcsGeo } from './geo';
-import { EcsInterface } from './interface';
-import { EcsOs } from './os';
-import { EcsVlan } from './vlan';
-
-interface NestedFields {
- egress?: NestedEgressFields;
- geo?: EcsGeo;
- ingress?: NestedIngressFields;
- os?: EcsOs;
-}
-
-interface NestedEgressFields {
- interface?: EcsInterface;
- vlan?: EcsVlan;
-}
-
-interface NestedIngressFields {
- interface?: EcsInterface;
- vlan?: EcsVlan;
-}
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-observer.html
- *
- * @internal
- */
-export interface EcsObserver extends NestedFields {
- egress?: Egress;
- hostname?: string;
- ingress?: Ingress;
- ip?: string[];
- mac?: string[];
- name?: string;
- product?: string;
- serial_number?: string;
- type?: string;
- vendor?: string;
- version?: string;
-}
-
-interface Egress extends NestedEgressFields {
- zone?: string;
-}
-
-interface Ingress extends NestedIngressFields {
- zone?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/orchestrator.ts b/packages/kbn-ecs/src/ecs/orchestrator.ts
deleted file mode 100644
index 87ede628bdeb9..0000000000000
--- a/packages/kbn-ecs/src/ecs/orchestrator.ts
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-orchestrator.html
- *
- * @internal
- */
-export interface EcsOrchestrator {
- api_version?: string;
- cluster?: Cluster;
- namespace?: string;
- organization?: string;
- resource?: Resource;
- type?: string;
-}
-
-interface Cluster {
- id?: string;
- name?: string;
- url?: string;
- version?: string;
-}
-
-interface Resource {
- id?: string;
- ip?: string[];
- name?: string;
- parent?: { type: string };
- type?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/os.ts b/packages/kbn-ecs/src/ecs/os.ts
deleted file mode 100644
index d4830df618ed2..0000000000000
--- a/packages/kbn-ecs/src/ecs/os.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-os.html
- *
- * @internal
- */
-export interface EcsOs {
- family?: string;
- full?: string;
- kernel?: string;
- name?: string;
- platform?: string;
- type?: 'linux' | 'macos' | 'unix' | 'windows';
- version?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/package.ts b/packages/kbn-ecs/src/ecs/package.ts
deleted file mode 100644
index fce1415d08c4b..0000000000000
--- a/packages/kbn-ecs/src/ecs/package.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-package.html
- *
- * @internal
- */
-export interface EcsPackage {
- architecture?: string;
- build_version?: string;
- checksum?: string;
- description?: string;
- install_scope?: string;
- installed?: string;
- license?: string;
- name?: string;
- path?: string;
- reference?: string;
- size?: number;
- type?: string;
- version?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/pe.ts b/packages/kbn-ecs/src/ecs/pe.ts
deleted file mode 100644
index b4b8be422a97d..0000000000000
--- a/packages/kbn-ecs/src/ecs/pe.ts
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * https://www.elastic.co/guide/en/ecs/master/ecs-pe.html
- *
- * @internal
- */
-export interface EcsPe {
- architecture?: string;
- company?: string;
- description?: string;
- file_version?: string;
- imphash?: string;
- original_file_name?: string;
- pehash?: string;
- product?: string;
-}
diff --git a/packages/kbn-ecs/src/ecs/process.ts b/packages/kbn-ecs/src/ecs/process.ts
deleted file mode 100644
index 8a83875025d84..0000000000000
--- a/packages/kbn-ecs/src/ecs/process.ts
+++ /dev/null
@@ -1,60 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { EcsCodeSignature } from './code_signature'; -import { EcsElf } from './elf'; -import { EcsGroup } from './group'; -import { EcsHash } from './hash'; -import { EcsSource } from './source'; -import { EcsUser } from './user'; - -interface NestedFields { - code_signature?: EcsCodeSignature; - elf?: EcsElf; - entry_leader?: EcsProcess; - group?: EcsGroup; - group_leader?: EcsProcess; - hash?: EcsHash; - parent?: EcsProcess; - previous?: EcsProcess; - real_group?: EcsGroup; - real_user?: EcsUser; - saved_group?: EcsGroup; - saved_user?: EcsUser; - session_leader?: EcsProcess & { entry_meta?: EntryMeta }; - supplemental_groups?: EcsGroup; - user?: EcsUser; -} - -interface EntryMeta { - type?: string; - source?: EcsSource; -} - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-process.html - * - * @internal - */ -export interface EcsProcess extends NestedFields { - args?: string[]; - args_count?: number; - command_line?: string; - end?: string; - entity_id?: string; - env_vars?: Record; - executable?: string; - exit_code?: number; - name?: string; - pgid?: number; - pid?: number; - start?: string; - title?: string; - uptime?: number; - working_directory?: string; -} diff --git a/packages/kbn-ecs/src/ecs/registry.ts b/packages/kbn-ecs/src/ecs/registry.ts deleted file mode 100644 index 27042ae552e82..0000000000000 --- a/packages/kbn-ecs/src/ecs/registry.ts +++ /dev/null 
@@ -1,26 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-registry.html - * - * @internal - */ -export interface EcsRegistry { - data?: Data; - hive?: string; - key?: string; - path?: string; - value?: string; -} - -interface Data { - bytes?: string; - strings?: string[]; - type?: string; -} diff --git a/packages/kbn-ecs/src/ecs/related.ts b/packages/kbn-ecs/src/ecs/related.ts deleted file mode 100644 index d4556bea24d19..0000000000000 --- a/packages/kbn-ecs/src/ecs/related.ts +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-related.html - * - * @internal - */ -export interface EcsRelated { - hash?: string[]; - hosts?: string[]; - ip?: string[]; - user?: string[]; -} diff --git a/packages/kbn-ecs/src/ecs/rule.ts b/packages/kbn-ecs/src/ecs/rule.ts deleted file mode 100644 index 144d93b12a42b..0000000000000 --- a/packages/kbn-ecs/src/ecs/rule.ts +++ /dev/null 
@@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-rule.html - * - * @internal - */ -export interface EcsRule { - author?: string[]; - category?: string; - description?: string; - id?: string; - license?: string; - name?: string; - reference?: string; - ruleset?: string; - uuid?: string; - version?: string; -} diff --git a/packages/kbn-ecs/src/ecs/server.ts b/packages/kbn-ecs/src/ecs/server.ts deleted file mode 100644 index 2d6666925cb99..0000000000000 --- a/packages/kbn-ecs/src/ecs/server.ts +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { EcsAutonomousSystem } from './autonomous_system'; -import { EcsGeo } from './geo'; -import { EcsNestedUser } from './user'; - -interface NestedFields { - as?: EcsAutonomousSystem; - geo?: EcsGeo; - user?: EcsNestedUser; -} - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-server.html - * - * @internal - */ -export interface EcsServer extends NestedFields { - address?: string; - bytes?: number; - domain?: string; - ip?: string; - mac?: string; - nat?: { ip?: string; port?: number }; - packets?: number; - port?: number; - registered_domain?: string; - subdomain?: string; - top_level_domain?: string; -} 
diff --git a/packages/kbn-ecs/src/ecs/service.ts b/packages/kbn-ecs/src/ecs/service.ts deleted file mode 100644 index 52ab6f117c22a..0000000000000 --- a/packages/kbn-ecs/src/ecs/service.ts +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-service.html - * - * @internal - */ -export interface EcsService { - address?: string; - environment?: string; - ephemeral_id?: string; - id?: string; - name?: string; - node?: Node; - state?: string; - type?: string; - version?: string; -} - -interface Node { - name?: string; - roles?: string[]; -} diff --git a/packages/kbn-ecs/src/ecs/source.ts b/packages/kbn-ecs/src/ecs/source.ts deleted file mode 100644 index 10fd3df7efe23..0000000000000 --- a/packages/kbn-ecs/src/ecs/source.ts +++ /dev/null 
@@ -1,36 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { EcsAutonomousSystem } from './autonomous_system'; -import { EcsGeo } from './geo'; -import { EcsNestedUser } from './user'; - -interface NestedFields { - as?: EcsAutonomousSystem; - geo?: EcsGeo; - user?: EcsNestedUser; -} - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-source.html - * - * @internal - */ -export interface EcsSource extends NestedFields { - address?: string; - bytes?: number; - domain?: string; - ip?: string; - mac?: string; - nat?: { ip?: string; port?: number }; - packets?: number; - port?: number; - registered_domain?: string; - subdomain?: string; - top_level_domain?: string; -} diff --git a/packages/kbn-ecs/src/ecs/threat.ts b/packages/kbn-ecs/src/ecs/threat.ts deleted file mode 100644 index bba86fdbf128f..0000000000000 --- a/packages/kbn-ecs/src/ecs/threat.ts +++ /dev/null 
@@ -1,139 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { EcsAutonomousSystem } from './autonomous_system'; -import { EcsFile } from './file'; -import { EcsGeo } from './geo'; -import { EcsRegistry } from './registry'; -import { EcsUrl } from './url'; -import { EcsX509 } from './x509'; - -interface IndicatorNestedFields { - as?: EcsAutonomousSystem; - file?: EcsFile; - geo?: EcsGeo; - registry?: EcsRegistry; - url?: EcsUrl; - x509?: EcsX509; -} - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-threat.html - * - * @internal - */ -export interface EcsThreat { - enrichments?: Enrichment[]; - indicator?: Indicator; - feed?: Feed; - framework?: string; - group?: Group; - software?: Software; - tactic?: Tactic; - technique?: Technique; -} - -interface Enrichment { - indicator?: Indicator; - matched?: Matched; -} - -interface Indicator extends IndicatorNestedFields { - confidence?: 'Not Specified' | 'None' | 'Low' | 'Medium' | 'High'; - description?: string; - email?: { address?: string }; - first_seen?: string; - ip?: string; - last_seen?: string; - marking?: Marking; - modified_at?: string; - port?: number; - provider?: string; - reference?: string; - scanner_stats?: number; - sightings?: number; - type?: IndicatorType; -} - -interface Feed { - dashboard_id?: string; - description?: string; - name?: string; - reference?: string; -} - -interface Marking { - tlp?: 'WHITE' | 'GREEN' | 'AMBER' | 'RED'; -} - -interface Matched { - atomic?: string; - field?: string; - id?: string; - index?: string; - type?: string; -} - -interface Group { - alias?: string[]; - id?: string; - name?: string; - reference?: string; -} - -interface Software { - 
id?: string; - name?: string; - platforms?: SoftwarePlatforms[]; - reference?: string; - type?: 'Malware' | 'Tool'; -} - -type SoftwarePlatforms = - | 'AWS' - | 'Azure' - | 'Azure AD' - | 'GCP' - | 'Linux' - | 'macOS' - | 'Network' - | 'Office 365' - | 'SaaS' - | 'Windows'; - -interface Tactic { - id?: string[]; - name?: string[]; - reference?: string[]; -} - -interface Technique { - id?: string[]; - name?: string[]; - reference?: string[]; - subtechnique?: Technique; -} - -type IndicatorType = - | 'autonomous-system' - | 'artifact' - | 'directory' - | 'domain-name' - | 'email-addr' - | 'file' - | 'ipv4-addr' - | 'ipv6-addr' - | 'mac-addr' - | 'mutex' - | 'port' - | 'process' - | 'software' - | 'url' - | 'user-account' - | 'windows-registry-key' - | 'x509-certificate'; diff --git a/packages/kbn-ecs/src/ecs/tls.ts b/packages/kbn-ecs/src/ecs/tls.ts deleted file mode 100644 index a4aa8dce04a98..0000000000000 --- a/packages/kbn-ecs/src/ecs/tls.ts +++ /dev/null 
@@ -1,64 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { EcsX509 } from './x509'; - -interface NestedClientFields { - x509?: EcsX509; -} - -interface NestedServerFields { - x509?: EcsX509; -} - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-tls.html - * - * @internal - */ -export interface EcsTls { - cipher?: string; - client?: Client; - curve?: string; - established?: boolean; - next_protocol?: string; - resumed?: boolean; - server?: Server; - version?: string; - version_protocol?: string; -} - -interface Client extends NestedClientFields { - certificate?: string; - certificate_chain?: string[]; - hash?: Hash; - issuer?: string; - ja3?: string; - not_after?: string; - not_before?: string; - server_name?: string; - subject?: string; - supported_ciphers?: string[]; -} - -interface Server extends NestedServerFields { - certificate?: string; - certificate_chain?: string[]; - hash?: Hash; - issuer?: string; - ja3s?: string; - not_after?: string; - not_before?: string; - subject?: string; -} - -interface Hash { - md5?: string; - sha1?: string; - sha256?: string; -} diff --git a/packages/kbn-ecs/src/ecs/tracing.ts b/packages/kbn-ecs/src/ecs/tracing.ts deleted file mode 100644 index 05413770ca2d0..0000000000000 --- a/packages/kbn-ecs/src/ecs/tracing.ts +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * Unlike other ECS field sets, tracing fields are not nested under the field - * set name (i.e. `trace.id` is valid, `tracing.trace.id` is not). So, like - * the base fields, we will need to do an intersection with these types at - * the root level. - * - * https://www.elastic.co/guide/en/ecs/master/ecs-tracing.html - * - * @internal - */ -export interface EcsTracing { - span?: { id?: string }; - trace?: { id?: string }; - transaction?: { id?: string }; -} diff --git a/packages/kbn-ecs/src/ecs/url.ts b/packages/kbn-ecs/src/ecs/url.ts deleted file mode 100644 index 7e4fe59bab4af..0000000000000 --- a/packages/kbn-ecs/src/ecs/url.ts +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-url.html - * - * @internal - */ -export interface EcsUrl { - domain?: string; - extension?: string; - fragment?: string; - full?: string; - original?: string; - password?: string; - path?: string; - port?: number; - query?: string; - registered_domain?: string; - scheme?: string; - subdomain?: string; - top_level_domain?: string; - username?: string; -} diff --git a/packages/kbn-ecs/src/ecs/user.ts b/packages/kbn-ecs/src/ecs/user.ts deleted file mode 100644 index ec6f78473f3e3..0000000000000 
--- a/packages/kbn-ecs/src/ecs/user.ts +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { EcsGroup } from './group'; - -interface NestedFields { - group?: EcsGroup; -} - -/** - * `User` is unlike most other fields which can be reused in multiple places - * in that ECS places restrictions on which individual properties can be reused; - * - * Specifically, `changes`, `effective`, and `target` may be used if `user` is - * placed at the root level, but not if it is nested inside another field like - * `destination`. A more detailed explanation of these nuances can be found at: - * - * https://www.elastic.co/guide/en/ecs/master/ecs-user-usage.html - * - * As a result, we need to export a separate `NestedUser` type to import into - * other interfaces internally. This contains the reusable subset of properties - * from `User`. - * - * @internal - */ -export interface EcsNestedUser extends NestedFields { - domain?: string; - email?: string; - full_name?: string; - hash?: string; - id?: string; - name?: string; - roles?: string[]; -} - -/** - * @internal - */ -export interface EcsUser extends EcsNestedUser { - changes?: EcsNestedUser; - effective?: EcsNestedUser; - target?: EcsNestedUser; -} diff --git a/packages/kbn-ecs/src/ecs/user_agent.ts b/packages/kbn-ecs/src/ecs/user_agent.ts deleted file mode 100644 index b0a97a47eac62..0000000000000 --- a/packages/kbn-ecs/src/ecs/user_agent.ts +++ /dev/null 
@@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { EcsOs } from './os'; - -interface NestedFields { - os?: EcsOs; -} - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-user_agent.html - * - * @internal - */ -export interface EcsUserAgent extends NestedFields { - device?: { name: string }; - name?: string; - original?: string; - version?: string; -} diff --git a/packages/kbn-ecs/src/ecs/vulnerability.ts b/packages/kbn-ecs/src/ecs/vulnerability.ts deleted file mode 100644 index 6dec07ff5874f..0000000000000 --- a/packages/kbn-ecs/src/ecs/vulnerability.ts +++ /dev/null @@ -1,32 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-vulnerability.html - * - * @internal - */ -export interface EcsVulnerability { - category?: string[]; - classification?: string; - description?: string; - enumeration?: string; - id?: string; - reference?: string; - report_id?: string; - scanner?: { vendor: string }; - score?: Score; - severity?: string; -} - -interface Score { - base?: number; - environmental?: number; - temporal?: number; - version?: string; -} diff --git a/packages/kbn-ecs/src/ecs/x509.ts b/packages/kbn-ecs/src/ecs/x509.ts deleted file mode 100644 index 1b5b9f194923f..0000000000000 --- a/packages/kbn-ecs/src/ecs/x509.ts +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-x509.html - * - * @internal - */ -export interface EcsX509 { - alternative_names?: string[]; - issuer?: Issuer; - not_after?: string; - not_before?: string; - public_key_algorithm?: string; - public_key_curve?: string; - public_key_exponent?: number; - public_key_size?: number; - serial_number?: string; - signature_algorithm?: string; - subject?: Subject; - version_number?: string; -} - -interface Issuer { - common_name?: string[]; - country?: string[]; - distinguished_name?: string; - locality?: string[]; - organization?: string[]; - organizational_unit?: string[]; - state_or_province?: string[]; -} - -interface Subject { - common_name?: string[]; - country?: string[]; - distinguished_name?: string; - locality?: string[]; - organization?: string[]; - organizational_unit?: string[]; - state_or_province?: string[]; -} diff --git a/packages/kbn-i18n/src/core/i18n.test.ts b/packages/kbn-i18n/src/core/i18n.test.ts index f9a6535d881ee..dfea790f129b5 100644 --- a/packages/kbn-i18n/src/core/i18n.test.ts +++ b/packages/kbn-i18n/src/core/i18n.test.ts @@ -662,13 +662,13 @@ describe('I18n engine', () => { i18n.translate('a.short', { values: { expires: new Date(2018, 5, 20, 18, 40, 30, 50) }, } as any) - ).toBe('Coupon expires at 6:40 PM'); + ).toBe('Coupon expires at 6:40 PM'); expect( i18n.translate('a.medium', { values: { expires: new Date(2018, 5, 20, 18, 40, 30, 50) }, } as any) - ).toBe('Coupon expires at 6:40:30 PM'); + ).toBe('Coupon expires at 6:40:30 PM'); }); test('should format default messages with time formatter', () => { 
@@ -679,14 +679,14 @@ describe('I18n engine', () => { defaultMessage: 'Coupon expires at {expires, time, short}', values: { expires: new Date(2018, 5, 20, 18, 40, 30, 50) }, }) - ).toBe('Coupon expires at 6:40 PM'); + ).toBe('Coupon expires at 6:40 PM'); expect( i18n.translate('foo', { defaultMessage: 'Coupon expires at {expires, time, medium}', values: { expires: new Date(2018, 5, 20, 18, 40, 30, 50) }, }) - ).toBe('Coupon expires at 6:40:30 PM'); + ).toBe('Coupon expires at 6:40:30 PM'); }); test('should format message with a custom format', () => { diff --git a/packages/kbn-logging/src/log_meta.ts b/packages/kbn-logging/src/log_meta.ts index e17f841979cb2..1ba110b0e0bee 100644 --- a/packages/kbn-logging/src/log_meta.ts +++ b/packages/kbn-logging/src/log_meta.ts @@ -8,8 +8,7 @@ import { EcsBase, - EcsAgent, - EcsAutonomousSystem, + EcsAs as EcsAutonomousSystem, EcsClient, EcsCloud, EcsContainer, @@ -40,6 +39,7 @@ import { EcsUser, EcsUserAgent, EcsVulnerability, + EcsAgent, } from '@kbn/ecs'; /** diff --git a/packages/kbn-monaco/BUILD.bazel b/packages/kbn-monaco/BUILD.bazel index 2ca10b073fd18..8d13702e74588 100644 --- a/packages/kbn-monaco/BUILD.bazel +++ b/packages/kbn-monaco/BUILD.bazel @@ -56,11 +56,9 @@ webpack_cli( env = select({ "//:dist": { "NODE_ENV": "production", - "NODE_OPTIONS": "--openssl-legacy-provider", }, "//conditions:default": { "NODE_ENV": "development", - "NODE_OPTIONS": "--openssl-legacy-provider", }, }), visibility = ["//visibility:public"], diff --git a/packages/kbn-optimizer/src/optimizer/observe_worker.ts b/packages/kbn-optimizer/src/optimizer/observe_worker.ts index 49c150fbf2dcb..cf250a7deef6e 100644 --- a/packages/kbn-optimizer/src/optimizer/observe_worker.ts +++ b/packages/kbn-optimizer/src/optimizer/observe_worker.ts 
@@ -60,7 +60,6 @@ function usingWorkerProc(config: OptimizerConfig, fn: (proc: ChildProcess) => (): ProcResource => { const proc = fork(require.resolve('../worker/run_worker'), [], { execArgv: [ - '--openssl-legacy-provider', `--require=@kbn/babel-register/install`, ...(inspectFlag && config.inspectWorkers ? [`${inspectFlag}=${inspectPortCounter++}`] diff --git a/packages/kbn-slo-schema/src/schema/common.ts b/packages/kbn-slo-schema/src/schema/common.ts index 36404aad390f1..b2ef0d5a3a933 100644 --- a/packages/kbn-slo-schema/src/schema/common.ts +++ b/packages/kbn-slo-schema/src/schema/common.ts @@ -44,6 +44,13 @@ const summarySchema = t.type({ errorBudget: errorBudgetSchema, }); +const historicalSummarySchema = t.intersection([ + t.type({ + date: dateType, + }), + summarySchema, +]); + const dateRangeSchema = t.type({ from: dateType, to: dateType }); export { @@ -52,6 +59,7 @@ export { dateRangeSchema, dateType, errorBudgetSchema, + historicalSummarySchema, statusSchema, summarySchema, }; diff --git a/packages/kbn-slo-schema/src/schema/indicators.ts b/packages/kbn-slo-schema/src/schema/indicators.ts index a8936c38f7663..73933fb785794 100644 --- a/packages/kbn-slo-schema/src/schema/indicators.ts +++ b/packages/kbn-slo-schema/src/schema/indicators.ts @@ -7,13 +7,7 @@ */ import * as t from 'io-ts'; -import { - allOrAnyString, - dateRangeSchema, - dateType, - errorBudgetSchema, - statusSchema, -} from './common'; +import { allOrAnyString, dateRangeSchema } from './common'; const apmTransactionDurationIndicatorTypeSchema = t.literal('sli.apm.transactionDuration'); const apmTransactionDurationIndicatorSchema = t.type({ @@ -68,13 +62,6 @@ const indicatorDataSchema = t.type({ total: t.number, }); -const historicalSummarySchema = t.type({ - date: dateType, - errorBudget: errorBudgetSchema, - sliValue: t.number, - status: statusSchema, -}); - const indicatorTypesSchema = t.union([ apmTransactionDurationIndicatorTypeSchema, apmTransactionErrorRateIndicatorTypeSchema, 
@@ -117,5 +104,4 @@ export { indicatorTypesArraySchema, indicatorTypesSchema, indicatorDataSchema, - historicalSummarySchema, }; diff --git a/packages/kbn-test/src/kbn_client/kbn_client_saved_objects.ts b/packages/kbn-test/src/kbn_client/kbn_client_saved_objects.ts index 33360bf82ef0c..b896aef3d2f56 100644 --- a/packages/kbn-test/src/kbn_client/kbn_client_saved_objects.ts +++ b/packages/kbn-test/src/kbn_client/kbn_client_saved_objects.ts @@ -7,7 +7,6 @@ */ import { inspect } from 'util'; - import * as Rx from 'rxjs'; import { mergeMap } from 'rxjs/operators'; import { isAxiosResponseError } from '@kbn/dev-utils'; @@ -90,6 +89,11 @@ async function concurrently(maxConcurrency: number, arr: T[], fn: (item: T) = } } +/** + * SO client for FTR. + * + * @remarks: Leverage the `ftrApis` plugin under the hood. + */ export class KbnClientSavedObjects { constructor(private readonly log: ToolingLog, private readonly requester: KbnClientRequester) {} @@ -117,8 +121,8 @@ export class KbnClientSavedObjects { const { data } = await this.requester.request>({ description: 'get saved object', path: options.space - ? uriencode`/s/${options.space}/api/saved_objects/${options.type}/${options.id}` - : uriencode`/api/saved_objects/${options.type}/${options.id}`, + ? uriencode`/s/${options.space}/internal/ftr/kbn_client_so/${options.type}/${options.id}` + : uriencode`/internal/ftr/kbn_client_so/${options.type}/${options.id}`, method: 'GET', }); return data; @@ -133,8 +137,8 @@ export class KbnClientSavedObjects { const { data } = await this.requester.request>({ description: 'update saved object', path: options.id - ? uriencode`/api/saved_objects/${options.type}/${options.id}` - : uriencode`/api/saved_objects/${options.type}`, + ? uriencode`/internal/ftr/kbn_client_so/${options.type}/${options.id}` + : uriencode`/internal/ftr/kbn_client_so/${options.type}`, query: { overwrite: options.overwrite, }, 
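Review bot: The class comment added above `KbnClientSavedObjects` writes the tag as `@remarks:` with a trailing colon, which is not the TSDoc form, and it names the plugin without saying what that means for a caller. The request paths changed in the later hunks of this file all move from `/api/saved_objects/...` to `/internal/ftr/kbn_client_so/...`, so the client presumably only works against a Kibana that has that plugin loaded. I would write `@remarks Sends its requests to the /internal/ftr/kbn_client_so routes provided by the ftrApis plugin, so the target Kibana must have that plugin loaded.` The route registration is not in this file, so whether those routes are restricted to test configurations cannot be confirmed here and should be stated where they are registered.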
@@ -156,7 +160,7 @@ export class KbnClientSavedObjects { const { data } = await this.requester.request>({ description: 'update saved object', - path: uriencode`/api/saved_objects/${options.type}/${options.id}`, + path: uriencode`/internal/ftr/kbn_client_so/${options.type}/${options.id}`, query: { overwrite: options.overwrite, }, @@ -179,8 +183,8 @@ export class KbnClientSavedObjects { const { data } = await this.requester.request({ description: 'delete saved object', path: options.space - ? uriencode`/s/${options.space}/api/saved_objects/${options.type}/${options.id}` - : uriencode`/api/saved_objects/${options.type}/${options.id}`, + ? uriencode`/s/${options.space}/internal/ftr/kbn_client_so/${options.type}/${options.id}` + : uriencode`/internal/ftr/kbn_client_so/${options.type}/${options.id}`, method: 'DELETE', }); @@ -196,8 +200,8 @@ export class KbnClientSavedObjects { const resp = await this.requester.request({ method: 'GET', path: options.space - ? uriencode`/s/${options.space}/api/saved_objects/_find` - : '/api/saved_objects/_find', + ? uriencode`/s/${options.space}/internal/ftr/kbn_client_so/_find` + : `/internal/ftr/kbn_client_so/_find`, query: { per_page: 1000, type: options.types, @@ -270,8 +274,8 @@ export class KbnClientSavedObjects { await this.requester.request({ method: 'DELETE', path: options.space - ? uriencode`/s/${options.space}/api/saved_objects/${obj.type}/${obj.id}?force=true` - : uriencode`/api/saved_objects/${obj.type}/${obj.id}?force=true`, + ? uriencode`/s/${options.space}/internal/ftr/kbn_client_so/${obj.type}/${obj.id}` + : uriencode`/internal/ftr/kbn_client_so/${obj.type}/${obj.id}`, }); deleted++; } catch (error) { diff --git a/packages/kbn-ui-shared-deps-npm/BUILD.bazel b/packages/kbn-ui-shared-deps-npm/BUILD.bazel index 7bcc1b3c4b380..2814c674e9626 100644 --- a/packages/kbn-ui-shared-deps-npm/BUILD.bazel +++ b/packages/kbn-ui-shared-deps-npm/BUILD.bazel 
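Review bot: The fallback branch of the `_find` path is now a backtick template string with nothing interpolated, where the old side used a plain quoted string. Keeping it as `: '/internal/ftr/kbn_client_so/_find',` avoids suggesting that something is substituted there and matches how the space-scoped branch is the only one that needs `uriencode`.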
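Review bot: Both DELETE paths in the `@@ -270,8 +274,8 @@` hunk drop the `?force=true` query that the old side sent, and nothing in the hunk replaces it. If the `/internal/ftr/kbn_client_so` delete route does not force deletion on its own, objects that exist in more than one space would presumably be rejected and end up in the `catch` branch instead of incrementing `deleted`. Either pass the flag through the request options, `query: { force: true },` (if the route accepts it), or record the reason it is gone with `// the ftr delete route always force-deletes, so no force flag is sent`. The enclosing loop and method start outside the hunk.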
@@ -84,11 +84,9 @@ webpack_cli( env = select({ "//:dist": { "NODE_ENV": "production", - "NODE_OPTIONS": "--openssl-legacy-provider", }, "//conditions:default": { "NODE_ENV": "development", - "NODE_OPTIONS": "--openssl-legacy-provider", }, }) ) diff --git a/packages/kbn-ui-shared-deps-src/BUILD.bazel b/packages/kbn-ui-shared-deps-src/BUILD.bazel index 49c2cc62dcfe5..0b350c51331ff 100644 --- a/packages/kbn-ui-shared-deps-src/BUILD.bazel +++ b/packages/kbn-ui-shared-deps-src/BUILD.bazel @@ -45,11 +45,9 @@ webpack_cli( env = select({ "//:dist": { "NODE_ENV": "production", - "NODE_OPTIONS": "--openssl-legacy-provider", }, "//conditions:default": { "NODE_ENV": "development", - "NODE_OPTIONS": "--openssl-legacy-provider", }, }), visibility = ["//visibility:public"], diff --git a/packages/kbn-utility-types/index.ts b/packages/kbn-utility-types/index.ts index ab3ad9f60a2a0..52f707f2bc0d4 100644 --- a/packages/kbn-utility-types/index.ts +++ b/packages/kbn-utility-types/index.ts @@ -138,3 +138,5 @@ export interface DeepPartialArray extends Array> {} export type DeepPartialObject = { [P in keyof T]+?: DeepPartial }; export type { DotObject, DedotObject } from './src/dot'; + +export type ArrayElement = A extends ReadonlyArray ? T : never; diff --git a/scripts/ship_ci_stats.js b/scripts/ship_ci_stats.js index a45ab8472956c..4ceb5a6bc668a 100644 --- a/scripts/ship_ci_stats.js +++ b/scripts/ship_ci_stats.js @@ -7,4 +7,4 @@ */ require('../src/setup_node_env'); -require('@kbn/dev-utils').shipCiStatsCli(); +require('@kbn/ci-stats-shipper-cli'); diff --git a/src/core/server/index.ts b/src/core/server/index.ts index 37306d63acf6b..3364f4e4026e1 100644 --- a/src/core/server/index.ts +++ b/src/core/server/index.ts 
@@ -215,7 +215,7 @@ export type { AppenderConfigType, } from '@kbn/core-logging-server'; export type { Logger, LoggerFactory, LogMeta, LogRecord, LogLevel } from '@kbn/logging'; -export type { Ecs, EcsEventCategory, EcsEventKind, EcsEventOutcome, EcsEventType } from '@kbn/ecs'; +export type { Ecs, EcsEvent } from '@kbn/ecs'; export type { NodeInfo, NodeRoles } from '@kbn/core-node-server'; diff --git a/src/core/server/integration_tests/core_app/core_app_routes.test.ts b/src/core/server/integration_tests/core_app/core_app_routes.test.ts index 153a1a435d9dd..8fa0cae5a2c51 100644 --- a/src/core/server/integration_tests/core_app/core_app_routes.test.ts +++ b/src/core/server/integration_tests/core_app/core_app_routes.test.ts @@ -53,6 +53,11 @@ describe('Core app routes', () => { const response = await request.get(root, '/base-path/foo/').expect(302); expect(response.get('location')).toEqual('/base-path/foo'); }); + + it('URI encodes redirect path', async () => { + const response = await request.get(root, '/%5Csome-path/').expect(302); + expect(response.get('location')).toEqual('/base-path/%5Csome-path'); + }); }); describe('`/` route', () => { diff --git a/src/dev/build/tasks/patch_native_modules_task.ts b/src/dev/build/tasks/patch_native_modules_task.ts index 596b94933385e..2c4436f387dfe 100644 --- a/src/dev/build/tasks/patch_native_modules_task.ts +++ b/src/dev/build/tasks/patch_native_modules_task.ts 
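Review bot: The added test `URI encodes redirect path` does not say why the encoding matters, and the reason looks like a security one that a later refactor of the redirect could lose. Some browsers treat a backslash in a `Location` value as a slash, so a decoded `%5C` at the start of the redirect target could presumably send the user off-origin when the base path is empty; the route code is not in this hunk, so that is inferred from the assertion. I would add a comment above the request, `// the backslash must stay percent-encoded in Location; browsers may read a raw "\" as "/"`. The enclosing `describe` block starts outside the hunk.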
@@ -41,17 +41,17 @@ interface Package { const packages: Package[] = [ { name: 're2', - version: '1.17.7', + version: '1.17.4', destinationPath: 'node_modules/re2/build/Release/re2.node', extractMethod: 'gunzip', archives: { 'darwin-x64': { - url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.7/darwin-x64-108.gz', - sha256: '4ed378c5a7fe6134b717afe7642254aff1ed7a881cbcaa53a012ac3efab49f99', + url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.4/darwin-x64-93.gz', + sha256: '9558c5cb39622e9b3653203e772b129d6c634e7dbd7af1b244352fc1d704601f', }, 'linux-x64': { - url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.7/linux-x64-108.gz', - sha256: '197a617ca2965f220848561afed71ff6df653f6d79910cf38e866c84ab38a236', + url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.4/linux-x64-93.gz', + sha256: '4d06747b266c75b6f7ced93977692c0586ce6a52924cabb569bd966378941aa1', }, // ARM builds are currently done manually as Github Actions used in upstream project 
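Review bot: The archive names change their suffix from `-108` to `-93` together with the version, and nothing in the hunk says what that number is tied to. It is the Node module ABI version (93 for Node 16, 108 for Node 18), so it has to follow the Node major the build runs on, and a mismatch would only surface when the prebuilt `re2.node` fails to load. I would add a comment above `archives`, `// the -NN suffix is the Node ABI (process.versions.modules) and must match the Node version Kibana ships with`. The same applies to the `linux-arm64` entry in the `@@ -67,8 +67,8 @@` hunk and the `darwin-arm64` and `win32-x64` entries in the `@@ -78,13 +78,13 @@` hunk. For the two ARM archives the context comments describe a manual build whose `sha256` is taken from the builder's own output, so the pinned hash guards against later changes to the stored file but does not vouch for the build itself; a short comment saying so would keep readers from over-trusting it.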
@@ -67,8 +67,8 @@ const packages: Package[] = [
 // * capture the sha256 with: `shasum -a 256 linux-arm64-*`
 // * upload the `linux-arm64-*.gz` artifact to the `yarn-prebuilt-artifacts` bucket in GCS using the correct version number
 'linux-arm64': {
- url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.7/linux-arm64-108.gz',
- sha256: 'a690087a1a1fd9887aac1abdab68d1992600e218be10783da6d3381cca950c1a',
+ url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.4/linux-arm64-93.gz',
+ sha256: '25409584f76f3d6ed85463d84adf094eb6e256ed1cb0b754b95bcbda6691fc26',
 },
 // A similar process is necessary for building on ARM macs:
@@ -78,13 +78,13 @@ const packages: Package[] = [
 // * capture the sha256 with: `shasum -a 256 darwin-arm64-*`
 // * upload the `darwin-arm64-*.gz` artifact to the `yarn-prebuilt-artifacts` bucket in GCS using the correct version number
 'darwin-arm64': {
- url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.7/darwin-arm64-108.gz',
- sha256: '42afc32137ff5c5bebae5d68347a9786906748c2f28e06194d8950707f2ae90e',
+ url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.4/darwin-arm64-93.gz',
+ sha256: 'd4b708749ddef1c87019f6b80e051ed0c29ccd1de34f233c47d8dcaddf803872',
 },
 'win32-x64': {
- url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.7/win32-x64-108.gz',
- sha256: 'ff72fe02de652262659c8e17e44a932f3c873362233756b40d1a97538d05de92',
+ url: 'https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/node-re2/uhop/node-re2/releases/download/1.17.4/win32-x64-93.gz',
+ sha256: '0320d0c0385432944c6fb3c8c8fcd78d440ce5626f7618f9ec71d88e44820674',
 },
 },
 },
diff --git a/src/plugins/console/README.md b/src/plugins/console/README.md
index 6920ae8b944cf..ac4cc8f76dd38 100644
--- a/src/plugins/console/README.md
+++ b/src/plugins/console/README.md
@@ -17,6 +17,32 @@ GET _search {"query":{"match_all":{}}} ``` +### Kibana API support ([#100253](https://github.com/elastic/kibana/pull/128562)) +Console plugin now supports Kibana API endpoints. `kbn:` prefix must be used in the request URL to send a request to Kibana API. For example, the following request sends a request to the Kibana API to retrieve the list of available spaces: +``` +GET kbn:api/spaces/space +``` + +### Request-body comments +Single-line and multiline comments can be added to the request body. The comments are displayed in the request editor, but are not sent to the cluster. The comments are useful for adding notes to the request body. For example, the following request body contains a single-line comment and a multiline comment: +``` +POST /_some_endpoint +{ + // This is a single-line comment + /* This is a multiline comment */ + "field": "value" +} +``` + +### Variables +Console plugin now supports variables. The variables can be used in the request body and in the request URL. The variables are defined in the `Variables` flyout in the Console UI and used in the request body and URL by wrapping the variable name with `${}`. For example, the following request body contains a variable: +``` +POST /_some_endpoint +{ + "field": "${variable}" +} +``` + ## Architecture Console uses Ace editor that is wrapped with [`CoreEditor`](https://github.com/elastic/kibana/blob/main/src/plugins/console/public/types/core_editor.ts), so that if needed it can easily be replaced with another editor, for example Monaco. The autocomplete logic is located in [`autocomplete`](https://github.com/elastic/kibana/blob/main/src/plugins/console/public/lib/autocomplete) folder. Autocomplete rules are computed by classes in `components` sub-folder. 
@@ -234,3 +260,22 @@ Some autocomplete definitions need to be configured with dynamic values that can A list of variables is defined in the `parametrizedComponentFactories` function in [`kb.js`](https://github.com/elastic/kibana/blob/main/src/plugins/console/public/lib/kb/kb.js) file. The values of these variables are assigned dynamically for every cluster. Use these variables with curly braces, for example `{indices}`, `{types}`, `{id}`, `{username}`, `{template}`, `{nodes}` etc. + +### Architecture changes in 8.3 release (timeline: 07-04-2022 - 19-06-2022) +One of the main changes in architecture is refactoring the retrieval of autocomplete suggestions. Console used to send a separate request to ES for each autocomplete entity (mappings, aliases, templates, data-streams etc) to retrieve the autocomplete suggestions via the original [hand-rolled ES proxy](https://github.com/elastic/kibana/blob/main/src/plugins/console/server/routes/api/console/proxy/create_handler.ts). This had a few drawbacks: +- The number of requests was dependent on the number of autocomplete entities, which was not scalable and could cause performance issues +- It added unnecessary dependencies on the ES proxy +- We risked fetching an enormous response payload for users who have a large number of mappings. + +To address these issues, we created a specific [route](https://github.com/elastic/kibana/blob/main/src/plugins/console/server/routes/api/console/autocomplete_entities/index.ts) in the Kibana server to retrieve all autocomplete entities in one request and send it to the client. The response for mappings capped to 10MB to avoid sending a huge payload. The client-side code was refactored to use the new response format. For more details, see [#130633](https://github.com/elastic/kibana/pull/130633). + +Another change is replacing jQuery with the core http client to communicate with the Kibana server. 
Console used a custom jQuery ajax [function](https://github.com/elastic/kibana/blob/8.0/src/plugins/console/public/lib/es/es.ts) to send requests to the Kibana server to have lower-level control over the requests, specifically controls like `crossDomain: true`. This is no longer needed since we are using the core http client. For more details, see [#127867](https://github.com/elastic/kibana/pull/127867). + +### Outstanding issues +#### Autocomplete suggestions for Kibana API endpoints +Console currently supports autocomplete suggestions for Elasticsearch API endpoints. The autocomplete suggestions for Kibana API endpoints are not supported yet. +Related issue: [#130661](https://github.com/elastic/kibana/issues/130661) + +#### Migration to Monaco Editor +Console plugin is currently using Ace Editor and it is planned to migrate to Monaco Editor in the future. +Related issue: [#57435](https://github.com/elastic/kibana/issues/57435) \ No newline at end of file diff --git a/src/plugins/discover/public/application/main/components/layout/discover_layout.scss b/src/plugins/discover/public/application/main/components/layout/discover_layout.scss index b2d9ab190e075..5cb1f54edfd2e 100644 --- a/src/plugins/discover/public/application/main/components/layout/discover_layout.scss +++ b/src/plugins/discover/public/application/main/components/layout/discover_layout.scss @@ -31,10 +31,6 @@ discover-app { overflow: hidden; } -.dscPageBody__sidebar { - position: relative; -} - .dscPageContent__wrapper { padding: $euiSizeS $euiSizeS $euiSizeS 0; overflow: hidden; // Ensures horizontal scroll of table diff --git a/src/plugins/discover/public/application/main/components/layout/discover_layout.tsx b/src/plugins/discover/public/application/main/components/layout/discover_layout.tsx index 8f1dcc4ba8dfb..ab8c5da67d04a 100644 --- a/src/plugins/discover/public/application/main/components/layout/discover_layout.tsx 
+++ b/src/plugins/discover/public/application/main/components/layout/discover_layout.tsx @@ -321,7 +321,7 @@ export function DiscoverLayout({ history={history} /> - + ( )); const DiscoverFieldTypeIcon: React.FC<{ field: DataViewField }> = memo(({ field }) => { - const typeForIcon = getTypeForFieldIcon(field); - return ( - - ); + return ; }); const FieldName: React.FC<{ field: DataViewField; highlight?: string }> = memo( diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.scss b/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.scss deleted file mode 100644 index 59b6e49b0fe0e..0000000000000 --- a/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.scss +++ /dev/null @@ -1,15 +0,0 @@ -.dscFieldSearch__formWrapper { - padding: $euiSizeM; -} - -.dscFieldTypesHelp__popover { - flex-grow: 0; - min-width: 0 !important; // Reduce width of icon-only button -} - -.dscFieldTypesHelp__panel { - width: $euiSize * 22; - @include euiBreakpoint('xs', 's') { - width: $euiSize * 20; - } -} \ No newline at end of file diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.test.tsx b/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.test.tsx deleted file mode 100644 index eafe3fec1eeaf..0000000000000 --- a/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.test.tsx +++ /dev/null 
@@ -1,152 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { act } from 'react-dom/test-utils'; -import { mountWithIntl } from '@kbn/test-jest-helpers'; -import { findTestSubject } from '@elastic/eui/lib/test'; -import { DiscoverFieldSearch, Props } from './discover_field_search'; -import { EuiButtonGroupProps, EuiPopover } from '@elastic/eui'; -import { ReactWrapper } from 'enzyme'; -import { KibanaContextProvider } from '@kbn/kibana-react-plugin/public'; - -describe('DiscoverFieldSearch', () => { - const defaultProps = { - onChange: jest.fn(), - value: 'test', - types: ['any', 'string', '_source'], - presentFieldTypes: ['string', 'date', 'boolean', 'number'], - isPlainRecord: false, - }; - - function mountComponent(props?: Props) { - const compProps = props || defaultProps; - return mountWithIntl( - - - - ); - } - - function findButtonGroup(component: ReactWrapper, id: string) { - return component.find(`[data-test-subj="${id}ButtonGroup"]`).first(); - } - - test('enter value', () => { - const component = mountComponent(); - const input = findTestSubject(component, 'fieldFilterSearchInput'); - input.simulate('change', { target: { value: 'new filter' } }); - expect(defaultProps.onChange).toBeCalledTimes(1); - expect(defaultProps.onChange).toHaveBeenCalledWith('name', 'new filter'); - }); - - test('change in active filters should change facet selection and call onChange', () => { - const onChange = jest.fn(); - const component = mountComponent({ ...defaultProps, ...{ onChange } }); - const btn = findTestSubject(component, 'toggleFieldFilterButton'); - const badge = btn.find('.euiNotificationBadge').last(); - 
expect(badge.text()).toEqual('0'); - btn.simulate('click'); - const aggregatableButtonGroup = findButtonGroup(component, 'aggregatable'); - - act(() => { - // @ts-expect-error - (aggregatableButtonGroup.props() as EuiButtonGroupProps).onChange('aggregatable-true', null); - }); - component.update(); - expect(badge.text()).toEqual('1'); - expect(onChange).toBeCalledWith('aggregatable', true); - }); - - test('change in active filters should change filters count', () => { - const component = mountComponent(); - let btn = findTestSubject(component, 'toggleFieldFilterButton'); - btn.simulate('click'); - btn = findTestSubject(component, 'toggleFieldFilterButton'); - const badge = btn.find('.euiNotificationBadge').last(); - // no active filters - expect(badge.text()).toEqual('0'); - // change value of aggregatable select - const aggregatableButtonGroup = findButtonGroup(component, 'aggregatable'); - act(() => { - // @ts-expect-error - (aggregatableButtonGroup.props() as EuiButtonGroupProps).onChange('aggregatable-true', null); - }); - component.update(); - expect(badge.text()).toEqual('1'); - // change value of searchable select - const searchableButtonGroup = findButtonGroup(component, 'searchable'); - act(() => { - // @ts-expect-error - (searchableButtonGroup.props() as EuiButtonGroupProps).onChange('searchable-true', null); - }); - component.update(); - expect(badge.text()).toEqual('2'); - // change value of searchable select - act(() => { - // @ts-expect-error - (searchableButtonGroup.props() as EuiButtonGroupProps).onChange('searchable-any', null); - }); - component.update(); - expect(badge.text()).toEqual('1'); - }); - - test('change in filters triggers onChange', () => { - const onChange = jest.fn(); - const component = mountComponent({ ...defaultProps, ...{ onChange } }); - const btn = findTestSubject(component, 'toggleFieldFilterButton'); - btn.simulate('click'); - const aggregtableButtonGroup = findButtonGroup(component, 'aggregatable'); - act(() => { - // 
@ts-expect-error - (aggregtableButtonGroup.props() as EuiButtonGroupProps).onChange('aggregatable-true', null); - }); - expect(onChange).toBeCalledTimes(1); - }); - - test('change in type filters triggers onChange with appropriate value', () => { - const onChange = jest.fn(); - const component = mountComponent({ ...defaultProps, ...{ onChange } }); - const btn = findTestSubject(component, 'toggleFieldFilterButton'); - btn.simulate('click'); - const typeSelector = findTestSubject(component, 'typeSelect'); - typeSelector.simulate('change', { target: { value: 'string' } }); - expect(onChange).toBeCalledWith('type', 'string'); - typeSelector.simulate('change', { target: { value: 'any' } }); - expect(onChange).toBeCalledWith('type', 'any'); - }); - - test('click on filter button should open and close popover', () => { - const component = mountComponent(); - const btn = findTestSubject(component, 'toggleFieldFilterButton'); - btn.simulate('click'); - let popover = component.find(EuiPopover); - expect(popover.get(0).props.isOpen).toBe(true); - btn.simulate('click'); - popover = component.find(EuiPopover); - expect(popover.get(0).props.isOpen).toBe(false); - }); - - test('click help button should open popover with types of field docs', () => { - const component = mountComponent(); - - const btn = findTestSubject(component, 'fieldTypesHelpButton'); - btn.simulate('click'); - let popover = component.find(EuiPopover); - expect(popover.get(1).props.isOpen).toBe(true); - - const rows = component.find('.euiTableRow'); - expect(rows.length).toBe(4); - - btn.simulate('click'); - popover = component.find(EuiPopover); - expect(popover.get(1).props.isOpen).toBe(false); - }); -}); diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.tsx b/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.tsx deleted file mode 100644 index 8d7103f70efe9..0000000000000 
--- a/src/plugins/discover/public/application/main/components/sidebar/discover_field_search.tsx +++ /dev/null 
@@ -1,426 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import './discover_field_search.scss'; - -import React, { OptionHTMLAttributes, ReactNode, useMemo, useState } from 'react'; -import { i18n } from '@kbn/i18n'; -import { - EuiBasicTable, - EuiFieldSearch, - EuiFilterGroup, - EuiFlexGroup, - EuiFlexItem, - EuiPopover, - EuiPopoverTitle, - EuiSelect, - EuiForm, - EuiFormRow, - EuiButtonGroup, - EuiFilterButton, - EuiSpacer, - EuiIcon, - EuiBasicTableColumn, - EuiLink, - EuiText, - EuiPanel, -} from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n-react'; -import { FieldIcon } from '@kbn/react-field'; -import { getFieldTypeDescription } from './lib/get_field_type_description'; -import { KNOWN_FIELD_TYPES } from '../../../../../common/field_types'; -import { useDiscoverServices } from '../../../../hooks/use_discover_services'; - -export interface State { - searchable: string; - aggregatable: string; - type: string; - [index: string]: string | boolean; -} - -export interface Props { - /** - * triggered on input of user into search field - */ - onChange: (field: string, value: string | boolean | undefined) => void; - /** - * types for the type filter - */ - types: string[]; - /** - * types presented in current data view - */ - presentFieldTypes: string[]; - /** - * the input value of the user - */ - value?: string; - /** - * is text base lang mode - */ - isPlainRecord: boolean; - - /** - * For a11y - */ - fieldSearchDescriptionId?: string; -} - -interface FieldTypeTableItem { - id: number; - dataType: string; - description: string; -} - -/** - * Component is Discover's side bar to search of available fields - * Additionally there's a 
button displayed that allows the user to show/hide more filter fields - */ -export function DiscoverFieldSearch({ - onChange, - value, - types, - presentFieldTypes, - isPlainRecord, - fieldSearchDescriptionId, -}: Props) { - const searchPlaceholder = i18n.translate('discover.fieldChooser.searchPlaceHolder', { - defaultMessage: 'Search field names', - }); - const aggregatableLabel = i18n.translate('discover.fieldChooser.filter.aggregatableLabel', { - defaultMessage: 'Aggregatable', - }); - const searchableLabel = i18n.translate('discover.fieldChooser.filter.searchableLabel', { - defaultMessage: 'Searchable', - }); - const typeLabel = i18n.translate('discover.fieldChooser.filter.typeLabel', { - defaultMessage: 'Type', - }); - const typeOptions = types - ? types.map((type) => { - return { value: type, text: type }; - }) - : [{ value: 'any', text: 'any' }]; - - const [activeFiltersCount, setActiveFiltersCount] = useState(0); - const [isPopoverOpen, setPopoverOpen] = useState(false); - const [isHelpOpen, setIsHelpOpen] = useState(false); - const [values, setValues] = useState({ - searchable: 'any', - aggregatable: 'any', - type: 'any', - }); - - const { docLinks } = useDiscoverServices(); - - const items: FieldTypeTableItem[] = useMemo(() => { - const knownTypes = Object.values(KNOWN_FIELD_TYPES) as string[]; - return presentFieldTypes - .filter((element) => knownTypes.includes(element)) - .sort((one, another) => one.localeCompare(another)) - .map((element, index) => ({ - id: index, - dataType: element, - description: getFieldTypeDescription(element, docLinks), - })); - }, [presentFieldTypes, docLinks]); - - const onHelpClick = () => setIsHelpOpen((prevIsHelpOpen) => !prevIsHelpOpen); - const closeHelp = () => setIsHelpOpen(false); - - const columnsSidebar: Array> = [ - { - field: 'dataType', - name: i18n.translate('discover.fieldTypesPopover.dataTypeColumnTitle', { - defaultMessage: 'Data type', - }), - width: '110px', - render: (name: string) => ( - - - - - {name} - - 
), - }, - { - field: 'description', - name: i18n.translate('discover.fieldTypesPopover.descriptionColumnTitle', { - defaultMessage: 'Description', - }), - // eslint-disable-next-line react/no-danger - render: (description: string) =>

, - }, - ]; - - const filterBtnAriaLabel = isPopoverOpen - ? i18n.translate('discover.fieldChooser.toggleFieldFilterButtonHideAriaLabel', { - defaultMessage: 'Hide field filter settings', - }) - : i18n.translate('discover.fieldChooser.toggleFieldFilterButtonShowAriaLabel', { - defaultMessage: 'Show field filter settings', - }); - - const handleFilterButtonClicked = () => { - setPopoverOpen(!isPopoverOpen); - }; - - const applyFilterValue = (id: string, filterValue: string | boolean) => { - switch (filterValue) { - case 'any': - if (id !== 'type') { - onChange(id, undefined); - } else { - onChange(id, filterValue); - } - break; - case 'true': - onChange(id, true); - break; - case 'false': - onChange(id, false); - break; - default: - onChange(id, filterValue); - } - }; - - const isFilterActive = (name: string, filterValue: string | boolean) => { - return filterValue !== 'any'; - }; - - const handleValueChange = (name: string, filterValue: string | boolean) => { - const previousValue = values[name]; - updateFilterCount(name, previousValue, filterValue); - const updatedValues = { ...values }; - updatedValues[name] = filterValue; - setValues(updatedValues); - applyFilterValue(name, filterValue); - }; - - const updateFilterCount = ( - name: string, - previousValue: string | boolean, - currentValue: string | boolean - ) => { - const previouslyFilterActive = isFilterActive(name, previousValue); - const filterActive = isFilterActive(name, currentValue); - const diff = Number(filterActive) - Number(previouslyFilterActive); - setActiveFiltersCount(activeFiltersCount + diff); - }; - - const buttonContent = ( - 0} - numFilters={0} - hasActiveFilters={activeFiltersCount > 0} - numActiveFilters={activeFiltersCount} - onClick={handleFilterButtonClicked} - > - - - ); - - const select = ( - id: string, - selectOptions: Array<{ text: ReactNode } & OptionHTMLAttributes>, - selectValue: string - ) => { - return ( - ) => - handleValueChange(id, e.target.value) - } - 
aria-label={i18n.translate('discover.fieldChooser.filter.fieldSelectorLabel', { - defaultMessage: 'Selection of {id} filter options', - values: { id }, - })} - data-test-subj={`${id}Select`} - compressed - /> - ); - }; - - const toggleButtons = (id: string) => { - return [ - { - id: `${id}-any`, - label: i18n.translate('discover.fieldChooser.filter.toggleButton.any', { - defaultMessage: 'any', - }), - }, - { - id: `${id}-true`, - label: i18n.translate('discover.fieldChooser.filter.toggleButton.yes', { - defaultMessage: 'yes', - }), - }, - { - id: `${id}-false`, - label: i18n.translate('discover.fieldChooser.filter.toggleButton.no', { - defaultMessage: 'no', - }), - }, - ]; - }; - - const buttonGroup = (id: string, legend: string) => { - return ( - handleValueChange(id, optionId.replace(`${id}-`, ''))} - buttonSize="compressed" - isFullWidth - data-test-subj={`${id}ButtonGroup`} - /> - ); - }; - - const selectionPanel = ( -
- - - {buttonGroup('aggregatable', aggregatableLabel)} - - - {buttonGroup('searchable', searchableLabel)} - - - {select('type', typeOptions, values.type)} - - -
- ); - - const helpButton = ( - - - - ); - - return ( - - - - onChange('name', event.target.value)} - placeholder={searchPlaceholder} - value={value} - /> - - - - {!isPlainRecord && ( - - - { - setPopoverOpen(false); - }} - button={buttonContent} - > - - {i18n.translate('discover.fieldChooser.filter.filterByTypeLabel', { - defaultMessage: 'Filter by type', - })} - - {selectionPanel} - - - - {i18n.translate('discover.fieldChooser.popoverTitle', { - defaultMessage: 'Field types', - })} - - - - - - -

- {i18n.translate('discover.fieldTypesPopover.learnMoreText', { - defaultMessage: 'Learn more about', - })} -   - - - -

-
-
-
-
-
- )} -
- ); -} diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.scss b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.scss index d7190b61e33f3..806893269da34 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.scss +++ b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.scss @@ -2,7 +2,7 @@ overflow: hidden; margin: 0 !important; flex-grow: 1; - padding: $euiSizeS 0 $euiSizeS $euiSizeS; + padding: 0; width: $euiSize * 19; height: 100%; @@ -13,6 +13,14 @@ } } +.dscSidebar__list { + padding: $euiSizeS 0 $euiSizeS $euiSizeS; + + @include euiBreakpoint('xs', 's') { + padding: $euiSizeS 0 0 0; + } +} + .dscSidebar__group { height: 100%; } diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.test.tsx b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.test.tsx index 86fda1b9a196d..28cb0b9bfde27 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.test.tsx +++ b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.test.tsx @@ -17,7 +17,6 @@ import { DiscoverSidebarProps, } from './discover_sidebar'; import type { AggregateQuery, Query } from '@kbn/es-query'; -import { getDefaultFieldFilter } from './lib/field_filter'; import { createDiscoverServicesMock } from '../../../../__mocks__/services'; import { stubLogstashDataView } from '@kbn/data-plugin/common/stubs'; import { KibanaContextProvider } from '@kbn/kibana-react-plugin/public'; 
@@ -29,7 +28,7 @@ import { VIEW_MODE } from '../../../../../common/constants'; import { DiscoverMainProvider } from '../../services/discover_state_provider'; import * as ExistingFieldsHookApi from '@kbn/unified-field-list-plugin/public/hooks/use_existing_fields'; import { ExistenceFetchStatus } from '@kbn/unified-field-list-plugin/public'; -import { getDataViewFieldList } from './lib/get_data_view_field_list'; +import { getDataViewFieldList } from './lib/get_field_list'; const mockGetActions = jest.fn>>, [string, { fieldName: string }]>( () => Promise.resolve([]) @@ -66,7 +65,7 @@ function getCompProps(): DiscoverSidebarProps { } } - const allFields = getDataViewFieldList(dataView, fieldCounts, false); + const allFields = getDataViewFieldList(dataView, fieldCounts); (ExistingFieldsHookApi.useExistingFieldsReader as jest.Mock).mockClear(); (ExistingFieldsHookApi.useExistingFieldsReader as jest.Mock).mockImplementation(() => ({ @@ -100,8 +99,6 @@ function getCompProps(): DiscoverSidebarProps { onRemoveField: jest.fn(), selectedDataView: dataView, trackUiMetric: jest.fn(), - fieldFilter: getDefaultFieldFilter(), - setFieldFilter: jest.fn(), onFieldEdited: jest.fn(), editField: jest.fn(), viewMode: VIEW_MODE.DOCUMENT_LEVEL, @@ -112,6 +109,7 @@ function getCompProps(): DiscoverSidebarProps { useNewFieldsApi: true, showFieldList: true, isAffectedByGlobalFilter: false, + isProcessing: false, }; } diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.tsx b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.tsx index ae16233c1fa6b..fc41760cc731e 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.tsx +++ b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar.tsx 
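Review bot: `getCompProps()` in discover_sidebar.test.tsx now sets `isProcessing: false`, and none of the hunks in this test file exercises the `true` value, so the loading branch the new prop controls appears to be untested here. The prop's doc comment in discover_sidebar.tsx says it shows loading instead of the field list, so a case mounted with `{ ...props, isProcessing: true }` that asserts the field list is absent would cover it; the test subject to assert on is not visible in these hunks. `getCompProps` starts outside the hunk.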
@@ -20,6 +20,8 @@ import { isOfAggregateQueryType } from '@kbn/es-query'; import { DataViewPicker } from '@kbn/unified-search-plugin/public'; import { type DataViewField, getFieldSubtypeMulti } from '@kbn/data-views-plugin/public'; import { + FieldList, + FieldListFilters, FieldListGrouped, FieldListGroupedProps, FieldsGroupNames, @@ -31,7 +33,6 @@ import { VIEW_MODE } from '../../../../../common/constants'; import { useAppStateSelector } from '../../services/discover_app_state_container'; import { useDiscoverServices } from '../../../../hooks/use_discover_services'; import { DiscoverField } from './discover_field'; -import { DiscoverFieldSearch } from './discover_field_search'; import { FIELDS_LIMIT_SETTING, PLUGIN_ID } from '../../../../../common'; import { getSelectedFields, @@ -39,7 +40,6 @@ import { type SelectedFieldsResult, INITIAL_SELECTED_FIELDS_RESULT, } from './lib/group_fields'; -import { doesFieldMatchFilters, FieldFilterState, setFieldFilterProp } from './lib/field_filter'; import { DiscoverSidebarResponsiveProps } from './discover_sidebar_responsive'; import { getUiActions } from '../../../../kibana_services'; import { getRawRecordType } from '../../utils/get_raw_record_type'; @@ -49,13 +49,9 @@ const fieldSearchDescriptionId = htmlIdGenerator()(); export interface DiscoverSidebarProps extends DiscoverSidebarResponsiveProps { /** - * Current state of the field filter, filtering fields by name, type, ... + * Show loading instead of the field list if processing */ - fieldFilter: FieldFilterState; - /** - * Change current state of fieldFilter - */ - setFieldFilter: (next: FieldFilterState) => void; + isProcessing: boolean; /** * Callback to close the flyout if sidebar is rendered in a flyout 
@@ -82,7 +78,7 @@ export interface DiscoverSidebarProps extends DiscoverSidebarResponsiveProps { createNewDataView?: () => void; /** - * All fields: fields from data view and unmapped fields + * All fields: fields from data view and unmapped fields or columns from text-based search */ allFields: DataViewField[] | null; @@ -108,16 +104,15 @@ export interface DiscoverSidebarProps extends DiscoverSidebarResponsiveProps { } export function DiscoverSidebarComponent({ + isProcessing, alwaysShowActionButtons = false, columns, - fieldFilter, documents$, allFields, onAddField, onAddFilter, onRemoveField, selectedDataView, - setFieldFilter, trackUiMetric, useNewFieldsApi = false, onFieldEdited, 
@@ -137,41 +132,6 @@ export function DiscoverSidebarComponent({ ); const query = useAppStateSelector((state) => state.query); - const onChangeFieldSearch = useCallback( - (filterName: string, value: string | boolean | undefined) => { - const newState = setFieldFilterProp(fieldFilter, filterName, value); - setFieldFilter(newState); - }, - [fieldFilter, setFieldFilter] - ); - - const { fieldTypes, presentFieldTypes } = useMemo(() => { - const result = ['any']; - const dataViewFieldTypes = new Set(); - if (Array.isArray(allFields)) { - for (const field of allFields) { - if (field.type !== '_source') { - // If it's a string type, we want to distinguish between keyword and text - // For this purpose we need the ES type - const type = - field.type === 'string' && - field.esTypes && - ['keyword', 'text'].includes(field.esTypes[0]) - ? field.esTypes?.[0] - : field.type; - // _id and _index would map to string, that's why we don't add the string type here - if (type && type !== 'string') { - dataViewFieldTypes.add(type); - } - if (result.indexOf(field.type) === -1) { - result.push(field.type); - } - } - } - } - return { fieldTypes: result, presentFieldTypes: Array.from(dataViewFieldTypes) }; - }, [allFields]); - const showFieldStats = useMemo(() => viewMode === VIEW_MODE.DOCUMENT_LEVEL, [viewMode]); const [selectedFieldsState, setSelectedFieldsState] = useState( INITIAL_SELECTED_FIELDS_RESULT @@ -181,9 +141,14 @@ export function DiscoverSidebarComponent({ >(undefined); useEffect(() => { - const result = getSelectedFields(selectedDataView, columns); + const result = getSelectedFields({ + dataView: selectedDataView, + columns, + allFields, + isPlainRecord, + }); setSelectedFieldsState(result); - }, [selectedDataView, columns, setSelectedFieldsState]); + }, [selectedDataView, columns, setSelectedFieldsState, allFields, isPlainRecord]); useEffect(() => { if (isPlainRecord || !useNewFieldsApi) { 
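Review bot: In the `@@ -181,9 +141,14 @@` hunk the selected-fields state is derived purely from props, and with `allFields` and `isPlainRecord` added to the dependency list the effect re-runs and calls `setSelectedFieldsState` for every new `allFields` array, which costs an extra render each time. If nothing else writes this state (not visible in the hunk), computing it during render would be simpler: `const selectedFieldsState = useMemo(() => getSelectedFields({ dataView: selectedDataView, columns, allFields, isPlainRecord }), [selectedDataView, columns, allFields, isPlainRecord]);`. If the effect stays, `setSelectedFieldsState` can be dropped from the dependency list because React state setters are stable. The component body continues outside the hunk.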
@@ -244,12 +209,6 @@ export function DiscoverSidebarComponent({ }, [columns, selectedDataView, query]); const popularFieldsLimit = useMemo(() => uiSettings.get(FIELDS_LIMIT_SETTING), [uiSettings]); - const onFilterField: GroupedFieldsParams['onFilterField'] = useCallback( - (field) => { - return doesFieldMatchFilters(field, fieldFilter); - }, - [fieldFilter] - ); const onSupportedFieldFilter: GroupedFieldsParams['onSupportedFieldFilter'] = useCallback( (field) => { @@ -267,7 +226,7 @@ export function DiscoverSidebarComponent({ }; } }, []); - const { fieldListGroupedProps } = useGroupedFields({ + const { fieldListFiltersProps, fieldListGroupedProps } = useGroupedFields({ dataViewId: (!isPlainRecord && selectedDataView?.id) || null, // passing `null` for text-based queries allFields, popularFieldsLimit: !isPlainRecord ? popularFieldsLimit : 0, @@ -277,18 +236,17 @@ export function DiscoverSidebarComponent({ dataViews, core, }, - onFilterField, onSupportedFieldFilter, onOverrideFieldGroupDetails, }); const renderFieldItem: FieldListGroupedProps['renderFieldItem'] = useCallback( - ({ field, groupName }) => ( + ({ field, groupName, fieldSearchHighlight }) => (
  • )} - -
    - - -
    - {showFieldList && ( - - )} + } + className="dscSidebar__list" + > + {showFieldList ? ( + + ) : ( + + )} + {!!editField && ( + + editField()} + size="s" + > + {i18n.translate('discover.fieldChooser.addField.label', { + defaultMessage: 'Add a field', + })} + + + )} + {isPlainRecord && ( + + + {i18n.translate('discover.textBasedLanguages.visualize.label', { + defaultMessage: 'Visualize in Lens', + })} + + + )} + - {!!editField && ( - - editField()} - size="s" - > - {i18n.translate('discover.fieldChooser.addField.label', { - defaultMessage: 'Add a field', - })} - - - )} - {isPlainRecord && ( - - - {i18n.translate('discover.textBasedLanguages.visualize.label', { - defaultMessage: 'Visualize in Lens', - })} - - - )} ); diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.test.tsx b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.test.tsx index e6370fb0713b0..26b2216eb0e04 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.test.tsx +++ b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.test.tsx @@ -396,7 +396,8 @@ describe('discover responsive sidebar', function () { findTestSubject(comp, 'discoverFieldListPanelAddExistFilter-extension').simulate('click'); expect(props.onAddFilter).toHaveBeenCalledWith('_exists_', 'extension', '+'); }); - it('should allow filtering by string, and calcFieldCount should just be executed once', async function () { + + it('should allow searching by string, and calcFieldCount should just be executed once', async function () { const comp = await mountComponent(props); expect(findTestSubject(comp, 'fieldListGroupedAvailableFields-count').text()).toBe('3'); 
@@ -405,7 +406,7 @@ describe('discover responsive sidebar', function () { ); await act(async () => { - await findTestSubject(comp, 'fieldFilterSearchInput').simulate('change', { + await findTestSubject(comp, 'fieldListFiltersFieldSearch').simulate('change', { target: { value: 'bytes' }, }); }); @@ -417,6 +418,34 @@ describe('discover responsive sidebar', function () { expect(mockCalcFieldCounts.mock.calls.length).toBe(1); }); + it('should allow filtering by field type', async function () { + const comp = await mountComponent(props); + + expect(findTestSubject(comp, 'fieldListGroupedAvailableFields-count').text()).toBe('3'); + expect(findTestSubject(comp, 'fieldListGrouped__ariaDescription').text()).toBe( + '1 selected field. 4 popular fields. 3 available fields. 20 empty fields. 2 meta fields.' + ); + + await act(async () => { + await findTestSubject(comp, 'fieldListFiltersFieldTypeFilterToggle').simulate('click'); + }); + + await comp.update(); + + await act(async () => { + await findTestSubject(comp, 'typeFilter-number').simulate('click'); + }); + + await comp.update(); + + expect(findTestSubject(comp, 'fieldListGroupedAvailableFields-count').text()).toBe('2'); + expect(findTestSubject(comp, 'fieldListGrouped__ariaDescription').text()).toBe( + '1 popular field. 2 available fields. 1 empty field. 0 meta fields.' + ); + + expect(mockCalcFieldCounts.mock.calls.length).toBe(1); + }, 10000); + it('should show "Add a field" button to create a runtime field', async () => { const services = createMockServices(); const comp = await mountComponent(props, {}, services); 
@@ -433,6 +462,11 @@ describe('discover responsive sidebar', function () { fetchStatus: FetchStatus.COMPLETE, recordRawType: RecordRawType.PLAIN, result: getDataTableRecords(stubLogstashDataView), + textBasedQueryColumns: [ + { id: '1', name: 'extension', meta: { type: 'text' } }, + { id: '1', name: 'bytes', meta: { type: 'number' } }, + { id: '1', name: '@timestamp', meta: { type: 'date' } }, + ], }) as DataDocuments$, }; const compInViewerMode = await mountComponent(propsWithTextBasedMode, { @@ -461,15 +495,15 @@ describe('discover responsive sidebar', function () { expect(selectedFieldsCount.text()).toBe('2'); expect(popularFieldsCount.exists()).toBe(false); - expect(availableFieldsCount.text()).toBe('4'); + expect(availableFieldsCount.text()).toBe('3'); expect(emptyFieldsCount.exists()).toBe(false); expect(metaFieldsCount.exists()).toBe(false); expect(unmappedFieldsCount.exists()).toBe(false); - expect(mockCalcFieldCounts.mock.calls.length).toBe(1); + expect(mockCalcFieldCounts.mock.calls.length).toBe(0); expect(findTestSubject(compInViewerMode, 'fieldListGrouped__ariaDescription').text()).toBe( - '2 selected fields. 4 available fields.' + '2 selected fields. 3 available fields.' ); }); diff --git a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.tsx b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.tsx index 7d31fff6e5a2f..b2b2715067d8c 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.tsx +++ b/src/plugins/discover/public/application/main/components/sidebar/discover_sidebar_responsive.tsx @@ -19,7 +19,6 @@ import { EuiIcon, EuiLink, EuiPortal, - EuiProgress, EuiShowFor, EuiTitle, } from '@elastic/eui'; 
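Review bot: The three `textBasedQueryColumns` entries added to `propsWithTextBasedMode` in the `@@ -433,6 +462,11 @@` hunk all carry `id: '1'`, which presumably does not match a real text-based response, where column ids are expected to be distinct. The assertions below still pass because the field list built in this commit (`getTextBasedQueryFieldList`) reads only `name` and `meta.type`, but any later code that keys on `id` would collapse these columns without a failing test. I would give them distinct ids, e.g. `{ id: '2', name: 'bytes', meta: { type: 'number' } }` and `{ id: '3', name: '@timestamp', meta: { type: 'date' } }`.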
@@ -30,7 +29,6 @@ import { } from '@kbn/unified-field-list-plugin/public'; import { VIEW_MODE } from '../../../../../common/constants'; import { useDiscoverServices } from '../../../../hooks/use_discover_services'; -import { getDefaultFieldFilter } from './lib/field_filter'; import { DiscoverSidebar } from './discover_sidebar'; import { AvailableFields$, @@ -49,6 +47,8 @@ import { DiscoverSidebarReducerStatus, } from './lib/sidebar_reducer'; +const EMPTY_FIELD_COUNTS = {}; + export interface DiscoverSidebarResponsiveProps { /** * Determines whether add/remove buttons are displayed non only when focused @@ -127,7 +127,6 @@ export function DiscoverSidebarResponsive(props: DiscoverSidebarResponsiveProps) (state) => getRawRecordType(state.query) === RecordRawType.PLAIN ); const { selectedDataView, onFieldEdited, onDataViewCreated } = props; - const [fieldFilter, setFieldFilter] = useState(getDefaultFieldFilter()); const [isFlyoutVisible, setIsFlyoutVisible] = useState(false); const [sidebarState, dispatchSidebarStateAction] = useReducer( discoverSidebarReducer, @@ -163,7 +162,10 @@ export function DiscoverSidebarResponsive(props: DiscoverSidebarResponsiveProps) type: DiscoverSidebarReducerActionType.DOCUMENTS_LOADED, payload: { dataView: selectedDataViewRef.current, - fieldCounts: calcFieldCounts(documentState.result), + fieldCounts: isPlainRecordType + ? EMPTY_FIELD_COUNTS + : calcFieldCounts(documentState.result), + textBasedQueryColumns: documentState.textBasedQueryColumns, isPlainRecord: isPlainRecordType, }, }); @@ -173,7 +175,7 @@ export function DiscoverSidebarResponsive(props: DiscoverSidebarResponsiveProps) type: DiscoverSidebarReducerActionType.DOCUMENTS_LOADED, payload: { dataView: selectedDataViewRef.current, - fieldCounts: {}, + fieldCounts: EMPTY_FIELD_COUNTS, isPlainRecord: isPlainRecordType, }, }); 
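Review bot: `const EMPTY_FIELD_COUNTS = {};` (hunk `@@ -49,6 +47,8 @@`) is one module-level mutable object that the `@@ -163,7 +162,10 @@` and `@@ -173,7 +175,7 @@` hunks now pass as `fieldCounts` in the `DOCUMENTS_LOADED` payload for every sidebar instance. The stable reference is useful for memoised consumers, but nothing stops a consumer from writing a count into it, after which every later dispatch that uses the constant would carry that stale entry. Whether anything mutates `fieldCounts` is not visible in this diff, so I would make the intent explicit with `const EMPTY_FIELD_COUNTS = Object.freeze({});` (if the state type accepts a read-only value) and a one-line comment saying the object is shared and must stay empty.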
@@ -324,13 +326,11 @@ export function DiscoverSidebarResponsive(props: DiscoverSidebarResponsiveProps) <> {!props.isClosed && ( - {isProcessing && } { - return setFieldFilterProp(acc, kv[0], kv[1]); - }, state); - expect(actualState).toMatchInlineSnapshot(` - Object { - "aggregatable": true, - "name": "test", - "searchable": true, - "type": "string", - } - `); - }); - it('filters a given list', () => { - const defaultState = getDefaultFieldFilter(); - const fieldList = [ - { - name: 'bytes', - displayName: 'Bye,bye,Bytes', - type: 'number', - esTypes: ['long'], - count: 10, - scripted: false, - searchable: false, - aggregatable: false, - }, - { - name: 'extension', - displayName: 'Extension', - type: 'string', - esTypes: ['text'], - count: 10, - scripted: true, - searchable: true, - aggregatable: true, - }, - ] as DataViewField[]; - - [ - { filter: {}, result: ['bytes', 'extension'] }, - { filter: { name: 'by' }, result: ['bytes'] }, - { filter: { name: 'Ext' }, result: ['extension'] }, - { filter: { name: 'Bytes' }, result: ['bytes'] }, - { filter: { aggregatable: true }, result: ['extension'] }, - { filter: { aggregatable: true, searchable: false }, result: [] }, - { filter: { type: 'string' }, result: ['extension'] }, - ].forEach((test) => { - const filtered = fieldList - .filter((field) => doesFieldMatchFilters(field, { ...defaultState, ...test.filter })) - .map((field) => field.name); - - expect(filtered).toEqual(test.result); - }); - }); -}); diff --git a/src/plugins/discover/public/application/main/components/sidebar/lib/field_filter.ts b/src/plugins/discover/public/application/main/components/sidebar/lib/field_filter.ts deleted file mode 100644 index 1f2ab0b9b64cd..0000000000000 --- a/src/plugins/discover/public/application/main/components/sidebar/lib/field_filter.ts +++ /dev/null 
@@ -1,59 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { DataViewField } from '@kbn/data-views-plugin/public'; - -export interface FieldFilterState { - type: string; - name: string; - aggregatable: null | boolean; - searchable: null | boolean; -} - -export function getDefaultFieldFilter(): FieldFilterState { - return { - type: 'any', - name: '', - aggregatable: null, - searchable: null, - }; -} - -export function setFieldFilterProp( - state: FieldFilterState, - name: string, - value: string | boolean | null | undefined -): FieldFilterState { - const newState = { ...state }; - if (name === 'aggregatable') { - newState.aggregatable = typeof value !== 'boolean' ? null : value; - } else if (name === 'searchable') { - newState.searchable = typeof value !== 'boolean' ? null : value; - } else if (name === 'name') { - newState.name = String(value); - } else if (name === 'type') { - newState.type = String(value); - } - return newState; -} - -export function doesFieldMatchFilters( - field: DataViewField, - filterState: FieldFilterState -): boolean { - const matchFilter = filterState.type === 'any' || field.type === filterState.type; - const isAggregatable = - filterState.aggregatable === null || field.aggregatable === filterState.aggregatable; - const isSearchable = - filterState.searchable === null || field.searchable === filterState.searchable; - const needle = filterState.name ? filterState.name.toLowerCase() : ''; - const haystack = `${field.name}${field.displayName || ''}`.toLowerCase(); - const matchName = !filterState.name || haystack.indexOf(needle) !== -1; - - return matchFilter && isAggregatable && isSearchable && matchName; -} 
diff --git a/src/plugins/discover/public/application/main/components/sidebar/lib/get_data_view_field_list.ts b/src/plugins/discover/public/application/main/components/sidebar/lib/get_field_list.ts similarity index 59% rename from src/plugins/discover/public/application/main/components/sidebar/lib/get_data_view_field_list.ts rename to src/plugins/discover/public/application/main/components/sidebar/lib/get_field_list.ts index 5d055d94184ed..78823bb0f468f 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/lib/get_data_view_field_list.ts +++ b/src/plugins/discover/public/application/main/components/sidebar/lib/get_field_list.ts @@ -7,16 +7,16 @@ */ import { difference } from 'lodash'; -import type { DataView, DataViewField } from '@kbn/data-views-plugin/public'; +import { type DataView, DataViewField } from '@kbn/data-views-plugin/public'; +import type { DatatableColumn } from '@kbn/expressions-plugin/common'; import { fieldWildcardFilter } from '@kbn/kibana-utils-plugin/public'; import { isNestedFieldParent } from '../../../utils/nested_fields'; export function getDataViewFieldList( dataView: DataView | undefined | null, - fieldCounts: Record | undefined | null, - isPlainRecord: boolean + fieldCounts: Record | undefined | null ): DataViewField[] | null { - if (isPlainRecord && !fieldCounts) { + if (!fieldCounts) { // still loading data return null; } @@ -28,7 +28,7 @@ export function getDataViewFieldList( if (sourceFiltersValues) { const filter = fieldWildcardFilter(sourceFiltersValues, dataView.metaFields); dataViewFields = dataViewFields.filter((field) => { - return filter(field.name) || currentFieldCounts[field.name]; // don't filter out a field which was present in hits (ex. for text-based queries, selected fields) + return filter(field.name) || currentFieldCounts[field.name]; // don't filter out a field which was present in hits (ex. for selected fields) }); } 
@@ -38,24 +38,42 @@ export function getDataViewFieldList( difference(fieldNamesInDocs, fieldNamesInDataView).forEach((unknownFieldName) => { if (dataView && isNestedFieldParent(unknownFieldName, dataView)) { - unknownFields.push({ - displayName: String(unknownFieldName), - name: String(unknownFieldName), - type: 'nested', - } as DataViewField); + unknownFields.push( + new DataViewField({ + name: String(unknownFieldName), + type: 'nested', + searchable: false, + aggregatable: false, + }) + ); } else { - unknownFields.push({ - displayName: String(unknownFieldName), - name: String(unknownFieldName), - type: 'unknown', - } as DataViewField); + unknownFields.push( + new DataViewField({ + name: String(unknownFieldName), + type: 'unknown', + searchable: false, + aggregatable: false, + }) + ); } }); - return [ - ...(isPlainRecord - ? dataViewFields.filter((field) => currentFieldCounts[field.name]) - : dataViewFields), - ...unknownFields, - ]; + return [...dataViewFields, ...unknownFields]; +} + +export function getTextBasedQueryFieldList( + textBasedQueryColumns?: DatatableColumn[] +): DataViewField[] { + if (!textBasedQueryColumns) { + return []; + } + return textBasedQueryColumns.map( + (column) => + new DataViewField({ + name: column.name, + type: column.meta?.type ?? 'unknown', + searchable: false, + aggregatable: false, + }) + ); } diff --git a/src/plugins/discover/public/application/main/components/sidebar/lib/get_field_type_description.ts b/src/plugins/discover/public/application/main/components/sidebar/lib/get_field_type_description.ts deleted file mode 100644 index 3b5b6aaa016ce..0000000000000 --- a/src/plugins/discover/public/application/main/components/sidebar/lib/get_field_type_description.ts +++ /dev/null 
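Review bot: The two branches inside the `difference(...).forEach` callback now build the same `new DataViewField({...})` and differ only in `type`, so the `if`/`else` can collapse into a single push with `type: dataView && isNestedFieldParent(unknownFieldName, dataView) ? 'nested' : 'unknown'`. Separately, the new exported `getTextBasedQueryFieldList` has no doc comment. I would add one stating that it returns an empty array when no columns are passed, that each field's type comes from `column.meta?.type` with `'unknown'` as the fallback, and that every field is created with `searchable: false` and `aggregatable: false`. `getDataViewFieldList` begins in the previous hunk, so only part of its body is visible here.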
@@ -1,118 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import type { DocLinksStart } from '@kbn/core/public'; -import { i18n } from '@kbn/i18n'; -import { KNOWN_FIELD_TYPES } from '../../../../../../common/field_types'; - -const UNKNOWN_FIELD_TYPE_DESC = i18n.translate('discover.fieldNameDescription.unknownField', { - defaultMessage: 'Unknown field', -}); - -export function getFieldTypeDescription(type: string, docLinks: DocLinksStart) { - const knownType: KNOWN_FIELD_TYPES = type as KNOWN_FIELD_TYPES; - switch (knownType) { - case KNOWN_FIELD_TYPES.BOOLEAN: - return i18n.translate('discover.fieldNameDescription.booleanField', { - defaultMessage: 'True and false values.', - }); - case KNOWN_FIELD_TYPES.CONFLICT: - return i18n.translate('discover.fieldNameDescription.conflictField', { - defaultMessage: 'Field has values of different types. Resolve in Management > Data Views.', - }); - case KNOWN_FIELD_TYPES.DATE: - return i18n.translate('discover.fieldNameDescription.dateField', { - defaultMessage: 'A date string or the number of seconds or milliseconds since 1/1/1970.', - }); - case KNOWN_FIELD_TYPES.DATE_RANGE: - return i18n.translate('discover.fieldNameDescription.dateRangeField', { - defaultMessage: 'Range of {dateFieldTypeLink} values. {viewSupportedDateFormatsLink}', - values: { - dateFieldTypeLink: - `
    ` + - i18n.translate('discover.fieldNameDescription.dateRangeFieldLinkText', { - defaultMessage: 'date', - }) + - '', - viewSupportedDateFormatsLink: - `` + - i18n.translate('discover.fieldNameDescription.viewSupportedDateFormatsLinkText', { - defaultMessage: 'View supported date formats.', - }) + - '', - }, - }); - case KNOWN_FIELD_TYPES.GEO_POINT: - return i18n.translate('discover.fieldNameDescription.geoPointField', { - defaultMessage: 'Latitude and longitude points.', - }); - case KNOWN_FIELD_TYPES.GEO_SHAPE: - return i18n.translate('discover.fieldNameDescription.geoShapeField', { - defaultMessage: 'Complex shapes, such as polygons.', - }); - case KNOWN_FIELD_TYPES.HISTOGRAM: - return i18n.translate('discover.fieldNameDescription.histogramField', { - defaultMessage: 'Pre-aggregated numerical values in the form of a histogram.', - }); - case KNOWN_FIELD_TYPES.IP: - return i18n.translate('discover.fieldNameDescription.ipAddressField', { - defaultMessage: 'IPv4 and IPv6 addresses.', - }); - case KNOWN_FIELD_TYPES.IP_RANGE: - return i18n.translate('discover.fieldNameDescription.ipAddressRangeField', { - defaultMessage: 'Range of ip values supporting either IPv4 or IPv6 (or mixed) addresses.', - }); - case KNOWN_FIELD_TYPES.MURMUR3: - return i18n.translate('discover.fieldNameDescription.murmur3Field', { - defaultMessage: 'Field that computes and stores hashes of values.', - }); - case KNOWN_FIELD_TYPES.NUMBER: - return i18n.translate('discover.fieldNameDescription.numberField', { - defaultMessage: 'Long, integer, short, byte, double, and float values.', - }); - case KNOWN_FIELD_TYPES.STRING: - return i18n.translate('discover.fieldNameDescription.stringField', { - defaultMessage: 'Full text such as the body of an email or a product description.', - }); - case KNOWN_FIELD_TYPES.TEXT: - return i18n.translate('discover.fieldNameDescription.textField', { - defaultMessage: 'Full text such as the body of an email or a product description.', - }); - case 
KNOWN_FIELD_TYPES.KEYWORD: - return i18n.translate('discover.fieldNameDescription.keywordField', { - defaultMessage: - 'Structured content such as an ID, email address, hostname, status code, or tag.', - }); - case KNOWN_FIELD_TYPES.NESTED: - return i18n.translate('discover.fieldNameDescription.nestedField', { - defaultMessage: 'JSON object that preserves the relationship between its subfields.', - }); - case KNOWN_FIELD_TYPES.VERSION: - return i18n.translate('discover.fieldNameDescription.versionField', { - defaultMessage: 'Software versions. Supports {SemanticVersioningLink} precedence rules.', - values: { - SemanticVersioningLink: - `` + - i18n.translate( - 'discover.advancedSettings.discover.fieldNameDescription.versionFieldLinkText', - { - defaultMessage: 'Semantic Versioning', - } - ) + - '', - }, - }); - default: - // If you see a typescript error here, that's a sign that there are missing switch cases ^^ - const _exhaustiveCheck: never = knownType; - return UNKNOWN_FIELD_TYPE_DESC || _exhaustiveCheck; - } -} diff --git a/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.test.ts b/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.test.ts index 7dee06ec512bc..53d0bc96d3ca8 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.test.ts +++ b/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.test.ts @@ -12,7 +12,12 @@ import { getSelectedFields, shouldShowField, INITIAL_SELECTED_FIELDS_RESULT } fr describe('group_fields', function () { it('should pick fields as unknown_selected if they are unknown', function () { - const actual = getSelectedFields(dataView, ['currency']); + const actual = getSelectedFields({ + dataView, + columns: ['currency'], + allFields: dataView.fields, + isPlainRecord: false, + }); expect(actual).toMatchInlineSnapshot(` Object { "selectedFields": Array [ 
@@ -29,13 +34,47 @@ describe('group_fields', function () { `); }); + it('should pick fields as nested for a nested field root', function () { + const actual = getSelectedFields({ + dataView, + columns: ['nested1', 'bytes'], + allFields: [ + { + name: 'nested1', + type: 'nested', + }, + ] as DataViewField[], + isPlainRecord: false, + }); + expect(actual.selectedFieldsMap).toMatchInlineSnapshot(` + Object { + "bytes": true, + "nested1": true, + } + `); + }); + it('should work correctly if no columns selected', function () { - expect(getSelectedFields(dataView, [])).toBe(INITIAL_SELECTED_FIELDS_RESULT); - expect(getSelectedFields(dataView, ['_source'])).toBe(INITIAL_SELECTED_FIELDS_RESULT); + expect( + getSelectedFields({ dataView, columns: [], allFields: dataView.fields, isPlainRecord: false }) + ).toBe(INITIAL_SELECTED_FIELDS_RESULT); + expect( + getSelectedFields({ + dataView, + columns: ['_source'], + allFields: dataView.fields, + isPlainRecord: false, + }) + ).toBe(INITIAL_SELECTED_FIELDS_RESULT); }); it('should pick fields into selected group', function () { - const actual = getSelectedFields(dataView, ['bytes', '@timestamp']); + const actual = getSelectedFields({ + dataView, + columns: ['bytes', '@timestamp'], + allFields: dataView.fields, + isPlainRecord: false, + }); expect(actual.selectedFields.map((field) => field.name)).toEqual(['bytes', '@timestamp']); expect(actual.selectedFieldsMap).toStrictEqual({ bytes: true, @@ -44,7 +83,12 @@ describe('group_fields', function () { }); it('should pick fields into selected group if they contain multifields', function () { - const actual = getSelectedFields(dataView, ['machine.os', 'machine.os.raw']); + const actual = getSelectedFields({ + dataView, + columns: ['machine.os', 'machine.os.raw'], + allFields: dataView.fields, + isPlainRecord: false, + }); expect(actual.selectedFields.map((field) => field.name)).toEqual([ 'machine.os', 'machine.os.raw', 
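Review bot: The new test `should pick fields as nested for a nested field root` (hunk `@@ -29,13 +34,47 @@`) asserts only `actual.selectedFieldsMap`, which appears to be keyed by column name and so would contain `nested1: true` even if the lookup in `allFields` missed and the `unknown_selected` placeholder was used instead. To pin the behaviour the title describes, also check the picked field itself, e.g. `expect(actual.selectedFields[0].type).toBe('nested');`. The part of `getSelectedFields` that fills the map is outside this diff, so the keyed-by-name reading is inferred from the other snapshots in this file.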
@@ -56,7 +100,12 @@ describe('group_fields', function () { }); it('should sort selected fields by columns order', function () { - const actual1 = getSelectedFields(dataView, ['bytes', 'extension.keyword', 'unknown']); + const actual1 = getSelectedFields({ + dataView, + columns: ['bytes', 'extension.keyword', 'unknown'], + allFields: dataView.fields, + isPlainRecord: false, + }); expect(actual1.selectedFields.map((field) => field.name)).toEqual([ 'bytes', 'extension.keyword', @@ -68,7 +117,12 @@ describe('group_fields', function () { unknown: true, }); - const actual2 = getSelectedFields(dataView, ['extension', 'bytes', 'unknown']); + const actual2 = getSelectedFields({ + dataView, + columns: ['extension', 'bytes', 'unknown'], + allFields: dataView.fields, + isPlainRecord: false, + }); expect(actual2.selectedFields.map((field) => field.name)).toEqual([ 'extension', 'bytes', @@ -81,6 +135,33 @@ describe('group_fields', function () { }); }); + it('should pick fields only from allFields instead of data view fields for a text based query', function () { + const actual = getSelectedFields({ + dataView, + columns: ['bytes'], + allFields: [ + { + name: 'bytes', + type: 'text', + }, + ] as DataViewField[], + isPlainRecord: true, + }); + expect(actual).toMatchInlineSnapshot(` + Object { + "selectedFields": Array [ + Object { + "name": "bytes", + "type": "text", + }, + ], + "selectedFieldsMap": Object { + "bytes": true, + }, + } + `); + }); + it('should show any fields if for text-based searches', function () { expect(shouldShowField(dataView.getFieldByName('bytes'), true)).toBe(true); expect(shouldShowField({ type: 'unknown', name: 'unknown' } as DataViewField, true)).toBe(true); diff --git a/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.tsx b/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.tsx index eaae1c90d3833..11bbd285f4b7e 100644 
--- a/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.tsx +++ b/src/plugins/discover/public/application/main/components/sidebar/lib/group_fields.tsx @@ -36,22 +36,30 @@ export interface SelectedFieldsResult { selectedFieldsMap: Record; } -export function getSelectedFields( - dataView: DataView | undefined, - columns: string[] -): SelectedFieldsResult { +export function getSelectedFields({ + dataView, + columns, + allFields, + isPlainRecord, +}: { + dataView: DataView | undefined; + columns: string[]; + allFields: DataViewField[] | null; + isPlainRecord: boolean; +}): SelectedFieldsResult { const result: SelectedFieldsResult = { selectedFields: [], selectedFieldsMap: {}, }; - if (!Array.isArray(columns) || !columns.length) { + if (!Array.isArray(columns) || !columns.length || !allFields) { return INITIAL_SELECTED_FIELDS_RESULT; } // add selected columns, that are not part of the data view, to be removable for (const column of columns) { const selectedField = - dataView?.getFieldByName?.(column) || + (!isPlainRecord && dataView?.getFieldByName?.(column)) || + allFields.find((field) => field.name === column) || // for example to pick a `nested` root field or find a selected field in text-based response ({ name: column, displayName: column, diff --git a/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.test.ts b/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.test.ts index 131f9c358317f..c5ea2878f800e 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.test.ts +++ b/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.test.ts 
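Review bot: `allFields.find((field) => field.name === column)` runs inside the `for (const column of columns)` loop, so for a text-based query (where the `dataView` lookup is skipped) every selected column triggers a linear scan of `allFields` each time the calling effect re-runs. The scan is avoidable by building the index once before the loop, `const fieldsByName = new Map(allFields.map((field) => [field.name, field]));`, and using `fieldsByName.get(column)` in the fallback chain. A `Map` keeps the last entry for a duplicated name while `find` returns the first, so keep `find` if duplicate column names can occur in a response. The loop body continues past the end of this hunk.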
@@ -18,6 +18,7 @@ import { getInitialState, } from './sidebar_reducer'; import { DataViewField } from '@kbn/data-views-plugin/common'; +import type { DatatableColumn } from '@kbn/expressions-plugin/common'; describe('sidebar reducer', function () { it('should set an initial state', function () { @@ -84,11 +85,12 @@ describe('sidebar reducer', function () { allFields: [ ...stubDataViewWithoutTimeField.fields, // merging in unmapped fields - { - displayName: unmappedFieldName, + new DataViewField({ name: unmappedFieldName, type: 'unknown', - } as DataViewField, + aggregatable: false, + searchable: false, + }), ], fieldCounts, status: DiscoverSidebarReducerStatus.COMPLETED, 
@@ -99,33 +101,54 @@ describe('sidebar reducer', function () { payload: { isPlainRecord: true, dataView: stubDataViewWithoutTimeField, - fieldCounts, + fieldCounts: {}, + textBasedQueryColumns: [ + { + id: '1', + name: 'text1', + meta: { + type: 'number', + }, + }, + { + id: '2', + name: 'text2', + meta: { + type: 'keyword', + }, + }, + ] as DatatableColumn[], }, }); expect(resultForTextBasedQuery).toStrictEqual({ dataView: stubDataViewWithoutTimeField, allFields: [ - stubDataViewWithoutTimeField.fields.find((field) => field.name === dataViewFieldName), - // merging in unmapped fields - { - displayName: 'field1', - name: 'field1', - type: 'unknown', - } as DataViewField, + new DataViewField({ + name: 'text1', + type: 'number', + aggregatable: false, + searchable: false, + }), + new DataViewField({ + name: 'text2', + type: 'keyword', + aggregatable: false, + searchable: false, + }), ], - fieldCounts, + fieldCounts: {}, status: DiscoverSidebarReducerStatus.COMPLETED, }); - const resultForTextBasedQueryWhileLoading = discoverSidebarReducer(state, { + const resultWhileLoading = discoverSidebarReducer(state, { type: DiscoverSidebarReducerActionType.DOCUMENTS_LOADED, payload: { - isPlainRecord: true, + isPlainRecord: false, dataView: stubDataViewWithoutTimeField, fieldCounts: null, }, }); - expect(resultForTextBasedQueryWhileLoading).toStrictEqual({ + expect(resultWhileLoading).toStrictEqual({ dataView: stubDataViewWithoutTimeField, allFields: null, fieldCounts: null, diff --git a/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.ts b/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.ts index 0c579275029b1..54e9a2c95ce12 100644 --- a/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.ts +++ b/src/plugins/discover/public/application/main/components/sidebar/lib/sidebar_reducer.ts 
@@ -7,7 +7,8 @@ */ import { type DataView, type DataViewField } from '@kbn/data-views-plugin/common'; -import { getDataViewFieldList } from './get_data_view_field_list'; +import type { DatatableColumn } from '@kbn/expressions-plugin/common'; +import { getDataViewFieldList, getTextBasedQueryFieldList } from './get_field_list'; export enum DiscoverSidebarReducerActionType { RESET = 'RESET', @@ -39,6 +40,7 @@ type DiscoverSidebarReducerAction = type: DiscoverSidebarReducerActionType.DOCUMENTS_LOADED; payload: { fieldCounts: DiscoverSidebarReducerState['fieldCounts']; + textBasedQueryColumns?: DatatableColumn[]; // from text-based searches isPlainRecord: boolean; dataView: DataView | null | undefined; }; @@ -94,11 +96,9 @@ export function discoverSidebarReducer( status: DiscoverSidebarReducerStatus.PROCESSING, }; case DiscoverSidebarReducerActionType.DOCUMENTS_LOADED: - const mappedAndUnmappedFields = getDataViewFieldList( - action.payload.dataView, - action.payload.fieldCounts, - action.payload.isPlainRecord - ); + const mappedAndUnmappedFields = action.payload.isPlainRecord + ? getTextBasedQueryFieldList(action.payload.textBasedQueryColumns) + : getDataViewFieldList(action.payload.dataView, action.payload.fieldCounts); return { ...state, dataView: action.payload.dataView, diff --git a/src/plugins/discover/public/application/main/services/discover_data_state_container.ts b/src/plugins/discover/public/application/main/services/discover_data_state_container.ts index 5cadb099c483e..0a845dc92315c 100644 --- a/src/plugins/discover/public/application/main/services/discover_data_state_container.ts +++ b/src/plugins/discover/public/application/main/services/discover_data_state_container.ts 
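Review bot: In the `DOCUMENTS_LOADED` case (hunk `@@ -94,11 +96,9 @@`) a text-based dispatch without `textBasedQueryColumns` now yields `allFields: []`, because `getTextBasedQueryFieldList(undefined)` returns an empty array, whereas the data-view path still yields `null` while `fieldCounts` is missing. That makes "columns not loaded yet" and "query returned no columns" indistinguishable in text-based mode, and the reducer test in this commit switched its loading case to `isPlainRecord: false`, so the text-based case is no longer covered. If consumers treat `null` as still loading, consider `action.payload.textBasedQueryColumns ? getTextBasedQueryFieldList(action.payload.textBasedQueryColumns) : null` for the plain-record branch; otherwise add a comment that an empty list is intended here. The rest of the reducer is outside this hunk.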
@@ -7,6 +7,7 @@ */ import { BehaviorSubject, filter, map, Observable, share, Subject, tap } from 'rxjs'; import { AutoRefreshDoneFn } from '@kbn/data-plugin/public'; +import type { DatatableColumn } from '@kbn/expressions-plugin/common'; import { RequestAdapter } from '@kbn/inspector-plugin/common'; import { SavedSearch } from '@kbn/saved-search-plugin/public'; import { AggregateQuery, Query } from '@kbn/es-query'; @@ -68,6 +69,7 @@ export interface DataMainMsg extends DataMsg { export interface DataDocumentsMsg extends DataMsg { result?: DataTableRecord[]; + textBasedQueryColumns?: DatatableColumn[]; // columns from text-based request } export interface DataTotalHitsMsg extends DataMsg { diff --git a/src/plugins/discover/public/application/main/utils/fetch_all.test.ts b/src/plugins/discover/public/application/main/utils/fetch_all.test.ts index 95b1cd7618b4d..40aeb04fb8e95 100644 --- a/src/plugins/discover/public/application/main/utils/fetch_all.test.ts +++ b/src/plugins/discover/public/application/main/utils/fetch_all.test.ts @@ -82,8 +82,8 @@ describe('test fetchAll', () => { }; searchSource = savedSearchMock.searchSource.createChild(); - mockFetchDocuments.mockReset().mockResolvedValue([]); - mockFetchSQL.mockReset().mockResolvedValue([]); + mockFetchDocuments.mockReset().mockResolvedValue({ records: [] }); + mockFetchSQL.mockReset().mockResolvedValue({ records: [] }); }); test('changes of fetchStatus when starting with FetchStatus.UNINITIALIZED', async () => { @@ -108,7 +108,7 @@ describe('test fetchAll', () => { { _id: '2', _index: 'logs' }, ]; const documents = hits.map((hit) => buildDataTableRecord(hit, dataViewMock)); - mockFetchDocuments.mockResolvedValue(documents); + mockFetchDocuments.mockResolvedValue({ records: documents }); fetchAll(subjects, searchSource, false, deps); await waitForNextTick(); expect(await collect()).toEqual([ 
@@ -130,7 +130,7 @@ describe('test fetchAll', () => { ]; searchSource.getField('index')!.isTimeBased = () => false; const documents = hits.map((hit) => buildDataTableRecord(hit, dataViewMock)); - mockFetchDocuments.mockResolvedValue(documents); + mockFetchDocuments.mockResolvedValue({ records: documents }); subjects.totalHits$.next({ fetchStatus: FetchStatus.LOADING, @@ -181,7 +181,7 @@ describe('test fetchAll', () => { searchSource.getField('index')!.isTimeBased = () => false; const hits = [{ _id: '1', _index: 'logs' }]; const documents = hits.map((hit) => buildDataTableRecord(hit, dataViewMock)); - mockFetchDocuments.mockResolvedValue(documents); + mockFetchDocuments.mockResolvedValue({ records: documents }); subjects.totalHits$.next({ fetchStatus: FetchStatus.LOADING, recordRawType: RecordRawType.DOCUMENT, @@ -248,7 +248,10 @@ describe('test fetchAll', () => { { _id: '2', _index: 'logs' }, ]; const documents = hits.map((hit) => buildDataTableRecord(hit, dataViewMock)); - mockFetchSQL.mockResolvedValue(documents); + mockFetchSQL.mockResolvedValue({ + records: documents, + textBasedQueryColumns: [{ id: '1', name: 'test1', meta: { type: 'number' } }], + }); const query = { sql: 'SELECT * from foo' }; deps = { appStateContainer: { @@ -275,6 +278,7 @@ describe('test fetchAll', () => { fetchStatus: FetchStatus.COMPLETE, recordRawType: 'plain', result: documents, + textBasedQueryColumns: [{ id: '1', name: 'test1', meta: { type: 'number' } }], query, }, ]); diff --git a/src/plugins/discover/public/application/main/utils/fetch_all.ts b/src/plugins/discover/public/application/main/utils/fetch_all.ts index c2a3c0856af06..656957d85f5d6 100644 --- a/src/plugins/discover/public/application/main/utils/fetch_all.ts +++ b/src/plugins/discover/public/application/main/utils/fetch_all.ts 
@@ -86,32 +86,33 @@ export function fetchAll( sendLoadingMsg(dataSubjects.totalHits$, { recordRawType }); // Start fetching all required requests - const documents = + const response = useSql && query ? fetchSql(query, dataView, data, services.expressions, inspectorAdapters) : fetchDocuments(searchSource.createCopy(), fetchDeps); // Handle results of the individual queries and forward the results to the corresponding dataSubjects - documents - .then((docs) => { + response + .then(({ records, textBasedQueryColumns }) => { // If the total hits (or chart) query is still loading, emit a partial // hit count that's at least our retrieved document count if (dataSubjects.totalHits$.getValue().fetchStatus === FetchStatus.LOADING) { dataSubjects.totalHits$.next({ fetchStatus: FetchStatus.PARTIAL, - result: docs.length, + result: records.length, recordRawType, }); } dataSubjects.documents$.next({ fetchStatus: FetchStatus.COMPLETE, - result: docs, + result: records, + textBasedQueryColumns, recordRawType, query, }); - checkHitCount(dataSubjects.main$, docs.length); + checkHitCount(dataSubjects.main$, records.length); }) // Only the document query should send its errors to main$, to cause the full Discover app // to get into an error state. The other queries will not cause all of Discover to error out diff --git a/src/plugins/discover/public/application/main/utils/fetch_documents.test.ts b/src/plugins/discover/public/application/main/utils/fetch_documents.test.ts index 28738cdc522c9..22415aa782194 100644 --- a/src/plugins/discover/public/application/main/utils/fetch_documents.test.ts +++ b/src/plugins/discover/public/application/main/utils/fetch_documents.test.ts 
@@ -36,7 +36,9 @@ describe('test fetchDocuments', () => { const documents = hits.map((hit) => buildDataTableRecord(hit, dataViewMock)); savedSearchMock.searchSource.fetch$ = () => of({ rawResponse: { hits: { hits } } } as IKibanaSearchResponse>); - expect(fetchDocuments(savedSearchMock.searchSource, getDeps())).resolves.toEqual(documents); + expect(fetchDocuments(savedSearchMock.searchSource, getDeps())).resolves.toEqual({ + records: documents, + }); }); test('rejects on query failure', () => { diff --git a/src/plugins/discover/public/application/main/utils/fetch_documents.ts b/src/plugins/discover/public/application/main/utils/fetch_documents.ts index 9a2913aea6d0b..db092cb449057 100644 --- a/src/plugins/discover/public/application/main/utils/fetch_documents.ts +++ b/src/plugins/discover/public/application/main/utils/fetch_documents.ts @@ -9,7 +9,7 @@ import { i18n } from '@kbn/i18n'; import { filter, map } from 'rxjs/operators'; import { lastValueFrom } from 'rxjs'; import { isCompleteResponse, ISearchSource } from '@kbn/data-plugin/public'; -import { EsHitRecord } from '../../../types'; +import type { RecordsFetchResponse, EsHitRecord } from '../../../types'; import { buildDataTableRecordList } from '../../../utils/build_data_record'; import { SAMPLE_SIZE_SETTING } from '../../../../common'; import { FetchDeps } from './fetch_all'; @@ -21,7 +21,7 @@ import { FetchDeps } from './fetch_all'; export const fetchDocuments = ( searchSource: ISearchSource, { abortController, inspectorAdapters, searchSessionId, services }: FetchDeps -) => { +): Promise => { searchSource.setField('size', services.uiSettings.get(SAMPLE_SIZE_SETTING)); searchSource.setField('trackTotalHits', false); searchSource.setField('highlightAll', true); @@ -61,5 +61,5 @@ export const fetchDocuments = ( }) ); - return lastValueFrom(fetch$); + return lastValueFrom(fetch$).then((records) => ({ records })); }; 
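Review bot: In `fetch_documents.test.ts`, the updated assertion `expect(fetchDocuments(...)).resolves.toEqual({ records: documents })` is neither awaited nor returned, so Jest may finish the test before the promise settles. A regression in the new `{ records }` response shape could then go unreported. Make the test callback `async` and write `await expect(fetchDocuments(savedSearchMock.searchSource, getDeps())).resolves.toEqual({ records: documents });`. The opening line of that test is outside the hunk.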
diff --git a/src/plugins/discover/public/application/main/utils/fetch_sql.ts b/src/plugins/discover/public/application/main/utils/fetch_sql.ts index b61d5334e4453..60a0831e0d6c9 100644 --- a/src/plugins/discover/public/application/main/utils/fetch_sql.ts +++ b/src/plugins/discover/public/application/main/utils/fetch_sql.ts @@ -14,7 +14,7 @@ import type { ExpressionsStart } from '@kbn/expressions-plugin/public'; import type { Datatable } from '@kbn/expressions-plugin/public'; import type { DataView } from '@kbn/data-views-plugin/common'; import { textBasedQueryStateToAstWithValidation } from '@kbn/data-plugin/common'; -import { DataTableRecord } from '../../../types'; +import type { RecordsFetchResponse, DataTableRecord } from '../../../types'; interface SQLErrorResponse { error: { @@ -31,7 +31,7 @@ export function fetchSql( inspectorAdapters: Adapters, filters?: Filter[], inputQuery?: Query -) { +): Promise { const timeRange = data.query.timefilter.timefilter.getTime(); return textBasedQueryStateToAstWithValidation({ filters, @@ -46,6 +46,7 @@ export function fetchSql( inspectorAdapters, }); let finalData: DataTableRecord[] = []; + let textBasedQueryColumns: Datatable['columns'] | undefined; let error: string | undefined; execution.pipe(pluck('result')).subscribe((resp) => { const response = resp as Datatable | SQLErrorResponse; @@ -54,6 +55,7 @@ export function fetchSql( } else { const table = response as Datatable; const rows = table?.rows ?? []; + textBasedQueryColumns = table?.columns ?? undefined; finalData = rows.map( (row: Record, idx: number) => ({ @@ -68,11 +70,17 @@ export function fetchSql( if (error) { throw new Error(error); } else { - return finalData || []; + return { + records: finalData || [], + textBasedQueryColumns, + }; } }); } - return []; + return { + records: [] as DataTableRecord[], + textBasedQueryColumns: [], + }; }) .catch((err) => { throw new Error(err.message); 
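Review bot: The return paths of `fetchSql` disagree on what "no columns" looks like: the fallback at the end returns `textBasedQueryColumns: []`, while the success path leaves it `undefined` when the table has no `columns`. A consumer that tells a missing list from an empty one will treat the two cases differently. Pick one representation, for example `textBasedQueryColumns = table?.columns;` together with `return { records: [] };` in the fallback, which the optional field in `RecordsFetchResponse` allows. Two smaller clean-ups: `?? undefined` is a no-op, and `finalData || []` is redundant because `finalData` is initialised to `[]`.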
diff --git a/src/plugins/discover/public/components/field_name/__snapshots__/field_name.test.tsx.snap b/src/plugins/discover/public/components/field_name/__snapshots__/field_name.test.tsx.snap index 21777f772c9a5..e7cf7eddd0b94 100644 --- a/src/plugins/discover/public/components/field_name/__snapshots__/field_name.test.tsx.snap +++ b/src/plugins/discover/public/components/field_name/__snapshots__/field_name.test.tsx.snap @@ -10,9 +10,9 @@ Array [ > - Geo point field + Geo point
  • , @@ -44,9 +44,9 @@ Array [ > - Number field + Number , @@ -78,9 +78,9 @@ Array [ > - String field + String , @@ -146,9 +146,9 @@ Array [ > - Number field + Number , @@ -180,9 +180,9 @@ Array [ > - Number field + Number , diff --git a/src/plugins/discover/public/components/field_name/field_name.tsx b/src/plugins/discover/public/components/field_name/field_name.tsx index ca386d344e42f..488e412eea107 100644 --- a/src/plugins/discover/public/components/field_name/field_name.tsx +++ b/src/plugins/discover/public/components/field_name/field_name.tsx @@ -12,9 +12,8 @@ import { EuiBadge, EuiFlexGroup, EuiFlexItem, EuiToolTip, EuiHighlight } from '@ import { FormattedMessage } from '@kbn/i18n-react'; import { i18n } from '@kbn/i18n'; import { FieldIcon, FieldIconProps } from '@kbn/react-field'; -import { getFieldSubtypeMulti } from '@kbn/data-views-plugin/public'; -import type { DataViewField } from '@kbn/data-views-plugin/public'; -import { getFieldTypeName } from '../../utils/get_field_type_name'; +import { type DataViewField, getFieldSubtypeMulti } from '@kbn/data-views-plugin/public'; +import { getFieldTypeName } from '@kbn/unified-field-list-plugin/public'; interface Props { fieldName: string; diff --git a/src/plugins/discover/public/embeddable/saved_search_embeddable.tsx b/src/plugins/discover/public/embeddable/saved_search_embeddable.tsx index 69a8f4115a45e..a6d8f6cf3edaf 100644 --- a/src/plugins/discover/public/embeddable/saved_search_embeddable.tsx +++ b/src/plugins/discover/public/embeddable/saved_search_embeddable.tsx @@ -240,8 +240,8 @@ export class SavedSearchEmbeddable loading: false, }); - this.searchProps!.rows = result; - this.searchProps!.totalHitCount = result.length; + this.searchProps!.rows = result.records; + this.searchProps!.totalHitCount = result.records.length; this.searchProps!.isLoading = false; this.searchProps!.isPlainRecord = true; this.searchProps!.showTimeCol = false; 
diff --git a/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/legacy/table.tsx b/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/legacy/table.tsx index 91e3bbc73fdf1..1a63ccf69477e 100644 --- a/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/legacy/table.tsx +++ b/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/legacy/table.tsx @@ -9,7 +9,7 @@ import '../table.scss'; import React, { useCallback, useMemo } from 'react'; import { EuiInMemoryTable } from '@elastic/eui'; -import { getTypeForFieldIcon } from '../../../../../utils/get_type_for_field_icon'; +import { getFieldIconType } from '@kbn/unified-field-list-plugin/public'; import { useDiscoverServices } from '../../../../../hooks/use_discover_services'; import { SHOW_MULTIFIELDS } from '../../../../../../common'; import { DocViewRenderProps, FieldRecordLegacy } from '../../../doc_views_types'; @@ -76,7 +76,7 @@ export const DocViewerLegacyTable = ({ const fieldType = isNestedFieldParent(field, dataView) ? 'nested' : fieldMapping - ? getTypeForFieldIcon(fieldMapping) + ? getFieldIconType(fieldMapping) : undefined; const ignored = getIgnoredReason(fieldMapping ?? field, hit.raw._ignored); return { diff --git a/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/table.tsx b/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/table.tsx index 0eab3a68c8218..56232a31f9a0f 100644 --- a/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/table.tsx +++ b/src/plugins/discover/public/services/doc_views/components/doc_viewer_table/table.tsx 
@@ -29,7 +29,7 @@ import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; import { debounce } from 'lodash'; import { Storage } from '@kbn/kibana-utils-plugin/public'; -import { getTypeForFieldIcon } from '../../../../utils/get_type_for_field_icon'; +import { getFieldIconType } from '@kbn/unified-field-list-plugin/public'; import { useDiscoverServices } from '../../../../hooks/use_discover_services'; import { usePager } from '../../../../hooks/use_pager'; import { FieldName } from '../../../../components/field_name/field_name'; @@ -166,7 +166,7 @@ export const DocViewerTable = ({ const fieldType = isNestedFieldParent(field, dataView) ? 'nested' : fieldMapping - ? getTypeForFieldIcon(fieldMapping) + ? getFieldIconType(fieldMapping) : undefined; const ignored = getIgnoredReason(fieldMapping ?? field, hit.raw._ignored); diff --git a/src/plugins/discover/public/types.ts b/src/plugins/discover/public/types.ts index f96edccb5f9bf..2419f15b8a429 100644 --- a/src/plugins/discover/public/types.ts +++ b/src/plugins/discover/public/types.ts @@ -7,6 +7,7 @@ */ import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { type DatatableColumn } from '@kbn/expressions-plugin/common'; export type ValueToStringConverter = ( rowIndex: number, @@ -38,3 +39,8 @@ export interface DataTableRecord { */ isAnchor?: boolean; } + +export interface RecordsFetchResponse { + records: DataTableRecord[]; + textBasedQueryColumns?: DatatableColumn[]; +} diff --git a/src/plugins/discover/public/utils/get_field_type_name.test.ts b/src/plugins/discover/public/utils/get_field_type_name.test.ts deleted file mode 100644 index bada07e8ad9f7..0000000000000 --- a/src/plugins/discover/public/utils/get_field_type_name.test.ts +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { getFieldTypeName, UNKNOWN_FIELD_TYPE_MESSAGE } from './get_field_type_name'; -import { KNOWN_FIELD_TYPES } from '../../common/field_types'; - -describe('getFieldTypeName', () => { - describe('known field types should be recognized', () => { - it.each(Object.values(KNOWN_FIELD_TYPES))( - `'%s' should return a string that does not match '${UNKNOWN_FIELD_TYPE_MESSAGE}'`, - (field) => { - const fieldTypeName = getFieldTypeName(field); - expect(typeof fieldTypeName).toBe('string'); - expect(fieldTypeName).not.toBe(UNKNOWN_FIELD_TYPE_MESSAGE); - } - ); - }); - - it(`should return '${UNKNOWN_FIELD_TYPE_MESSAGE}' when passed undefined`, () => { - expect(getFieldTypeName(undefined)).toBe(UNKNOWN_FIELD_TYPE_MESSAGE); - }); - - it(`should return '${UNKNOWN_FIELD_TYPE_MESSAGE}' when passed 'unknown'`, () => { - expect(getFieldTypeName('unknown')).toBe(UNKNOWN_FIELD_TYPE_MESSAGE); - }); - - it('should return the original type string back when passed an unknown field type', () => { - expect(getFieldTypeName('unknown_field_type')).toBe('unknown_field_type'); - }); -}); diff --git a/src/plugins/discover/public/utils/get_field_type_name.ts b/src/plugins/discover/public/utils/get_field_type_name.ts deleted file mode 100644 index 81a4346f63902..0000000000000 --- a/src/plugins/discover/public/utils/get_field_type_name.ts +++ /dev/null 
@@ -1,105 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import { KBN_FIELD_TYPES } from '@kbn/data-plugin/public'; -import { KNOWN_FIELD_TYPES } from '../../common/field_types'; - -export const UNKNOWN_FIELD_TYPE_MESSAGE = i18n.translate( - 'discover.fieldNameIcons.unknownFieldAriaLabel', - { - defaultMessage: 'Unknown field', - } -); - -export function getFieldTypeName(type?: string) { - if (!type || type === KBN_FIELD_TYPES.UNKNOWN) { - return UNKNOWN_FIELD_TYPE_MESSAGE; - } - - if (type === 'source') { - // TODO: check if we can remove this logic as outdated - - // Note that this type is currently not provided, type for _source is undefined - return i18n.translate('discover.fieldNameIcons.sourceFieldAriaLabel', { - defaultMessage: 'Source field', - }); - } - - const knownType: KNOWN_FIELD_TYPES = type as KNOWN_FIELD_TYPES; - switch (knownType) { - case KNOWN_FIELD_TYPES.BOOLEAN: - return i18n.translate('discover.fieldNameIcons.booleanAriaLabel', { - defaultMessage: 'Boolean field', - }); - case KNOWN_FIELD_TYPES.CONFLICT: - return i18n.translate('discover.fieldNameIcons.conflictFieldAriaLabel', { - defaultMessage: 'Conflicting field', - }); - case KNOWN_FIELD_TYPES.DATE: - return i18n.translate('discover.fieldNameIcons.dateFieldAriaLabel', { - defaultMessage: 'Date field', - }); - case KNOWN_FIELD_TYPES.DATE_RANGE: - return i18n.translate('discover.fieldNameIcons.dateRangeFieldAriaLabel', { - defaultMessage: 'Date range field', - }); - case KNOWN_FIELD_TYPES.GEO_POINT: - return i18n.translate('discover.fieldNameIcons.geoPointFieldAriaLabel', { - defaultMessage: 'Geo point field', - }); - case 
KNOWN_FIELD_TYPES.GEO_SHAPE: - return i18n.translate('discover.fieldNameIcons.geoShapeFieldAriaLabel', { - defaultMessage: 'Geo shape field', - }); - case KNOWN_FIELD_TYPES.HISTOGRAM: - return i18n.translate('discover.fieldNameIcons.histogramFieldAriaLabel', { - defaultMessage: 'Histogram field', - }); - case KNOWN_FIELD_TYPES.IP: - return i18n.translate('discover.fieldNameIcons.ipAddressFieldAriaLabel', { - defaultMessage: 'IP address field', - }); - case KNOWN_FIELD_TYPES.IP_RANGE: - return i18n.translate('discover.fieldNameIcons.ipRangeFieldAriaLabel', { - defaultMessage: 'IP range field', - }); - case KNOWN_FIELD_TYPES.MURMUR3: - return i18n.translate('discover.fieldNameIcons.murmur3FieldAriaLabel', { - defaultMessage: 'Murmur3 field', - }); - case KNOWN_FIELD_TYPES.NUMBER: - return i18n.translate('discover.fieldNameIcons.numberFieldAriaLabel', { - defaultMessage: 'Number field', - }); - case KNOWN_FIELD_TYPES.STRING: - return i18n.translate('discover.fieldNameIcons.stringFieldAriaLabel', { - defaultMessage: 'String field', - }); - case KNOWN_FIELD_TYPES.TEXT: - return i18n.translate('discover.fieldNameIcons.textFieldAriaLabel', { - defaultMessage: 'Text field', - }); - case KNOWN_FIELD_TYPES.KEYWORD: - return i18n.translate('discover.fieldNameIcons.keywordFieldAriaLabel', { - defaultMessage: 'Keyword field', - }); - case KNOWN_FIELD_TYPES.NESTED: - return i18n.translate('discover.fieldNameIcons.nestedFieldAriaLabel', { - defaultMessage: 'Nested field', - }); - case KNOWN_FIELD_TYPES.VERSION: - return i18n.translate('discover.fieldNameIcons.versionFieldAriaLabel', { - defaultMessage: 'Version field', - }); - default: - // If you see a typescript error here, that's a sign that there are missing switch cases ^^ - const _exhaustiveCheck: never = knownType; - return knownType || _exhaustiveCheck; - } -} 
diff --git a/src/plugins/discover/public/utils/get_type_for_field_icon.test.ts b/src/plugins/discover/public/utils/get_type_for_field_icon.test.ts deleted file mode 100644 index 33decc463d013..0000000000000 --- a/src/plugins/discover/public/utils/get_type_for_field_icon.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { DataViewField } from '@kbn/data-views-plugin/common'; -import { getTypeForFieldIcon } from './get_type_for_field_icon'; - -describe('getTypeForFieldIcon', () => { - it('extracts type for non-string types', () => { - expect( - getTypeForFieldIcon({ - type: 'not-string', - esTypes: ['bar'], - } as DataViewField) - ).toBe('not-string'); - }); - - it('extracts type when type is string but esTypes is unavailable', () => { - expect( - getTypeForFieldIcon({ - type: 'string', - esTypes: undefined, - } as DataViewField) - ).toBe('string'); - }); - - it('extracts esType when type is string and esTypes is available', () => { - expect( - getTypeForFieldIcon({ - type: 'string', - esTypes: ['version'], - } as DataViewField) - ).toBe('version'); - }); - - it('extracts type for meta fields', () => { - expect( - getTypeForFieldIcon({ - type: 'string', - esTypes: ['_id'], - } as DataViewField) - ).toBe('string'); - }); -}); diff --git a/src/plugins/discover/public/utils/get_type_for_field_icon.ts b/src/plugins/discover/public/utils/get_type_for_field_icon.ts deleted file mode 100644 index 3d05e8365e59c..0000000000000 --- a/src/plugins/discover/public/utils/get_type_for_field_icon.ts +++ /dev/null 
@@ -1,22 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { DataViewField } from '@kbn/data-views-plugin/common'; - -/** - * Extracts the type from a data view field that will match the right icon. - * - * We define custom logic for Discover in order to distinguish between various "string" types. - */ -export const getTypeForFieldIcon = (field: DataViewField) => { - const esType = field.esTypes?.[0] || null; - if (esType && ['_id', '_index'].includes(esType)) { - return field.type; - } - return field.type === 'string' && esType ? esType : field.type; -}; diff --git a/src/plugins/files/server/audit_events.ts b/src/plugins/files/server/audit_events.ts index 98affff3c0082..702d00d946e7f 100644 --- a/src/plugins/files/server/audit_events.ts +++ b/src/plugins/files/server/audit_events.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { EcsEventOutcome } from '@kbn/ecs'; +import { EcsEvent } from '@kbn/ecs'; import { AuditEvent } from '@kbn/security-plugin/server'; export type AuditAction = 'create' | 'delete'; @@ -15,7 +15,7 @@ interface CreateAuditEventArgs { message: string; action: AuditAction; error?: Error; - outcome?: EcsEventOutcome; + outcome?: EcsEvent['outcome']; } export function createAuditEvent({ diff --git a/src/plugins/ftr_apis/README.md b/src/plugins/ftr_apis/README.md new file mode 100644 index 0000000000000..fc620c9ac4f56 --- /dev/null +++ b/src/plugins/ftr_apis/README.md 
@@ -0,0 +1,8 @@ +# ftrApis plugin + +This plugin exposes a set of APIs used internally during functional tests by the FTR. + +The APIs currently exposed are: +1. APIs used by the `KbnClientSavedObjects` (SO service of the FTR) + +**Remark: these APIs shouldn't be called directly for any reason** diff --git a/packages/kbn-ecs/src/ecs/code_signature.ts b/src/plugins/ftr_apis/jest.config.js similarity index 51% rename from packages/kbn-ecs/src/ecs/code_signature.ts rename to src/plugins/ftr_apis/jest.config.js index ead0a9dc73570..e9dd449c2e308 100644 --- a/packages/kbn-ecs/src/ecs/code_signature.ts +++ b/src/plugins/ftr_apis/jest.config.js @@ -6,19 +6,11 @@ * Side Public License, v 1. */ -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-code_signature.html - * - * @internal - */ -export interface EcsCodeSignature { - digest_algorithm?: string; - exists?: boolean; - signing_id?: string; - status?: string; - subject_name?: string; - timestamp?: string; - team_id?: string; - trusted?: boolean; - valid?: boolean; -} +module.exports = { + preset: '@kbn/test', + rootDir: '../../..', + roots: ['/src/plugins/ftr_apis'], + coverageDirectory: '/target/kibana-coverage/jest/src/plugins/ftr_apis', + coverageReporters: ['text', 'html'], + collectCoverageFrom: ['/src/plugins/ftr_apis/{common,public,server}/**/*.{js,ts,tsx}'], +}; diff --git a/src/plugins/ftr_apis/kibana.json b/src/plugins/ftr_apis/kibana.json new file mode 100644 index 0000000000000..44e77c3900b31 --- /dev/null +++ b/src/plugins/ftr_apis/kibana.json @@ -0,0 +1,11 @@ +{ + "id": "ftrApis", + "owner": { + "name": "Core", + "githubTeam": "kibana-core" + }, + "version": "kibana", + "configPath": ["ftr_apis"], + "server": true, + "ui": false +} diff --git a/src/plugins/ftr_apis/server/config.ts b/src/plugins/ftr_apis/server/config.ts new file mode 100644 index 0000000000000..14d2cbafed9c8 --- /dev/null +++ b/src/plugins/ftr_apis/server/config.ts 
@@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { schema, type TypeOf } from '@kbn/config-schema'; +import type { PluginConfigDescriptor } from '@kbn/core/server'; + +const configSchema = schema.object({ + disableApis: schema.boolean({ defaultValue: false }), +}); + +export type ConfigType = TypeOf; + +export const config: PluginConfigDescriptor = { + schema: configSchema, +}; diff --git a/packages/kbn-ecs/src/ecs/agent.ts b/src/plugins/ftr_apis/server/index.ts similarity index 57% rename from packages/kbn-ecs/src/ecs/agent.ts rename to src/plugins/ftr_apis/server/index.ts index 711880d5989af..5c33f6c4a067a 100644 --- a/packages/kbn-ecs/src/ecs/agent.ts +++ b/src/plugins/ftr_apis/server/index.ts @@ -6,16 +6,11 @@ * Side Public License, v 1. */ -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-agent.html - * - * @internal - */ -export interface EcsAgent { - build?: { original: string }; - ephemeral_id?: string; - id?: string; - name?: string; - type?: string; - version?: string; +import type { PluginInitializerContext } from '@kbn/core/server'; +import { FtrApisPlugin } from './plugin'; + +export function plugin(initializerContext: PluginInitializerContext) { + return new FtrApisPlugin(initializerContext); } + +export { config } from './config'; diff --git a/src/plugins/ftr_apis/server/plugin.ts b/src/plugins/ftr_apis/server/plugin.ts new file mode 100644 index 0000000000000..42fd40212f346 --- /dev/null +++ b/src/plugins/ftr_apis/server/plugin.ts 
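Review bot: In `ftr_apis/server/config.ts`, `disableApis` defaults to `false`, so the test-only routes are registered on every instance that loads this plugin unless an operator opts out. The route handlers added in this commit build a saved-objects client that includes every hidden type and delete with `force: true`, so this surface should fail closed. Consider an opt-in default, `disableApis: schema.boolean({ defaultValue: true })`, with the FTR server configuration switching it on explicitly. Whether the distributable build overrides the default is not visible in this diff. A comment on the schema should also say that the setting gates APIs meant only for the functional test runner.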
@@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { CoreSetup, Plugin, PluginInitializerContext } from '@kbn/core/server'; +import { registerRoutes } from './routes'; +import type { ConfigType } from './config'; + +export class FtrApisPlugin implements Plugin { + private readonly config: ConfigType; + + constructor(initializerContext: PluginInitializerContext) { + this.config = initializerContext.config.get(); + } + + public setup({ http, savedObjects }: CoreSetup) { + const router = http.createRouter(); + if (!this.config.disableApis) { + registerRoutes(router); + } + } + + public start() {} +} diff --git a/packages/kbn-ecs/src/ecs/interface.ts b/src/plugins/ftr_apis/server/routes/index.ts similarity index 63% rename from packages/kbn-ecs/src/ecs/interface.ts rename to src/plugins/ftr_apis/server/routes/index.ts index e1129b60efd24..ae71eb3ee2673 100644 --- a/packages/kbn-ecs/src/ecs/interface.ts +++ b/src/plugins/ftr_apis/server/routes/index.ts @@ -6,13 +6,9 @@ * Side Public License, v 1. */ -/** - * https://www.elastic.co/guide/en/ecs/master/ecs-interface.html - * - * @internal - */ -export interface EcsInterface { - alias?: string; - id?: string; - name?: string; -} +import type { IRouter } from '@kbn/core/server'; +import { registerKbnClientSoRoutes } from './kbn_client_so'; + +export const registerRoutes = (router: IRouter) => { + registerKbnClientSoRoutes(router); +}; diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/bulk_delete.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/bulk_delete.ts new file mode 100644 index 0000000000000..1d0af8c799c97 --- /dev/null 
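Review bot: In `FtrApisPlugin.setup`, the routes are registered silently, so nothing in the server log shows that the test-only saved-object APIs are live on an instance. Keep a logger from `initializerContext.logger.get()` in the constructor and emit something like `this.logger.warn('ftrApis routes are registered; this plugin is meant for functional test runs only');` inside the `if (!this.config.disableApis)` branch. Separately, `savedObjects` is destructured from `CoreSetup` but never used, and `http.createRouter()` can move inside the `if` so that no router is created when the APIs are disabled.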
+++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/bulk_delete.ts @@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { IRouter } from '@kbn/core/server'; +import { schema } from '@kbn/config-schema'; +import { KBN_CLIENT_API_PREFIX, listHiddenTypes, catchAndReturnBoomErrors } from './utils'; + +export const registerBulkDeleteRoute = (router: IRouter) => { + router.post( + { + path: `${KBN_CLIENT_API_PREFIX}/_bulk_delete`, + options: { + tags: ['access:ftrApis'], + }, + validate: { + body: schema.arrayOf( + schema.object({ + type: schema.string(), + id: schema.string(), + }) + ), + }, + }, + catchAndReturnBoomErrors(async (ctx, req, res) => { + const { savedObjects } = await ctx.core; + const hiddenTypes = listHiddenTypes(savedObjects.typeRegistry); + const soClient = savedObjects.getClient({ includedHiddenTypes: hiddenTypes }); + + const statuses = await soClient.bulkDelete(req.body, { force: true }); + return res.ok({ body: statuses }); + }) + ); +}; diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/create.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/create.ts new file mode 100644 index 0000000000000..479c0403aaabd --- /dev/null +++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/create.ts 
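Review bot: In `bulk_delete.ts`, the handler calls `soClient.bulkDelete(req.body, { force: true })` on a client created with every hidden type included, and nothing in the file explains why either choice is acceptable. The same applies to `soClient.delete(type, id, { force: true })` in `delete.ts`. Add a comment above the call, for example `// force: true also deletes objects that are shared to several spaces; acceptable only because this route exists for FTR clean-up`. Also add a short JSDoc on `registerBulkDeleteRoute` stating that the `access:ftrApis` tag is the only access check this route declares. That way a later reader does not copy the pattern into a product route.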
@@ -0,0 +1,62 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { IRouter } from '@kbn/core/server'; +import { schema } from '@kbn/config-schema'; +import { KBN_CLIENT_API_PREFIX, listHiddenTypes, catchAndReturnBoomErrors } from './utils'; + +export const registerCreateRoute = (router: IRouter) => { + router.post( + { + path: `${KBN_CLIENT_API_PREFIX}/{type}/{id?}`, + options: { + tags: ['access:ftrApis'], + }, + validate: { + params: schema.object({ + type: schema.string(), + id: schema.maybe(schema.string()), + }), + query: schema.object({ + overwrite: schema.boolean({ defaultValue: false }), + }), + body: schema.object({ + attributes: schema.recordOf(schema.string(), schema.any()), + migrationVersion: schema.maybe(schema.recordOf(schema.string(), schema.string())), + references: schema.maybe( + schema.arrayOf( + schema.object({ + name: schema.string(), + type: schema.string(), + id: schema.string(), + }) + ) + ), + }), + }, + }, + catchAndReturnBoomErrors(async (ctx, req, res) => { + const { type, id } = req.params; + const { overwrite } = req.query; + const { attributes, migrationVersion, references } = req.body; + const { savedObjects } = await ctx.core; + + const hiddenTypes = listHiddenTypes(savedObjects.typeRegistry); + const soClient = savedObjects.getClient({ includedHiddenTypes: hiddenTypes }); + + const options = { + id, + overwrite, + migrationVersion, + references, + }; + const result = await soClient.create(type, attributes, options); + return res.ok({ body: result }); + }) + ); +}; 
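Review bot: In `create.ts`, the pair `listHiddenTypes(savedObjects.typeRegistry)` followed by `savedObjects.getClient({ includedHiddenTypes: hiddenTypes })` is repeated verbatim here and in the `bulk_delete`, `delete`, `find` and `get` handlers. Since that pair is what widens the client to every hidden type, it is better defined once: a helper next to `listHiddenTypes` in `./utils` (not shown in this chunk), for example `getSoClientWithHiddenTypes(ctx)`, would give the policy a single place to review and change. The inline `options` object can then be passed directly as `soClient.create(type, attributes, { id, overwrite, migrationVersion, references })`.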
diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/delete.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/delete.ts new file mode 100644 index 0000000000000..35d16611c48dd --- /dev/null +++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/delete.ts @@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { IRouter } from '@kbn/core/server'; +import { schema } from '@kbn/config-schema'; +import { KBN_CLIENT_API_PREFIX, listHiddenTypes, catchAndReturnBoomErrors } from './utils'; + +export const registerDeleteRoute = (router: IRouter) => { + router.delete( + { + path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`, + options: { + tags: ['access:ftrApis'], + }, + validate: { + params: schema.object({ + type: schema.string(), + id: schema.string(), + }), + }, + }, + catchAndReturnBoomErrors(async (ctx, req, res) => { + const { type, id } = req.params; + const { savedObjects } = await ctx.core; + + const hiddenTypes = listHiddenTypes(savedObjects.typeRegistry); + const soClient = savedObjects.getClient({ includedHiddenTypes: hiddenTypes }); + + const result = await soClient.delete(type, id, { force: true }); + return res.ok({ body: result }); + }) + ); +}; diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/find.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/find.ts new file mode 100644 index 0000000000000..4ded164377646 --- /dev/null +++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/find.ts 
@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { IRouter } from '@kbn/core/server';
+import { schema } from '@kbn/config-schema';
+import { KBN_CLIENT_API_PREFIX, listHiddenTypes, catchAndReturnBoomErrors } from './utils';
+
+export const registerFindRoute = (router: IRouter) => {
+ router.get(
+ {
+ path: `${KBN_CLIENT_API_PREFIX}/_find`,
+ options: {
+ tags: ['access:ftrApis'],
+ },
+ validate: {
+ query: schema.object({
+ per_page: schema.number({ min: 0, defaultValue: 20 }),
+ page: schema.number({ min: 0, defaultValue: 1 }),
+ type: schema.oneOf([schema.string(), schema.arrayOf(schema.string())]),
+ search: schema.maybe(schema.string()),
+ fields: schema.maybe(schema.oneOf([schema.string(), schema.arrayOf(schema.string())])),
+ }),
+ },
+ },
+ catchAndReturnBoomErrors(async (ctx, req, res) => {
+ const query = req.query;
+
+ const { savedObjects } = await ctx.core;
+ const hiddenTypes = listHiddenTypes(savedObjects.typeRegistry);
+ const soClient = savedObjects.getClient({ includedHiddenTypes: hiddenTypes });
+
+ const result = await soClient.find({
+ perPage: query.per_page,
+ page: query.page,
+ type: Array.isArray(query.type) ? query.type : [query.type],
+ search: query.search,
+ fields: typeof query.fields === 'string' ? [query.fields] : query.fields,
+ });
+
+ return res.ok({ body: result });
+ })
+ );
+};
diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/get.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/get.ts
new file mode 100644
index 0000000000000..ae03e528501a1
--- /dev/null
+++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/get.ts
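Review bot: In the find route's query schema, `per_page` has a lower bound but no upper bound, and `page` accepts 0 although its default is 1. A single request can therefore ask for an arbitrarily large page of full objects, hidden types included. Consider a ceiling sized to what the test tooling needs, e.g. `per_page: schema.number({ min: 0, max: 1000, defaultValue: 20 })` (1000 is only an example value). If pages are 1-based here, which the default suggests, also use `page: schema.number({ min: 1, defaultValue: 1 })`.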
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { IRouter } from '@kbn/core/server';
+import { schema } from '@kbn/config-schema';
+import { KBN_CLIENT_API_PREFIX, listHiddenTypes, catchAndReturnBoomErrors } from './utils';
+
+export const registerGetRoute = (router: IRouter) => {
+ router.get(
+ {
+ path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
+ options: {
+ tags: ['access:ftrApis'],
+ },
+ validate: {
+ params: schema.object({
+ type: schema.string(),
+ id: schema.string(),
+ }),
+ },
+ },
+ catchAndReturnBoomErrors(async (ctx, req, res) => {
+ const { type, id } = req.params;
+ const { savedObjects } = await ctx.core;
+
+ const hiddenTypes = listHiddenTypes(savedObjects.typeRegistry);
+ const soClient = savedObjects.getClient({ includedHiddenTypes: hiddenTypes });
+
+ const object = await soClient.get(type, id);
+ return res.ok({ body: object });
+ })
+ );
+};
diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/index.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/index.ts
new file mode 100644
index 0000000000000..b22f234d8455b
--- /dev/null
+++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/index.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { IRouter } from '@kbn/core/server';
+import { registerBulkDeleteRoute } from './bulk_delete';
+import { registerCreateRoute } from './create';
+import { registerDeleteRoute } from './delete';
+import { registerFindRoute } from './find';
+import { registerGetRoute } from './get';
+import { registerUpdateRoute } from './update';
+
+export const registerKbnClientSoRoutes = (router: IRouter) => {
+ registerBulkDeleteRoute(router);
+ registerCreateRoute(router);
+ registerDeleteRoute(router);
+ registerFindRoute(router);
+ registerGetRoute(router);
+ registerUpdateRoute(router);
+};
diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/update.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/update.ts
new file mode 100644
index 0000000000000..e6d568771631e
--- /dev/null
+++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/update.ts
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { IRouter } from '@kbn/core/server';
+import { schema } from '@kbn/config-schema';
+import { KBN_CLIENT_API_PREFIX, listHiddenTypes, catchAndReturnBoomErrors } from './utils';
+
+export const registerUpdateRoute = (router: IRouter) => {
+ router.put(
+ {
+ path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
+ options: {
+ tags: ['access:ftrApis'],
+ },
+ validate: {
+ params: schema.object({
+ type: schema.string(),
+ id: schema.string(),
+ }),
+ body: schema.object({
+ attributes: schema.recordOf(schema.string(), schema.any()),
+ migrationVersion: schema.maybe(schema.string()),
+ references: schema.maybe(
+ schema.arrayOf(
+ schema.object({
+ name: schema.string(),
+ type: schema.string(),
+ id: schema.string(),
+ })
+ )
+ ),
+ }),
+ },
+ },
+ catchAndReturnBoomErrors(async (ctx, req, res) => {
+ const { type, id } = req.params;
+ const { attributes, migrationVersion, references } = req.body;
+ const { savedObjects } = await ctx.core;
+
+ const hiddenTypes = listHiddenTypes(savedObjects.typeRegistry);
+ const soClient = savedObjects.getClient({ includedHiddenTypes: hiddenTypes });
+
+ const options = { version: migrationVersion, references };
+ const result = await soClient.update(type, id, attributes, options);
+ return res.ok({ body: result });
+ })
+ );
+};
diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/utils.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/utils.ts
new file mode 100644
index 0000000000000..f4bab0fd7f31c
--- /dev/null
+++ b/src/plugins/ftr_apis/server/routes/kbn_client_so/utils.ts
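Review bot: In the update route the body field is named `migrationVersion` and validated as a plain string, but the handler forwards it as a different option in `const options = { version: migrationVersion, references };`. The create route in this commit validates `migrationVersion` as a record of strings and passes it on under its own name, so the two routes disagree on both the type and the meaning of the same field. If the value is meant to be the object version used for conflict detection, name it `version` in the schema and destructure it as `version`. If it really is a migration version, it should not be sent as `version`.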
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import Boom from '@hapi/boom';
+import type { ISavedObjectTypeRegistry, RequestHandlerWrapper } from '@kbn/core/server';
+
+export const KBN_CLIENT_API_PREFIX = '/internal/ftr/kbn_client_so';
+
+export const listHiddenTypes = (registry: ISavedObjectTypeRegistry): string[] => {
+ return registry
+ .getAllTypes()
+ .map((type) => type.name)
+ .filter((typeName) => registry.isHidden(typeName));
+};
+
+export const catchAndReturnBoomErrors: RequestHandlerWrapper = (handler) => {
+ return async (context, request, response) => {
+ try {
+ return await handler(context, request, response);
+ } catch (e) {
+ if (Boom.isBoom(e) && e.output.statusCode !== 500) {
+ return response.customError({
+ body: e.output.payload,
+ statusCode: e.output.statusCode,
+ headers: e.output.headers as { [key: string]: string },
+ });
+ }
+ throw e;
+ }
+ };
+};
diff --git a/src/plugins/ftr_apis/tsconfig.json b/src/plugins/ftr_apis/tsconfig.json
new file mode 100644
index 0000000000000..30044452e0a33
--- /dev/null
+++ b/src/plugins/ftr_apis/tsconfig.json
@@ -0,0 +1,19 @@
+{
+ "extends": "../../../tsconfig.base.json",
+ "compilerOptions": {
+ "outDir": "target/types",
+ "isolatedModules": true
+ },
+ "include": [
+ "common/**/*",
+ "public/**/*",
+ "server/**/*"
+ ],
+ "exclude": [
+ "target/**/*",
+ ],
+ "kbn_references": [
+ "@kbn/core",
+ "@kbn/config-schema",
+ ]
+}
diff --git a/src/plugins/guided_onboarding/assets/panel_bg_bottom.svg b/src/plugins/guided_onboarding/assets/panel_bg_bottom.svg
new file mode 100644
index 0000000000000..e2b1f7f2f643b
--- /dev/null
+++ b/src/plugins/guided_onboarding/assets/panel_bg_bottom.svg 
@@ -0,0 +1,2739 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/plugins/guided_onboarding/assets/panel_bg_bottom_dark.svg b/src/plugins/guided_onboarding/assets/panel_bg_bottom_dark.svg new file mode 100644 index 0000000000000..521500b7d1352 --- /dev/null +++ b/src/plugins/guided_onboarding/assets/panel_bg_bottom_dark.svg 
@@ -0,0 +1,2720 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/plugins/guided_onboarding/assets/panel_bg_top.svg b/src/plugins/guided_onboarding/assets/panel_bg_top.svg new file mode 100644 index 0000000000000..561d57f3fb773 --- /dev/null +++ b/src/plugins/guided_onboarding/assets/panel_bg_top.svg 
@@ -0,0 +1,573 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/plugins/guided_onboarding/public/components/guide_panel.styles.ts b/src/plugins/guided_onboarding/public/components/guide_panel.styles.ts index 4768d4112bcea..fe889ce580249 100644 --- a/src/plugins/guided_onboarding/public/components/guide_panel.styles.ts +++ b/src/plugins/guided_onboarding/public/components/guide_panel.styles.ts @@ -8,6 +8,9 @@ import { EuiThemeComputed } from '@elastic/eui'; import { css } from '@emotion/react'; +import panelBgTop from '../../assets/panel_bg_top.svg'; +import panelBgBottom from '../../assets/panel_bg_bottom.svg'; +import panelBgBottomDark from '../../assets/panel_bg_bottom_dark.svg'; /** * 
@@ -16,16 +19,24 @@ import { css } from '@emotion/react'; * In order to leverage a11y features, we are using the EuiFlyout and applying customizations * See https://github.com/elastic/eui/issues/6241 for more details */ -export const getGuidePanelStyles = (euiTheme: EuiThemeComputed) => ({ +export const getGuidePanelStyles = ({ + euiTheme, + isDarkTheme, +}: { + euiTheme: EuiThemeComputed; + isDarkTheme: boolean; +}) => ({ setupButton: css` margin-right: ${euiTheme.size.m}; `, flyoutOverrides: { + flyoutHeader: css` + background: url(${panelBgTop}) top right no-repeat; + `, flyoutContainer: css` top: 55px !important; // Unsetting bottom and height default values to create auto height bottom: unset !important; - height: unset !important; right: calc(${euiTheme.size.s} + 128px); // Accounting for margin on button border-radius: 6px; animation: euiModal 350ms cubic-bezier(0.34, 1.61, 0.7, 1); @@ -47,8 +58,9 @@ export const getGuidePanelStyles = (euiTheme: EuiThemeComputed) => ({ `, flyoutFooter: css` border-radius: 0 0 6px 6px; - background: transparent; + background: url(${isDarkTheme ? panelBgBottomDark : panelBgBottom}) 0 7px no-repeat; padding: 24px 30px; + height: 125px; `, flyoutFooterLink: css` color: ${euiTheme.colors.darkShade}; diff --git a/src/plugins/guided_onboarding/public/components/guide_panel.test.tsx b/src/plugins/guided_onboarding/public/components/guide_panel.test.tsx index d9cce292ad340..7b0fd713c09cc 100644 --- a/src/plugins/guided_onboarding/public/components/guide_panel.test.tsx +++ b/src/plugins/guided_onboarding/public/components/guide_panel.test.tsx 
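Review bot: The context comment `// Unsetting bottom and height default values to create auto height` in `flyoutContainer` is stale after this hunk, because `height: unset !important;` is removed and only `bottom` is still unset. Reword it to match what remains, e.g. `// Unsetting the default bottom value`, or state why the height override was dropped. In the later hunk of the same file, `flyoutFooter` now gets a fixed `height: 125px;` with a background image offset of `0 7px`; a short comment tying those numbers to the SVG asset would help the next person who changes the footer content.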
@@ -31,10 +31,15 @@ import { mockPluginStateInProgress, } from '../services/api.mocks'; import { GuidePanel } from './guide_panel'; +import { IUiSettingsClient } from '@kbn/core/public'; const applicationMock = applicationServiceMock.createStartContract(); const notificationsMock = notificationServiceMock.createStartContract(); +const uiSettingsMock = { + get: jest.fn(), +} as unknown as IUiSettingsClient; + const mockGetResponse = (path: string, pluginState: PluginState) => { if (path === `${API_BASE_PATH}/configs/${testGuideId}`) { return Promise.resolve({ @@ -57,7 +62,12 @@ const setupComponentWithPluginStateMock = async ( const setupGuidePanelComponent = async (api: GuidedOnboardingApi) => { let testBed: TestBed; const GuidePanelComponent = () => ( - + ); await act(async () => { testBed = registerTestBed(GuidePanelComponent)(); diff --git a/src/plugins/guided_onboarding/public/components/guide_panel.tsx b/src/plugins/guided_onboarding/public/components/guide_panel.tsx index 7b84e9b586b7b..c04ba2e9e35be 100644 --- a/src/plugins/guided_onboarding/public/components/guide_panel.tsx +++ b/src/plugins/guided_onboarding/public/components/guide_panel.tsx @@ -29,7 +29,7 @@ import { import { i18n } from '@kbn/i18n'; -import { ApplicationStart, NotificationsStart } from '@kbn/core/public'; +import { ApplicationStart, NotificationsStart, IUiSettingsClient } from '@kbn/core/public'; import type { GuideState, GuideStep as GuideStepStatus } from '@kbn/guided-onboarding'; import type { GuideId, GuideConfig, StepConfig } from '@kbn/guided-onboarding'; @@ -46,6 +46,7 @@ interface GuidePanelProps { api: GuidedOnboardingApi; application: ApplicationStart; notifications: NotificationsStart; + uiSettings: IUiSettingsClient; } const getProgress = (state?: GuideState): number => { 
@@ -95,7 +96,7 @@ const errorSection = ( /> ); -export const GuidePanel = ({ api, application, notifications }: GuidePanelProps) => { +export const GuidePanel = ({ api, application, notifications, uiSettings }: GuidePanelProps) => { const { euiTheme } = useEuiTheme(); const [isGuideOpen, setIsGuideOpen] = useState(false); const [isQuitGuideModalOpen, setIsQuitGuideModalOpen] = useState(false); @@ -103,7 +104,8 @@ export const GuidePanel = ({ api, application, notifications }: GuidePanelProps) const [guideConfig, setGuideConfig] = useState(undefined); const [isLoading, setIsLoading] = useState(false); - const styles = getGuidePanelStyles(euiTheme); + const isDarkTheme = uiSettings.get('theme:darkMode'); + const styles = getGuidePanelStyles({ euiTheme, isDarkTheme }); const toggleGuide = () => { setIsGuideOpen((prevIsGuideOpen) => !prevIsGuideOpen); @@ -257,7 +259,7 @@ export const GuidePanel = ({ api, application, notifications }: GuidePanelProps) > {guideConfig && pluginState && pluginState.status !== 'error' ? ( <> - + {backToGuidesButton}

    diff --git a/src/plugins/guided_onboarding/public/plugin.tsx b/src/plugins/guided_onboarding/public/plugin.tsx index dee46bfb9b382..4c5e02ddac9c4 100755 --- a/src/plugins/guided_onboarding/public/plugin.tsx +++ b/src/plugins/guided_onboarding/public/plugin.tsx @@ -17,6 +17,7 @@ import { CoreTheme, ApplicationStart, NotificationsStart, + IUiSettingsClient, } from '@kbn/core/public'; import { KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; @@ -40,7 +41,7 @@ export class GuidedOnboardingPlugin core: CoreStart, { cloud }: AppPluginStartDependencies ): GuidedOnboardingPluginStart { - const { chrome, http, theme, application, notifications } = core; + const { chrome, http, theme, application, notifications, uiSettings } = core; // Initialize services apiService.setup(http, !!cloud?.isCloudEnabled); @@ -56,6 +57,7 @@ export class GuidedOnboardingPlugin api: apiService, application, notifications, + uiSettings, }), }); } @@ -74,17 +76,24 @@ export class GuidedOnboardingPlugin api, application, notifications, + uiSettings, }: { targetDomElement: HTMLElement; theme$: Rx.Observable; api: ApiService; application: ApplicationStart; notifications: NotificationsStart; + uiSettings: IUiSettingsClient; }) { ReactDOM.render( - + , targetDomElement diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts index 75bd45dba4845..ec389fda1f084 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts 
@@ -518,10 +518,6 @@ export const stackManagementSchema: MakeSchemaFrom = { type: 'boolean', _meta: { description: 'Non-default value of setting.' }, }, - 'lens:useFieldExistenceSampling': { - type: 'boolean', - _meta: { description: 'Non-default value of setting.' }, - }, 'metrics:allowCheckingForFailedShards': { type: 'boolean', _meta: { description: 'Non-default value of setting.' }, diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts index ac7386e4beda1..6a0743256465f 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts @@ -141,7 +141,6 @@ export interface UsageStats { 'discover:rowHeightOption': number; hideAnnouncements: boolean; isDefaultIndexMigrated: boolean; - 'lens:useFieldExistenceSampling': boolean; 'metrics:allowCheckingForFailedShards': boolean; 'observability:apmLabsButton': boolean; 'observability:enableAwsLambdaMetrics': boolean; diff --git a/src/plugins/share/public/components/__snapshots__/share_context_menu.test.tsx.snap b/src/plugins/share/public/components/__snapshots__/share_context_menu.test.tsx.snap index 6bbcd15168727..a88572a99a1e3 100644 --- a/src/plugins/share/public/components/__snapshots__/share_context_menu.test.tsx.snap +++ b/src/plugins/share/public/components/__snapshots__/share_context_menu.test.tsx.snap @@ -14,7 +14,7 @@ exports[`shareContextMenuExtensions should render a custom panel title when prov urlService={Object {}} />, "id": 1, - "title": "Permalink", + "title": "Get link", }, Object { "content": , "id": 1, - "title": "Permalink", + "title": "Get link", }, Object { "content":
    @@ -113,7 +113,7 @@ exports[`shareContextMenuExtensions should sort ascending on sort order first an "data-test-subj": "sharePanel-Permalinks", "disabled": false, "icon": "link", - "name": "Permalinks", + "name": "Get links", "panel": 1, }, Object { @@ -150,7 +150,7 @@ exports[`should disable the share URL when set 1`] = ` urlService={Object {}} />, "id": 1, - "title": "Permalink", + "title": "Get link", }, Object { "content": , "id": 1, - "title": "Permalink", + "title": "Get link", }, ] } @@ -225,7 +225,7 @@ exports[`should render context menu panel when there are more than one panel 1`] urlService={Object {}} />, "id": 1, - "title": "Permalink", + "title": "Get link", }, Object { "content": { const permalinkPanel = { id: panels.length + 1, title: i18n.translate('share.contextMenu.permalinkPanelTitle', { - defaultMessage: 'Permalink', + defaultMessage: 'Get link', }), content: ( { }; menuItems.push({ name: i18n.translate('share.contextMenu.permalinksLabel', { - defaultMessage: 'Permalinks', + defaultMessage: 'Get links', }), icon: 'link', panel: permalinkPanel.id, sortOrder: 0, disabled: Boolean(this.props.disabledShareUrl), + // do not break functional tests + 'data-test-subj': 'Permalinks', }); panels.push(permalinkPanel); @@ -157,7 +159,9 @@ export class ShareContextMenu extends Component { return -1; }) .map((menuItem) => { - menuItem['data-test-subj'] = `sharePanel-${menuItem.name.replace(' ', '')}`; + menuItem['data-test-subj'] = `sharePanel-${ + menuItem['data-test-subj'] ?? menuItem.name.replace(' ', '') + }`; delete menuItem.sortOrder; return menuItem; }), diff --git a/src/plugins/share/public/components/url_panel_content.tsx b/src/plugins/share/public/components/url_panel_content.tsx index fb2de6811b4d5..f145a6ebece4e 100644 --- a/src/plugins/share/public/components/url_panel_content.tsx +++ b/src/plugins/share/public/components/url_panel_content.tsx 
@@ -481,7 +481,7 @@ export class UrlPanelContent extends Component { const generateLinkAsHelp = this.isNotSaved() ? ( ) : undefined; diff --git a/src/plugins/telemetry/schema/oss_plugins.json b/src/plugins/telemetry/schema/oss_plugins.json index 939f9a5d05901..1219d8c7aad4e 100644 --- a/src/plugins/telemetry/schema/oss_plugins.json +++ b/src/plugins/telemetry/schema/oss_plugins.json @@ -9036,12 +9036,6 @@ "description": "Non-default value of setting." } }, - "lens:useFieldExistenceSampling": { - "type": "boolean", - "_meta": { - "description": "Non-default value of setting." - } - }, "metrics:allowCheckingForFailedShards": { "type": "boolean", "_meta": { diff --git a/src/plugins/unified_field_list/common/index.ts b/src/plugins/unified_field_list/common/index.ts index 72274d44a7263..747db7a56bbae 100755 --- a/src/plugins/unified_field_list/common/index.ts +++ b/src/plugins/unified_field_list/common/index.ts @@ -7,4 +7,3 @@ */ export const PLUGIN_ID = 'unifiedFieldList'; -export const FIELD_EXISTENCE_SETTING = 'lens:useFieldExistenceSampling'; diff --git a/src/plugins/unified_field_list/common/utils/field_existing_utils.ts b/src/plugins/unified_field_list/common/utils/field_existing_utils.ts index 334de4aca95df..f89338404730e 100644 --- a/src/plugins/unified_field_list/common/utils/field_existing_utils.ts +++ b/src/plugins/unified_field_list/common/utils/field_existing_utils.ts @@ -19,7 +19,6 @@ export type SearchHandler = ( /** * The number of docs to sample to determine field empty status. */ -const SAMPLE_SIZE = 500; export interface Field { name: string; @@ -40,7 +39,6 @@ export async function fetchFieldExistence({ timeFieldName, includeFrozen, metaFields, - useSampling, }: { search: SearchHandler; dataView: DataView; 
@@ -49,24 +47,9 @@ export async function fetchFieldExistence({ toDate?: string; timeFieldName?: string; includeFrozen: boolean; - useSampling: boolean; metaFields: string[]; dataViewsService: DataViewsContract; }) { - if (useSampling) { - return legacyFetchFieldExistenceSampling({ - search, - metaFields, - dataView, - dataViewsService, - dslQuery, - fromDate, - toDate, - timeFieldName, - includeFrozen, - }); - } - const allFields = buildFieldList(dataView, metaFields); const existingFieldList = await dataViewsService.getFieldsForIndexPattern(dataView, { // filled in by data views service @@ -79,47 +62,6 @@ export async function fetchFieldExistence({ }; } -async function legacyFetchFieldExistenceSampling({ - search, - metaFields, - dataView, - dslQuery, - fromDate, - toDate, - timeFieldName, - includeFrozen, -}: { - search: SearchHandler; - metaFields: string[]; - dataView: DataView; - dataViewsService: DataViewsContract; - dslQuery: object; - fromDate?: string; - toDate?: string; - timeFieldName?: string; - includeFrozen: boolean; -}) { - const fields = buildFieldList(dataView, metaFields); - const runtimeMappings = dataView.getRuntimeMappings(); - - const docs = await fetchDataViewStats({ - search, - fromDate, - toDate, - dslQuery, - index: dataView.title, - timeFieldName: timeFieldName || dataView.timeFieldName, - fields, - runtimeMappings, - includeFrozen, - }); - - return { - indexPatternTitle: dataView.title, - existingFieldNames: legacyExistingFields(docs, fields), - }; -} - /** * Exported only for unit tests. */ 
@@ -138,60 +80,6 @@ export function buildFieldList(indexPattern: DataView, metaFields: string[]): Fi }); } -async function fetchDataViewStats({ - search, - index, - dslQuery, - timeFieldName, - fromDate, - toDate, - fields, - runtimeMappings, - includeFrozen, -}: { - search: SearchHandler; - index: string; - dslQuery: object; - timeFieldName?: string; - fromDate?: string; - toDate?: string; - fields: Field[]; - runtimeMappings: estypes.MappingRuntimeFields; - includeFrozen: boolean; -}) { - const query = toQuery(timeFieldName, fromDate, toDate, dslQuery); - - const scriptedFields = fields.filter((f) => f.isScript); - const response = await search({ - index, - ...(includeFrozen ? { ignore_throttled: false } : {}), - body: { - size: SAMPLE_SIZE, - query, - // Sorted queries are usually able to skip entire shards that don't match - sort: timeFieldName && fromDate && toDate ? [{ [timeFieldName]: 'desc' }] : [], - fields: ['*'], - _source: false, - runtime_mappings: runtimeMappings, - script_fields: scriptedFields.reduce((acc, field) => { - acc[field.name] = { - script: { - lang: field.lang!, - source: field.script!, - }, - }; - return acc; - }, {} as Record), - // Small improvement because there is overhead in counting - track_total_hits: false, - // Per-shard timeout, must be lower than overall. Shards return partial results on timeout - timeout: '4500ms', - }, - }); - - return response?.hits.hits; -} - function toQuery( timeFieldName: string | undefined, fromDate: string | undefined, diff --git a/src/plugins/unified_field_list/public/components/field_icon/__snapshots__/field_icon.test.tsx.snap b/src/plugins/unified_field_list/public/components/field_icon/__snapshots__/field_icon.test.tsx.snap index 89bde8769a0c7..66a9236679abc 100644 --- a/src/plugins/unified_field_list/public/components/field_icon/__snapshots__/field_icon.test.tsx.snap +++ b/src/plugins/unified_field_list/public/components/field_icon/__snapshots__/field_icon.test.tsx.snap 
@@ -16,13 +16,6 @@ exports[`UnifiedFieldList renders Document type properly 1`] = ` /> `; -exports[`UnifiedFieldList renders Histogram type properly 1`] = ` - -`; - exports[`UnifiedFieldList renders properly 1`] = ` ', () => { const component = shallow(); expect(component).toMatchSnapshot(); }); - - test('renders Histogram type properly', () => { - const component = shallow(); - expect(component).toMatchSnapshot(); - }); }); diff --git a/src/plugins/unified_field_list/public/components/field_icon/field_icon.tsx b/src/plugins/unified_field_list/public/components/field_icon/field_icon.tsx index 1485ebe1c8d02..070716911706c 100644 --- a/src/plugins/unified_field_list/public/components/field_icon/field_icon.tsx +++ b/src/plugins/unified_field_list/public/components/field_icon/field_icon.tsx @@ -24,8 +24,5 @@ const FieldIcon = React.memo(InnerFieldIcon) as GenericFieldIcon; export default FieldIcon; function normalizeFieldType(type: string) { - if (type === 'histogram') { - return 'number'; - } return type === 'document' ? 'number' : type; } diff --git a/src/plugins/unified_field_list/public/components/field_list_filters/field_type_filter.test.tsx b/src/plugins/unified_field_list/public/components/field_list_filters/field_type_filter.test.tsx index 01bc1c4147f15..7a9701f31a9d1 100644 --- a/src/plugins/unified_field_list/public/components/field_list_filters/field_type_filter.test.tsx +++ b/src/plugins/unified_field_list/public/components/field_list_filters/field_type_filter.test.tsx @@ -59,7 +59,7 @@ describe('UnifiedFieldList ', () => { await openPopover(wrapper, props); - expect(wrapper.find(EuiContextMenuItem)?.length).toBe(11); + expect(wrapper.find(EuiContextMenuItem)?.length).toBe(10); expect( wrapper .find(EuiContextMenuItem) 
@@ -67,7 +67,7 @@ describe('UnifiedFieldList ', () => { .join(', ') ).toBe( // format:type_icon type_name help_icon count - 'BooleanBooleanInfo1, ConflictConflictInfo1, DateDateInfo4, Geo pointGeo pointInfo2, Geo shapeGeo shapeInfo1, IP addressIP addressInfo1, KeywordKeywordInfo4, Murmur3Murmur3Info2, NumberNumberInfo3, StringStringInfo1, TextTextInfo5' + 'BooleanBooleanInfo1, ConflictConflictInfo1, DateDateInfo4, Geo pointGeo pointInfo2, Geo shapeGeo shapeInfo1, IP addressIP addressInfo1, KeywordKeywordInfo5, Murmur3Murmur3Info2, NumberNumberInfo3, TextTextInfo5' ); expect(props.getCustomFieldType).toHaveBeenCalledTimes(props.allFields?.length ?? 0); expect(props.onChange).not.toBeCalled(); @@ -111,7 +111,7 @@ describe('UnifiedFieldList ', () => { await openPopover(wrapper, props); const clearAllButton = findClearAllButton(wrapper, props)?.first(); - expect(wrapper.find(EuiContextMenuItem)?.length).toBe(11); + expect(wrapper.find(EuiContextMenuItem)?.length).toBe(10); expect(clearAllButton?.length).toBe(1); expect( wrapper @@ -120,7 +120,7 @@ describe('UnifiedFieldList ', () => { .join(', ') ).toBe( // format:selection_icon type_icon type_name help_icon count - 'empty-BooleanBooleanInfo1, empty-ConflictConflictInfo1, check-DateDateInfo4, empty-Geo pointGeo pointInfo2, empty-Geo shapeGeo shapeInfo1, empty-IP addressIP addressInfo1, empty-KeywordKeywordInfo4, empty-Murmur3Murmur3Info2, check-NumberNumberInfo3, empty-StringStringInfo1, empty-TextTextInfo5' + 'empty-BooleanBooleanInfo1, empty-ConflictConflictInfo1, check-DateDateInfo4, empty-Geo pointGeo pointInfo2, empty-Geo shapeGeo shapeInfo1, empty-IP addressIP addressInfo1, empty-KeywordKeywordInfo5, empty-Murmur3Murmur3Info2, check-NumberNumberInfo3, empty-TextTextInfo5' ); await toggleType(wrapper, 'boolean'); 
diff --git a/src/plugins/unified_field_list/public/components/field_list_grouped/field_list_grouped.test.tsx b/src/plugins/unified_field_list/public/components/field_list_grouped/field_list_grouped.test.tsx index 9190c6de2859e..7cabd28bc171d 100644 --- a/src/plugins/unified_field_list/public/components/field_list_grouped/field_list_grouped.test.tsx +++ b/src/plugins/unified_field_list/public/components/field_list_grouped/field_list_grouped.test.tsx @@ -16,6 +16,7 @@ import { ReactWrapper } from 'enzyme'; import { dataViewPluginMocks } from '@kbn/data-views-plugin/public/mocks'; import { coreMock } from '@kbn/core/public/mocks'; import FieldListGrouped, { type FieldListGroupedProps } from './field_list_grouped'; +import { FieldListFilters } from '../field_list_filters'; import { ExistenceFetchStatus } from '../../types'; import { FieldsAccordion } from './fields_accordion'; import { NoFieldsCallout } from './no_fields_callout'; @@ -68,13 +69,19 @@ describe('UnifiedFieldList + useGroupedFields()', () => { async function mountGroupedList({ listProps, hookParams }: WrapperProps): Promise { const Wrapper: React.FC = (props) => { const { + fieldListFiltersProps, fieldListGroupedProps: { fieldGroups }, } = useGroupedFields({ ...props.hookParams, services: mockedServices, }); - return ; + return ( + <> + + + + ); }; let wrapper: ReactWrapper; @@ -301,7 +308,7 @@ describe('UnifiedFieldList + useGroupedFields()', () => { ).toStrictEqual([25, 88, 0, 0]); }); - it('renders correctly when filtered', async () => { + it('renders correctly when fields are searched and filtered', async () => { const hookParams = { dataViewId: dataView.id!, allFields: manyFields, 
@@ -319,12 +326,12 @@ describe('UnifiedFieldList + useGroupedFields()', () => { ); await act(async () => { - await wrapper.setProps({ - hookParams: { - ...hookParams, - onFilterField: (field: DataViewField) => field.name.startsWith('@'), - }, - }); + await wrapper + .find('[data-test-subj="fieldListFiltersFieldSearch"]') + .last() + .simulate('change', { + target: { value: '@' }, + }); await wrapper.update(); }); @@ -333,17 +340,34 @@ describe('UnifiedFieldList + useGroupedFields()', () => { ); await act(async () => { - await wrapper.setProps({ - hookParams: { - ...hookParams, - onFilterField: (field: DataViewField) => field.name.startsWith('_'), - }, - }); + await wrapper + .find('[data-test-subj="fieldListFiltersFieldSearch"]') + .last() + .simulate('change', { + target: { value: '_' }, + }); + await wrapper.update(); + }); + + expect(wrapper.find(`#${defaultProps.screenReaderDescriptionId}`).first().text()).toBe( + '3 available fields. 24 unmapped fields. 0 empty fields. 3 meta fields.' + ); + + await act(async () => { + await wrapper + .find('[data-test-subj="fieldListFiltersFieldTypeFilterToggle"]') + .last() + .simulate('click'); + await wrapper.update(); + }); + + await act(async () => { + await wrapper.find('[data-test-subj="typeFilter-date"]').first().simulate('click'); await wrapper.update(); }); expect(wrapper.find(`#${defaultProps.screenReaderDescriptionId}`).first().text()).toBe( - '0 available fields. 12 unmapped fields. 0 empty fields. 3 meta fields.' + '1 available field. 4 unmapped fields. 0 empty fields. 0 meta fields.' ); }); diff --git a/src/plugins/unified_field_list/public/hooks/use_grouped_fields.test.tsx b/src/plugins/unified_field_list/public/hooks/use_grouped_fields.test.tsx index 5fa7344955b52..053e7d912d375 100644 --- a/src/plugins/unified_field_list/public/hooks/use_grouped_fields.test.tsx +++ b/src/plugins/unified_field_list/public/hooks/use_grouped_fields.test.tsx 
@@ -6,8 +6,7 @@ * Side Public License, v 1. */ -import { renderHook } from '@testing-library/react-hooks'; -import { act } from 'react-test-renderer'; +import { renderHook, act } from '@testing-library/react-hooks'; import { stubDataViewWithoutTimeField, stubLogstashDataView as dataView, @@ -168,6 +167,7 @@ describe('UnifiedFieldList useGroupedFields()', () => { let fieldListGroupedProps = result.current.fieldListGroupedProps; const fieldGroups = fieldListGroupedProps.fieldGroups; + const scrollToTopResetCounter1 = fieldListGroupedProps.scrollToTopResetCounter; expect( Object.keys(fieldGroups!).map( @@ -195,25 +195,26 @@ describe('UnifiedFieldList useGroupedFields()', () => { fieldListGroupedProps = result.current.fieldListGroupedProps; expect(fieldListGroupedProps.fieldsExistenceStatus).toBe(ExistenceFetchStatus.succeeded); expect(fieldListGroupedProps.fieldsExistInIndex).toBe(true); + expect(result.current.fieldListGroupedProps.scrollToTopResetCounter).not.toBe( + scrollToTopResetCounter1 + ); (ExistenceApi.useExistingFieldsReader as jest.Mock).mockRestore(); }); - it('should work correctly when filtered', async () => { + it('should work correctly when searched and filtered', async () => { const props: GroupedFieldsParams = { dataViewId: dataView.id!, allFields: allFieldsIncludingUnmapped, services: mockedServices, }; - const { result, waitForNextUpdate, rerender } = renderHook(useGroupedFields, { + const { result, waitForNextUpdate } = renderHook(useGroupedFields, { initialProps: props, }); await waitForNextUpdate(); - const fieldListGroupedProps = result.current.fieldListGroupedProps; - let fieldGroups = fieldListGroupedProps.fieldGroups; - const scrollToTopResetCounter1 = fieldListGroupedProps.scrollToTopResetCounter; + let fieldGroups = result.current.fieldListGroupedProps.fieldGroups; expect( Object.keys(fieldGroups!).map( 
@@ -232,9 +233,8 @@ describe('UnifiedFieldList useGroupedFields()', () => { 'MetaFields-3-3', ]); - rerender({ - ...props, - onFilterField: (field: DataViewField) => field.name.startsWith('@'), + act(() => { + result.current.fieldListFiltersProps.onChangeNameFilter('@'); }); fieldGroups = result.current.fieldListGroupedProps.fieldGroups; @@ -256,9 +256,28 @@ describe('UnifiedFieldList useGroupedFields()', () => { 'MetaFields-0-3', ]); - expect(result.current.fieldListGroupedProps.scrollToTopResetCounter).not.toBe( - scrollToTopResetCounter1 - ); + act(() => { + result.current.fieldListFiltersProps.onChangeFieldTypes(['date']); + }); + + fieldGroups = result.current.fieldListGroupedProps.fieldGroups; + + expect( + Object.keys(fieldGroups!).map( + (key) => + `${key}-${fieldGroups![key as FieldsGroupNames]?.fields.length}-${ + fieldGroups![key as FieldsGroupNames]?.fieldCount + }` + ) + ).toStrictEqual([ + 'SpecialFields-0-0', + 'SelectedFields-0-0', + 'PopularFields-0-0', + 'AvailableFields-1-25', + 'UnmappedFields-1-28', + 'EmptyFields-0-0', + 'MetaFields-0-3', + ]); }); it('should not change the scroll position if fields list is extended', async () => { diff --git a/src/plugins/unified_field_list/public/hooks/use_grouped_fields.ts b/src/plugins/unified_field_list/public/hooks/use_grouped_fields.ts index 9ac24aaa86063..1209ed64f1eb5 100644 --- a/src/plugins/unified_field_list/public/hooks/use_grouped_fields.ts +++ b/src/plugins/unified_field_list/public/hooks/use_grouped_fields.ts @@ -43,7 +43,6 @@ export interface GroupedFieldsParams { ) => Partial | undefined | null; onSupportedFieldFilter?: (field: T) => boolean; onSelectedFieldFilter?: (field: T) => boolean; - onFilterField?: (field: T) => boolean; // TODO: deprecate after integrating the unified field search and field filters into Discover } export interface GroupedFieldsResult { 
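Review bot: The `scrollToTopResetCounter` assertion is removed from 'should work correctly when searched and filtered' in hunk -256,9 +256,28 and now runs only after the existence status changes in the earlier test (hunk -195,25 +195,26), so a search or type-filter change that fails to reset the scroll position would presumably go unnoticed. Capturing the counter before `result.current.fieldListFiltersProps.onChangeNameFilter('@')` and asserting `expect(result.current.fieldListGroupedProps.scrollToTopResetCounter).not.toBe(counterBefore)` after each `act()` would keep that behaviour covered. The `Object.keys(fieldGroups!).map(...)` summary expression is also repeated once more in this test and could move into a small local helper.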
@@ -68,7 +67,6 @@ export function useGroupedFields({ onOverrideFieldGroupDetails, onSupportedFieldFilter, onSelectedFieldFilter, - onFilterField, }: GroupedFieldsParams): GroupedFieldsResult { const fieldsExistenceReader = useExistingFieldsReader(); const fieldListFilters = useFieldFilters({ @@ -77,7 +75,7 @@ export function useGroupedFields({ getCustomFieldType, onSupportedFieldFilter, }); - const onFilterFieldList = onFilterField ?? fieldListFilters.onFilterField; + const onFilterFieldList = fieldListFilters.onFilterField; const [dataView, setDataView] = useState(null); const isAffectedByTimeFilter = Boolean(dataView?.timeFieldName); const fieldsExistenceInfoUnavailable: boolean = dataViewId @@ -132,6 +130,10 @@ export function useGroupedFields({ if (dataView?.metaFields?.includes(field.name)) { return 'metaFields'; } + // `nested` root fields are not a part of data view fields list, so we need to check them separately + if (field.type === 'nested') { + return 'availableFields'; + } if (dataView?.getFieldByName && !dataView.getFieldByName(field.name)) { return 'unmappedFields'; } diff --git a/src/plugins/unified_field_list/public/services/field_existing/load_field_existing.ts b/src/plugins/unified_field_list/public/services/field_existing/load_field_existing.ts index f8e369838c51a..0040df5c2a4e1 100644 --- a/src/plugins/unified_field_list/public/services/field_existing/load_field_existing.ts +++ b/src/plugins/unified_field_list/public/services/field_existing/load_field_existing.ts @@ -10,7 +10,6 @@ import { IUiSettingsClient } from '@kbn/core/public'; import { DataPublicPluginStart, UI_SETTINGS } from '@kbn/data-plugin/public'; import type { DataView, DataViewsContract } from '@kbn/data-views-plugin/common'; import { lastValueFrom } from 'rxjs'; -import { FIELD_EXISTENCE_SETTING } from '../../../common'; import { fetchFieldExistence } from '../../../common/utils/field_existing_utils'; interface FetchFieldExistenceParams { 
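Review bot: In hunk -132,6 +130,10 the new `field.type === 'nested'` branch returns `'availableFields'` before the `getFieldByName` lookup and, as far as the hunk shows, before any existence information is consulted, so a nested root with no documents in the selected time range would apparently still be listed as available rather than empty. If that is intended, the comment should say so, for example `// nested roots are not in the data view field list and are always shown as available`. The grouping callback starts and ends outside this hunk, so the ordering relative to the existence check should be confirmed against the full body.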
@@ -40,7 +39,6 @@ export const loadFieldExisting: LoadFieldExistingHandler = async ({ dataView, }) => { const includeFrozen = uiSettingsClient.get(UI_SETTINGS.SEARCH_INCLUDE_FROZEN); - const useSampling = uiSettingsClient.get(FIELD_EXISTENCE_SETTING); const metaFields = uiSettingsClient.get(UI_SETTINGS.META_FIELDS); return await fetchFieldExistence({ @@ -50,7 +48,6 @@ export const loadFieldExisting: LoadFieldExistingHandler = async ({ timeFieldName, dataViewsService, includeFrozen, - useSampling, metaFields, dataView, search: async (params) => { diff --git a/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.test.ts b/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.test.ts index 82da142c03d3b..70f54ba84685e 100644 --- a/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.test.ts +++ b/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.test.ts @@ -43,6 +43,6 @@ describe('UnifiedFieldList getFieldIconType()', () => { type: 'string', esTypes: ['_id'], } as DataViewField) - ).toBe('string'); + ).toBe('keyword'); }); }); diff --git a/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.ts b/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.ts index ef843012e0c48..e548d4bf1744b 100644 --- a/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.ts +++ b/src/plugins/unified_field_list/public/utils/field_types/get_field_icon_type.ts @@ -22,8 +22,8 @@ export function getFieldIconType( ): string { const type = getCustomFieldType ? getCustomFieldType(field) : getFieldType(field); const esType = field.esTypes?.[0] || null; - if (esType && ['_id', '_index'].includes(esType)) { - return type; + if (esType && ['_id', '_index'].includes(esType) && type === 'string') { + return 'keyword'; } return type === 'string' && esType ? esType : type; } 
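Review bot: The `_id`/`_index` special case in `getFieldIconType` (hunk -22,8 +22,8) has no comment saying why these two ES types are reported as `keyword`, and both return paths now test `type === 'string' && esType`, which makes the branch harder to read than it needs to be. A one-line comment such as `// _id and _index are shown with the keyword icon rather than as a type of their own` above the `if` would record the intent. The two paths could also share one guard: `if (type === 'string' && esType) { return ['_id', '_index'].includes(esType) ? 'keyword' : esType; }` followed by `return type;`. The function signature lies above the hunk.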
diff --git a/src/plugins/unified_field_list/server/plugin.ts b/src/plugins/unified_field_list/server/plugin.ts index 1171eb4c69be7..7d27861ae6b5b 100644 --- a/src/plugins/unified_field_list/server/plugin.ts +++ b/src/plugins/unified_field_list/server/plugin.ts @@ -14,7 +14,6 @@ import { PluginSetup, } from './types'; import { defineRoutes } from './routes'; -import { getUiSettings } from './ui_settings'; export class UnifiedFieldListPlugin implements Plugin @@ -27,7 +26,6 @@ export class UnifiedFieldListPlugin public setup(core: CoreSetup, plugins: PluginSetup) { this.logger.debug('unifiedFieldList: Setup'); - core.uiSettings.register(getUiSettings()); defineRoutes(core, this.logger); diff --git a/src/plugins/unified_field_list/server/routes/existing_fields.ts b/src/plugins/unified_field_list/server/routes/existing_fields.ts index e17048e217e77..9310b436b6a30 100644 --- a/src/plugins/unified_field_list/server/routes/existing_fields.ts +++ b/src/plugins/unified_field_list/server/routes/existing_fields.ts @@ -14,7 +14,6 @@ import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { fetchFieldExistence, isBoomError } from '../../common/utils/field_existing_utils'; import { FIELD_EXISTING_API_PATH } from '../../common/constants'; -import { FIELD_EXISTENCE_SETTING } from '../../common'; import { PluginStart } from '../types'; export async function existingFieldsRoute(setup: CoreSetup, logger: Logger) { 
@@ -40,9 +39,8 @@ export async function existingFieldsRoute(setup: CoreSetup, logger: await setup.getStartServices(); const savedObjectsClient = savedObjects.getScopedClient(req); const uiSettingsClient = uiSettings.asScopedToClient(savedObjectsClient); - const [includeFrozen, useSampling, metaFields] = await Promise.all([ + const [includeFrozen, metaFields] = await Promise.all([ uiSettingsClient.get(UI_SETTINGS.SEARCH_INCLUDE_FROZEN), - uiSettingsClient.get(FIELD_EXISTENCE_SETTING), uiSettingsClient.get(UI_SETTINGS.META_FIELDS), ]); const esClient = elasticsearch.client.asScoped(req).asCurrentUser; @@ -56,7 +54,6 @@ export async function existingFieldsRoute(setup: CoreSetup, logger: ...req.body, dataViewsService, includeFrozen, - useSampling, metaFields, dataView: await dataViewsService.get(req.params.dataViewId), search: async (params) => { diff --git a/src/plugins/unified_field_list/server/ui_settings.ts b/src/plugins/unified_field_list/server/ui_settings.ts deleted file mode 100644 index fe46b7925bfa0..0000000000000 --- a/src/plugins/unified_field_list/server/ui_settings.ts +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import { schema } from '@kbn/config-schema'; - -import { UiSettingsParams } from '@kbn/core/server'; -import { FIELD_EXISTENCE_SETTING } from '../common'; - -export const getUiSettings: () => Record = () => ({ - [FIELD_EXISTENCE_SETTING]: { - name: i18n.translate('unifiedFieldList.advancedSettings.useFieldExistenceSampling.title', { - defaultMessage: 'Use field existence sampling', - }), - value: false, - description: i18n.translate( - 'unifiedFieldList.advancedSettings.useFieldExistenceSampling.description', - { - defaultMessage: - 'If enabled, document sampling is used to determine field existence (available or empty) for the Lens field list instead of relying on index mappings.', - } - ), - deprecation: { - message: i18n.translate( - 'unifiedFieldList.advancedSettings.useFieldExistenceSampling.deprecation', - { - defaultMessage: 'This setting is deprecated and will not be supported as of 8.6.', - } - ), - docLinksKey: 'visualizationSettings', - }, - category: ['visualization'], - schema: schema.boolean(), - }, -}); diff --git a/src/plugins/unified_search/public/filter_bar/filter_editor/phrases_values_input.tsx b/src/plugins/unified_search/public/filter_bar/filter_editor/phrases_values_input.tsx index 5bc71be112175..c1cb11f816535 100644 --- a/src/plugins/unified_search/public/filter_bar/filter_editor/phrases_values_input.tsx +++ b/src/plugins/unified_search/public/filter_bar/filter_editor/phrases_values_input.tsx 
@@ -55,6 +55,7 @@ class PhrasesValuesInputUI extends PhraseSuggestorUI { defaultMessage: 'Select values', })} delimiter="," + isCaseSensitive={true} options={options} getLabel={(option) => option} selectedOptions={values || []} diff --git a/test/api_integration/apis/unified_field_list/index.ts b/test/api_integration/apis/unified_field_list/index.ts index bf146349d4b1a..45b657c0e5496 100644 --- a/test/api_integration/apis/unified_field_list/index.ts +++ b/test/api_integration/apis/unified_field_list/index.ts @@ -11,7 +11,6 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function lensApiIntegrationTests({ loadTestFile }: FtrProviderContext) { describe('UnifiedFieldList', () => { loadTestFile(require.resolve('./existing_fields')); - loadTestFile(require.resolve('./legacy_existing_fields')); loadTestFile(require.resolve('./field_stats')); }); } diff --git a/test/api_integration/apis/unified_field_list/legacy_existing_fields.ts b/test/api_integration/apis/unified_field_list/legacy_existing_fields.ts deleted file mode 100644 index 7791f45eee107..0000000000000 --- a/test/api_integration/apis/unified_field_list/legacy_existing_fields.ts +++ /dev/null 
@@ -1,275 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import expect from '@kbn/expect'; - -import { FtrProviderContext } from '../../ftr_provider_context'; - -const TEST_START_TIME = '2015-09-19T06:31:44.000'; -const TEST_END_TIME = '2015-09-23T18:31:44.000'; -const COMMON_HEADERS = { - 'kbn-xsrf': 'some-xsrf-token', -}; - -const fieldsWithData = [ - '@message', - '@message.raw', - '@tags', - '@tags.raw', - '@timestamp', - '_id', - '_index', - 'agent', - 'agent.raw', - 'bytes', - 'clientip', - 'extension', - 'extension.raw', - 'geo.coordinates', - 'geo.dest', - 'geo.src', - 'geo.srcdest', - 'headings', - 'headings.raw', - 'host', - 'host.raw', - 'index', - 'index.raw', - 'ip', - 'links', - 'links.raw', - 'machine.os', - 'machine.os.raw', - 'machine.ram', - 'machine.ram_range', - 'memory', - 'phpmemory', - 'referer', - 'request', - 'request.raw', - 'response', - 'response.raw', - 'spaces', - 'spaces.raw', - 'type', - 'url', - 'url.raw', - 'utc_time', - 'xss', - 'xss.raw', - 'runtime_number', - - 'relatedContent.article:modified_time', - 'relatedContent.article:published_time', - 'relatedContent.article:section', - 'relatedContent.article:section.raw', - 'relatedContent.article:tag', - 'relatedContent.article:tag.raw', - 'relatedContent.og:description', - 'relatedContent.og:description.raw', - 'relatedContent.og:image', - 'relatedContent.og:image.raw', - 'relatedContent.og:image:height', - 'relatedContent.og:image:height.raw', - 'relatedContent.og:image:width', - 'relatedContent.og:image:width.raw', - 'relatedContent.og:site_name', - 'relatedContent.og:site_name.raw', - 'relatedContent.og:title', - 'relatedContent.og:title.raw', - 
'relatedContent.og:type', - 'relatedContent.og:type.raw', - 'relatedContent.og:url', - 'relatedContent.og:url.raw', - 'relatedContent.twitter:card', - 'relatedContent.twitter:card.raw', - 'relatedContent.twitter:description', - 'relatedContent.twitter:description.raw', - 'relatedContent.twitter:image', - 'relatedContent.twitter:image.raw', - 'relatedContent.twitter:site', - 'relatedContent.twitter:site.raw', - 'relatedContent.twitter:title', - 'relatedContent.twitter:title.raw', - 'relatedContent.url', - 'relatedContent.url.raw', -]; - -const metricBeatData = [ - '@timestamp', - '_id', - '_index', - 'agent.ephemeral_id', - 'agent.ephemeral_id.keyword', - 'agent.hostname', - 'agent.hostname.keyword', - 'agent.id', - 'agent.id.keyword', - 'agent.type', - 'agent.type.keyword', - 'agent.version', - 'agent.version.keyword', - 'ecs.version', - 'ecs.version.keyword', - 'event.dataset', - 'event.dataset.keyword', - 'event.duration', - 'event.module', - 'event.module.keyword', - 'host.architecture', - 'host.architecture.keyword', - 'host.hostname', - 'host.hostname.keyword', - 'host.id', - 'host.id.keyword', - 'host.name', - 'host.name.keyword', - 'host.os.build', - 'host.os.build.keyword', - 'host.os.family', - 'host.os.family.keyword', - 'host.os.kernel', - 'host.os.kernel.keyword', - 'host.os.name', - 'host.os.name.keyword', - 'host.os.platform', - 'host.os.platform.keyword', - 'host.os.version', - 'host.os.version.keyword', - 'metricset.name', - 'metricset.name.keyword', - 'service.type', - 'service.type.keyword', - 'system.cpu.cores', - 'system.cpu.idle.pct', - 'system.cpu.iowait.pct', - 'system.cpu.irq.pct', - 'system.cpu.nice.pct', - 'system.cpu.softirq.pct', - 'system.cpu.steal.pct', - 'system.cpu.system.pct', - 'system.cpu.total.pct', - 'system.cpu.user.pct', -]; - -export default ({ getService }: FtrProviderContext) => { - const esArchiver = getService('esArchiver'); - const supertest = getService('supertest'); - const kibanaServer = getService('kibanaServer'); - 
- describe('existing_fields apis legacy', () => { - before(async () => { - await esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/logstash_functional'); - await esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/visualize/default'); - await kibanaServer.savedObjects.cleanStandardList(); - await kibanaServer.importExport.load( - 'x-pack/test/functional/fixtures/kbn_archiver/visualize/default' - ); - await kibanaServer.uiSettings.update({ - 'lens:useFieldExistenceSampling': true, - }); - }); - after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/logstash_functional'); - await esArchiver.unload('x-pack/test/functional/es_archives/visualize/default'); - await kibanaServer.savedObjects.cleanStandardList(); - await kibanaServer.uiSettings.update({ - 'lens:useFieldExistenceSampling': false, - }); - }); - - describe('existence', () => { - it('should find which fields exist in the sample documents', async () => { - const { body } = await supertest - .post(`/api/unified_field_list/existing_fields/${encodeURIComponent('logstash-*')}`) - .set(COMMON_HEADERS) - .send({ - dslQuery: { - bool: { - filter: [{ match_all: {} }], - }, - }, - fromDate: TEST_START_TIME, - toDate: TEST_END_TIME, - }) - .expect(200); - - expect(body.indexPatternTitle).to.eql('logstash-*'); - expect(body.existingFieldNames.sort()).to.eql(fieldsWithData.sort()); - }); - - it('should succeed for thousands of fields', async () => { - const { body } = await supertest - .post(`/api/unified_field_list/existing_fields/${encodeURIComponent('metricbeat-*')}`) - .set(COMMON_HEADERS) - .send({ - dslQuery: { match_all: {} }, - fromDate: TEST_START_TIME, - toDate: TEST_END_TIME, - }) - .expect(200); - - expect(body.indexPatternTitle).to.eql('metricbeat-*'); - expect(body.existingFieldNames.sort()).to.eql(metricBeatData.sort()); - }); - - it('should return fields filtered by query and filters', async () => { - const expectedFieldNames = [ - '@message', - '@message.raw', - 
'@tags', - '@tags.raw', - '@timestamp', - '_id', - '_index', - 'agent', - 'agent.raw', - 'bytes', - 'clientip', - 'extension', - 'extension.raw', - 'headings', - 'headings.raw', - 'host', - 'host.raw', - 'index', - 'index.raw', - 'referer', - 'request', - 'request.raw', - 'response', - 'response.raw', - 'runtime_number', - 'spaces', - 'spaces.raw', - 'type', - 'url', - 'url.raw', - 'utc_time', - 'xss', - 'xss.raw', - ]; - - const { body } = await supertest - .post(`/api/unified_field_list/existing_fields/${encodeURIComponent('logstash-*')}`) - .set(COMMON_HEADERS) - .send({ - dslQuery: { - bool: { - filter: [{ match: { referer: 'https://www.taylorswift.com/' } }], - }, - }, - fromDate: TEST_START_TIME, - toDate: TEST_END_TIME, - }) - .expect(200); - expect(body.existingFieldNames.sort()).to.eql(expectedFieldNames.sort()); - }); - }); - }); -}; diff --git a/test/functional/apps/dashboard/group4/dashboard_empty.ts b/test/functional/apps/dashboard/group4/dashboard_empty.ts index 02437b0685694..a0c5202fb4b43 100644 --- a/test/functional/apps/dashboard/group4/dashboard_empty.ts +++ b/test/functional/apps/dashboard/group4/dashboard_empty.ts @@ -26,7 +26,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('saveIndexPatternButton'); }; - describe('dashboard empty state', () => { + // FLAKY: https://github.com/elastic/kibana/issues/149256 + describe.skip('dashboard empty state', () => { const kbnDirectory = 'test/functional/fixtures/kbn_archiver/dashboard/current/kibana'; before(async function () { diff --git a/test/functional/apps/discover/group1/_sidebar.ts b/test/functional/apps/discover/group1/_sidebar.ts index a62a379c20224..9d0878b107073 100644 --- a/test/functional/apps/discover/group1/_sidebar.ts +++ b/test/functional/apps/discover/group1/_sidebar.ts 
@@ -25,6 +25,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const monacoEditor = getService('monacoEditor'); const filterBar = getService('filterBar'); const fieldEditor = getService('fieldEditor'); + const retry = getService('retry'); + const INITIAL_FIELD_LIST_SUMMARY = '53 available fields. 0 empty fields. 3 meta fields.'; describe('discover sidebar', function describeIndexTests() { before(async function () { 
@@ -53,6 +55,109 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.openSidebarFieldFilter(); await PageObjects.discover.closeSidebarFieldFilter(); }); + + it('should filter by field type', async function () { + await PageObjects.header.waitUntilLoadingHasFinished(); + await PageObjects.discover.waitUntilSidebarHasLoaded(); + await PageObjects.discover.openSidebarFieldFilter(); + + expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( + INITIAL_FIELD_LIST_SUMMARY + ); + + await testSubjects.click('typeFilter-keyword'); + + await retry.waitFor('first updates', async () => { + return ( + (await PageObjects.discover.getSidebarAriaDescription()) === + '7 available fields. 0 empty fields. 2 meta fields.' + ); + }); + + await testSubjects.click('typeFilter-number'); + + await retry.waitFor('second updates', async () => { + return ( + (await PageObjects.discover.getSidebarAriaDescription()) === + '13 available fields. 0 empty fields. 3 meta fields.' 
+ ); + }); + + await testSubjects.click('fieldListFiltersFieldTypeFilterClearAll'); + + await retry.waitFor('reset', async () => { + return ( + (await PageObjects.discover.getSidebarAriaDescription()) === INITIAL_FIELD_LIST_SUMMARY + ); + }); + }); + + it('should show filters by type in text-based view', async function () { + await kibanaServer.uiSettings.update({ 'discover:enableSql': true }); + await browser.refresh(); + + await PageObjects.discover.waitUntilSidebarHasLoaded(); + await PageObjects.discover.openSidebarFieldFilter(); + let options = await find.allByCssSelector('[data-test-subj*="typeFilter"]'); + expect(options).to.have.length(6); + await PageObjects.discover.closeSidebarFieldFilter(); + + await PageObjects.discover.selectTextBaseLang('SQL'); + + await PageObjects.discover.waitUntilSidebarHasLoaded(); + await PageObjects.discover.openSidebarFieldFilter(); + options = await find.allByCssSelector('[data-test-subj*="typeFilter"]'); + expect(options).to.have.length(3); + + expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( + '50 selected fields. 51 available fields.' + ); + + await testSubjects.click('typeFilter-number'); + + await retry.waitFor('updates', async () => { + return ( + (await PageObjects.discover.getSidebarAriaDescription()) === + '6 selected fields. 6 available fields.' + ); + }); + }); + + it('should be able to search by string', async function () { + await PageObjects.header.waitUntilLoadingHasFinished(); + await PageObjects.discover.waitUntilSidebarHasLoaded(); + + expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( + INITIAL_FIELD_LIST_SUMMARY + ); + + await PageObjects.discover.findFieldByName('i'); + + await retry.waitFor('first updates', async () => { + return ( + (await PageObjects.discover.getSidebarAriaDescription()) === + '30 available fields. 0 empty fields. 2 meta fields.' 
+ ); + }); + + await PageObjects.discover.findFieldByName('p'); + + await retry.waitFor('second updates', async () => { + return ( + (await PageObjects.discover.getSidebarAriaDescription()) === + '4 available fields. 0 empty fields. 0 meta fields.' + ); + }); + + const fieldSearch = await testSubjects.find('clearSearchButton'); + await fieldSearch.click(); + + await retry.waitFor('reset', async () => { + return ( + (await PageObjects.discover.getSidebarAriaDescription()) === INITIAL_FIELD_LIST_SUMMARY + ); + }); + }); }); describe('field stats', function () { @@ -154,7 +259,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { ); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); }); @@ -253,7 +358,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.selectTextBaseLang('SQL'); @@ -309,7 +414,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.selectIndexPattern('with-timefield'); @@ -335,7 +440,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await kibanaServer.importExport.unload( 'test/functional/fixtures/kbn_archiver/index_pattern_without_timefield' 
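Review bot: The `retry.waitFor` checks added in 'should filter by field type', 'should show filters by type in text-based view' and 'should be able to search by string' compare `getSidebarAriaDescription()` with a literal inside a boolean callback, so a timeout will most likely report only the label ('first updates', 'reset') and not the summary the sidebar actually showed. Asserting inside `retry.try` keeps the actual value in the failure, for example `await retry.try(async () => { expect(await PageObjects.discover.getSidebarAriaDescription()).to.be('7 available fields. 0 empty fields. 2 meta fields.'); });`. The second test also sets `'discover:enableSql': true` and does not restore it within the hunk; whether a hook outside the hunk resets it is not visible here.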
@@ -354,7 +459,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.selectIndexPattern('without-timefield'); @@ -386,7 +491,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await kibanaServer.importExport.unload( @@ -402,7 +507,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.header.waitUntilLoadingHasFinished(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.clickFieldListItem('extension'); @@ -415,7 +520,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); // check that the filter was passed down to the sidebar @@ -433,7 +538,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.selectIndexPattern('indices-stats*'); 
@@ -451,7 +556,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await kibanaServer.importExport.unload( @@ -465,7 +570,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.header.waitUntilLoadingHasFinished(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.addRuntimeField( @@ -503,7 +608,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); allFields = await PageObjects.discover.getAllFieldNames(); @@ -517,7 +622,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.missingOrFail('discoverNoResultsError'); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.addRuntimeField('_invalid-runtimefield', `emit(‘’);`); @@ -564,7 +669,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.waitUntilSidebarHasLoaded(); expect(await PageObjects.discover.getSidebarAriaDescription()).to.be( - '53 available fields. 0 empty fields. 3 meta fields.' + INITIAL_FIELD_LIST_SUMMARY ); await PageObjects.discover.selectIndexPattern('with-timefield'); 
diff --git a/test/functional/apps/discover/group2/_sql_view.ts b/test/functional/apps/discover/group2/_sql_view.ts index 4ae63f0e6b1f1..1f567ec67ddff 100644 --- a/test/functional/apps/discover/group2/_sql_view.ts +++ b/test/functional/apps/discover/group2/_sql_view.ts @@ -39,6 +39,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { describe('test', () => { it('should render sql view correctly', async function () { + await PageObjects.discover.waitUntilSidebarHasLoaded(); + expect(await testSubjects.exists('showQueryBarMenu')).to.be(true); expect(await testSubjects.exists('superDatePickerToggleQuickMenuButton')).to.be(true); expect(await testSubjects.exists('addFilter')).to.be(true); 
@@ -49,15 +51,15 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { expect(await testSubjects.exists('shareTopNavButton')).to.be(true); expect(await testSubjects.exists('docTableExpandToggleColumn')).to.be(true); expect(await testSubjects.exists('dataGridColumnSortingButton')).to.be(true); - expect(await testSubjects.exists('fieldFilterSearchInput')).to.be(true); - expect(await testSubjects.exists('toggleFieldFilterButton')).to.be(true); - expect(await testSubjects.exists('fieldTypesHelpButton')).to.be(true); + expect(await testSubjects.exists('fieldListFiltersFieldSearch')).to.be(true); + expect(await testSubjects.exists('fieldListFiltersFieldTypeFilterToggle')).to.be(true); await testSubjects.click('field-@message-showDetails'); expect(await testSubjects.exists('discoverFieldListPanelEdit-@message')).to.be(true); await PageObjects.discover.selectTextBaseLang('SQL'); + await PageObjects.discover.waitUntilSidebarHasLoaded(); - expect(await testSubjects.exists('fieldFilterSearchInput')).to.be(true); + expect(await testSubjects.exists('fieldListFiltersFieldSearch')).to.be(true); expect(await testSubjects.exists('unifiedTextLangEditor')).to.be(true); expect(await testSubjects.exists('superDatePickerToggleQuickMenuButton')).to.be(true); @@ -70,8 +72,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { expect(await testSubjects.exists('shareTopNavButton')).to.be(false); expect(await testSubjects.exists('docTableExpandToggleColumn')).to.be(false); expect(await testSubjects.exists('dataGridColumnSortingButton')).to.be(false); - expect(await testSubjects.exists('toggleFieldFilterButton')).to.be(false); - expect(await testSubjects.exists('fieldTypesHelpButton')).to.be(false); + expect(await testSubjects.exists('fieldListFiltersFieldTypeFilterToggle')).to.be(true); await testSubjects.click('field-@message-showDetails'); expect(await testSubjects.exists('discoverFieldListPanelEditItem')).to.be(false); }); 
diff --git a/test/functional/page_objects/discover_page.ts b/test/functional/page_objects/discover_page.ts index 7db95f8063c12..46d2bd94423f9 100644 --- a/test/functional/page_objects/discover_page.ts +++ b/test/functional/page_objects/discover_page.ts @@ -46,12 +46,12 @@ export class DiscoverPageObject extends FtrService { } public async findFieldByName(name: string) { - const fieldSearch = await this.testSubjects.find('fieldFilterSearchInput'); + const fieldSearch = await this.testSubjects.find('fieldListFiltersFieldSearch'); await fieldSearch.type(name); } public async clearFieldSearchInput() { - const fieldSearch = await this.testSubjects.find('fieldFilterSearchInput'); + const fieldSearch = await this.testSubjects.find('fieldListFiltersFieldSearch'); await fieldSearch.clearValue(); } @@ -598,7 +598,13 @@ export class DiscoverPageObject extends FtrService { } await this.waitUntilFieldPopoverIsOpen(); - await this.testSubjects.click(`fieldVisualize-${fieldName}`); + const visualizeButtonTestSubject = `fieldVisualize-${fieldName}`; + // wrap visualize button click in retry to ensure button is clicked and retry if button click is not registered + await this.retry.try(async () => { + await this.testSubjects.click(visualizeButtonTestSubject); + await this.testSubjects.waitForDeleted(visualizeButtonTestSubject); + await this.testSubjects.missingOrFail(visualizeButtonTestSubject); + }); await this.header.waitUntilLoadingHasFinished(); } 
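Review bot: The `retry.try` block added around the `fieldVisualize-${fieldName}` click repeats `testSubjects.click` on every attempt, so when the first click did register but `waitForDeleted` timed out, the next attempt targets a button that may already be gone and the retry then fails on the click rather than on the real condition. Guarding the click, `if (await this.testSubjects.exists(visualizeButtonTestSubject)) await this.testSubjects.click(visualizeButtonTestSubject);`, makes the block safe to repeat. `missingOrFail` directly after `waitForDeleted` checks the same condition a second time, so one of the two could go. The enclosing method starts outside the hunk.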
@@ -665,15 +671,15 @@ export class DiscoverPageObject extends FtrService { } public async openSidebarFieldFilter() { - await this.testSubjects.click('toggleFieldFilterButton'); - await this.testSubjects.existOrFail('filterSelectionPanel'); + await this.testSubjects.click('fieldListFiltersFieldTypeFilterToggle'); + await this.testSubjects.existOrFail('fieldListFiltersFieldTypeFilterOptions'); } public async closeSidebarFieldFilter() { - await this.testSubjects.click('toggleFieldFilterButton'); + await this.testSubjects.click('fieldListFiltersFieldTypeFilterToggle'); await this.retry.waitFor('sidebar filter closed', async () => { - return !(await this.testSubjects.exists('filterSelectionPanel')); + return !(await this.testSubjects.exists('fieldListFiltersFieldTypeFilterOptions')); }); } diff --git a/test/functional/services/listing_table.ts b/test/functional/services/listing_table.ts index ce210be9d222e..96e9ba2e49d34 100644 --- a/test/functional/services/listing_table.ts +++ b/test/functional/services/listing_table.ts @@ -20,6 +20,12 @@ export class ListingTableService extends FtrService { private readonly common = this.ctx.getPageObject('common'); private readonly header = this.ctx.getPageObject('header'); + private readonly tagPopoverToggle = this.ctx.getService('menuToggle').create({ + name: 'Tag Popover', + menuTestSubject: 'tagSelectableList', + toggleButtonTestSubject: 'tagFilterPopoverButton', + }); + private async getSearchFilter() { return await this.testSubjects.find('tableListSearchBox'); } @@ -72,6 +78,7 @@ export class ListingTableService extends FtrService { } else { throw new Error('Waiting'); } + await this.header.waitUntilLoadingHasFinished(); }); } 
@@ -92,12 +99,35 @@ export class ListingTableService extends FtrService { ); if (morePages) { await this.testSubjects.click('pagerNextButton'); - await this.header.waitUntilLoadingHasFinished(); + await this.waitUntilTableIsLoaded(); } } return visualizationNames; } + /** + * Select tags in the searchbar's tag filter. + */ + public async selectFilterTags(...tagNames: string[]): Promise { + await this.openTagPopover(); + // select the tags + for (const tagName of tagNames) { + await this.testSubjects.click(`tag-searchbar-option-${tagName.replace(' ', '_')}`); + } + await this.closeTagPopover(); + await this.waitUntilTableIsLoaded(); + } + + public async openTagPopover(): Promise { + this.log.debug('ListingTable.openTagPopover'); + await this.tagPopoverToggle.open(); + } + + public async closeTagPopover(): Promise { + this.log.debug('ListingTable.closeTagPopover'); + await this.tagPopoverToggle.close(); + } + /** * Navigates through all pages on Landing page and returns array of items names */ @@ -112,7 +142,7 @@ export class ListingTableService extends FtrService { ); if (morePages) { await this.testSubjects.click('pagerNextButton'); - await this.header.waitUntilLoadingHasFinished(); + await this.waitUntilTableIsLoaded(); } } return visualizationNames; @@ -154,7 +184,7 @@ export class ListingTableService extends FtrService { await this.common.pressEnterKey(); }); - await this.header.waitUntilLoadingHasFinished(); + await this.waitUntilTableIsLoaded(); } /** diff --git a/tsconfig.base.json b/tsconfig.base.json index ca0c15d5a7cac..fd9ea4a507cc5 100644 --- a/tsconfig.base.json +++ b/tsconfig.base.json 
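Review bot: In `selectFilterTags`, `tagName.replace(' ', '_')` uses a string pattern and therefore replaces only the first space, so a tag name with two or more spaces produces a `tag-searchbar-option-…` test subject that still contains spaces. If the component builds its test subject by replacing every space (not visible in this diff), the click will not find the option; `tagName.replace(/ /g, '_')` covers that case. A one-line comment on the helper stating which normalisation the UI applies would help keep the two in step.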
@@ -106,6 +106,8 @@ "@kbn/ci-stats-performance-metrics/*": ["packages/kbn-ci-stats-performance-metrics/*"], "@kbn/ci-stats-reporter": ["packages/kbn-ci-stats-reporter"], "@kbn/ci-stats-reporter/*": ["packages/kbn-ci-stats-reporter/*"], + "@kbn/ci-stats-shipper-cli": ["packages/kbn-ci-stats-shipper-cli"], + "@kbn/ci-stats-shipper-cli/*": ["packages/kbn-ci-stats-shipper-cli/*"], "@kbn/cli-dev-mode": ["packages/kbn-cli-dev-mode"], "@kbn/cli-dev-mode/*": ["packages/kbn-cli-dev-mode/*"], "@kbn/cloud-chat-plugin": ["x-pack/plugins/cloud_integrations/cloud_chat"], @@ -696,6 +698,8 @@ "@kbn/fleet-plugin/*": ["x-pack/plugins/fleet/*"], "@kbn/flot-charts": ["packages/kbn-flot-charts"], "@kbn/flot-charts/*": ["packages/kbn-flot-charts/*"], + "@kbn/ftr-apis-plugin": ["src/plugins/ftr_apis"], + "@kbn/ftr-apis-plugin/*": ["src/plugins/ftr_apis/*"], "@kbn/ftr-common-functional-services": ["packages/kbn-ftr-common-functional-services"], "@kbn/ftr-common-functional-services/*": ["packages/kbn-ftr-common-functional-services/*"], "@kbn/ftr-screenshot-filename": ["packages/kbn-ftr-screenshot-filename"], diff --git a/x-pack/plugins/actions/server/lib/audit_events.ts b/x-pack/plugins/actions/server/lib/audit_events.ts index 5c2cf6fb7cc08..185c11c89c45b 100644 --- a/x-pack/plugins/actions/server/lib/audit_events.ts +++ b/x-pack/plugins/actions/server/lib/audit_events.ts @@ -5,8 +5,9 @@ * 2.0. */ -import type { EcsEventOutcome, EcsEventType } from '@kbn/core/server'; +import type { EcsEvent } from '@kbn/core/server'; import { AuditEvent } from '@kbn/security-plugin/server'; +import { ArrayElement } from '@kbn/utility-types'; export enum ConnectorAuditAction { CREATE = 'connector_create', @@ -32,7 +33,7 @@ const eventVerbs: Record = { connector_get_global_execution_kpi: ['access', 'accessing', 'accessed'], }; -const eventTypes: Record = { +const eventTypes: Record | undefined> = { connector_create: 'creation', connector_get: 'access', connector_update: 'change', 
@@ -45,7 +46,7 @@ const eventTypes: Record = { export interface ConnectorAuditEventParams { action: ConnectorAuditAction; - outcome?: EcsEventOutcome; + outcome?: EcsEvent['outcome']; savedObject?: NonNullable['saved_object']; error?: Error; } diff --git a/x-pack/plugins/actions/server/lib/request_oauth_client_credentials_token.test.ts b/x-pack/plugins/actions/server/lib/request_oauth_client_credentials_token.test.ts index 223c8c28b55bc..20896e2691f10 100644 --- a/x-pack/plugins/actions/server/lib/request_oauth_client_credentials_token.test.ts +++ b/x-pack/plugins/actions/server/lib/request_oauth_client_credentials_token.test.ts @@ -74,7 +74,6 @@ describe('requestOAuthClientCredentialsToken', () => { "maxSockets": Infinity, "maxTotalSockets": Infinity, "options": Object { - "noDelay": true, "path": null, "rejectUnauthorized": true, }, diff --git a/x-pack/plugins/actions/server/lib/request_oauth_jwt_token.test.ts b/x-pack/plugins/actions/server/lib/request_oauth_jwt_token.test.ts index af65bcf67d3db..318775762bbbd 100644 --- a/x-pack/plugins/actions/server/lib/request_oauth_jwt_token.test.ts +++ b/x-pack/plugins/actions/server/lib/request_oauth_jwt_token.test.ts @@ -75,7 +75,6 @@ describe('requestOAuthJWTToken', () => { "maxSockets": Infinity, "maxTotalSockets": Infinity, "options": Object { - "noDelay": true, "path": null, "rejectUnauthorized": true, }, diff --git a/x-pack/plugins/actions/server/lib/request_oauth_token.test.ts b/x-pack/plugins/actions/server/lib/request_oauth_token.test.ts index 9843783aadf8d..cc9ea6a74517a 100644 --- a/x-pack/plugins/actions/server/lib/request_oauth_token.test.ts +++ b/x-pack/plugins/actions/server/lib/request_oauth_token.test.ts @@ -82,7 +82,6 @@ describe('requestOAuthToken', () => { "maxSockets": Infinity, "maxTotalSockets": Infinity, "options": Object { - "noDelay": true, "path": null, "rejectUnauthorized": true, }, 
diff --git a/x-pack/plugins/alerting/server/rules_client/common/audit_events.ts b/x-pack/plugins/alerting/server/rules_client/common/audit_events.ts index 30b759c895c46..4909a71b89b8c 100644 --- a/x-pack/plugins/alerting/server/rules_client/common/audit_events.ts +++ b/x-pack/plugins/alerting/server/rules_client/common/audit_events.ts @@ -5,8 +5,9 @@ * 2.0. */ -import { EcsEventOutcome, EcsEventType } from '@kbn/core/server'; +import { EcsEvent } from '@kbn/core/server'; import { AuditEvent } from '@kbn/security-plugin/server'; +import { ArrayElement } from '@kbn/utility-types'; export enum RuleAuditAction { CREATE = 'rule_create', @@ -82,7 +83,7 @@ const eventVerbs: Record = { ], }; -const eventTypes: Record = { +const eventTypes: Record> = { rule_create: 'creation', rule_get: 'access', rule_resolve: 'access', @@ -110,7 +111,7 @@ const eventTypes: Record = { export interface RuleAuditEventParams { action: RuleAuditAction; - outcome?: EcsEventOutcome; + outcome?: EcsEvent['outcome']; savedObject?: NonNullable['saved_object']; error?: Error; } diff --git a/x-pack/plugins/apm/server/routes/fleet/api_keys/create_apm_api_keys.ts b/x-pack/plugins/apm/server/routes/fleet/api_keys/create_apm_api_keys.ts index 0f78985b419b1..7f69b7525e214 100644 --- a/x-pack/plugins/apm/server/routes/fleet/api_keys/create_apm_api_keys.ts +++ b/x-pack/plugins/apm/server/routes/fleet/api_keys/create_apm_api_keys.ts @@ -6,6 +6,10 @@ */ import { CoreStart, Logger } from '@kbn/core/server'; +import { + APM_AGENT_CONFIGURATION_INDEX, + APM_SOURCE_MAP_INDEX, +} from '../../settings/apm_indices/get_apm_indices'; const apiKeyMetadata = { application: 'apm', @@ -41,7 +45,7 @@ export async function createApmSourceMapApiKey({ apmSystemIndices: { index: [ { - names: ['.apm-source-map'], + names: [APM_SOURCE_MAP_INDEX], privileges: indexLevelPrivileges, allow_restricted_indices: true, }, 
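Review bot: In `createApmSourceMapApiKey` the `names` entry of a role descriptor that sets `allow_restricted_indices: true` now comes from `APM_SOURCE_MAP_INDEX`, imported from `settings/apm_indices/get_apm_indices`, so the scope of the key's privileges is decided in another file whose value this diff does not show. A later edit that turns that constant into a wildcard or a broader name would widen what the key can reach on restricted indices without touching this function. I would add a comment above the entry such as `// Must remain one concrete system index name: allow_restricted_indices is true, so this value bounds the key's access`, and the same in the `createApmAgentConfigApiKey` hunk for `APM_AGENT_CONFIGURATION_INDEX`. Both function bodies continue outside their hunks.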
@@ -82,7 +86,7 @@ export async function createApmAgentConfigApiKey({ apmSystemIndices: { index: [ { - names: ['.apm-agent-configuration'], + names: [APM_AGENT_CONFIGURATION_INDEX], privileges: indexLevelPrivileges, allow_restricted_indices: true, }, diff --git a/x-pack/plugins/apm/server/routes/source_maps/schedule_source_map_migration.ts b/x-pack/plugins/apm/server/routes/source_maps/schedule_source_map_migration.ts index d7323dd7e2eb7..08c8a29ef6712 100644 --- a/x-pack/plugins/apm/server/routes/source_maps/schedule_source_map_migration.ts +++ b/x-pack/plugins/apm/server/routes/source_maps/schedule_source_map_migration.ts @@ -41,8 +41,7 @@ export async function scheduleSourceMapMigration({ taskManager.registerTaskDefinitions({ [TASK_TYPE]: { title: 'Migrate fleet source map artifacts', - description: - 'Migrates fleet source map artifacts to `.apm-source-map` index', + description: `Migrates fleet source map artifacts to "${APM_SOURCE_MAP_INDEX}" index`, timeout: '1h', maxAttempts: 5, maxConcurrency: 1, diff --git a/x-pack/plugins/canvas/scripts/shareable_runtime.js b/x-pack/plugins/canvas/scripts/shareable_runtime.js index f3e1e66c1744a..a0b8421f8da01 100644 --- a/x-pack/plugins/canvas/scripts/shareable_runtime.js +++ b/x-pack/plugins/canvas/scripts/shareable_runtime.js @@ -55,7 +55,6 @@ run( execa.sync( process.execPath, [ - '--openssl-legacy-provider', require.resolve('webpack-dev-server/bin/webpack-dev-server'), '--config', webpackConfig, @@ -89,7 +88,6 @@ run( execa.sync( process.execPath, [ - '--openssl-legacy-provider', require.resolve('webpack/bin/webpack'), '--config', webpackConfig, diff --git a/x-pack/plugins/cases/common/api/cases/case.ts b/x-pack/plugins/cases/common/api/cases/case.ts index 1463f3cb12d50..2ecc7143f4a89 100644 --- a/x-pack/plugins/cases/common/api/cases/case.ts +++ b/x-pack/plugins/cases/common/api/cases/case.ts 
@@ -11,7 +11,7 @@ import { NumberFromString } from '../saved_object'; import { UserRT } from '../user'; import { CommentResponseRt } from './comment'; import { CasesStatusResponseRt, CaseStatusRt } from './status'; -import { CaseConnectorRt } from '../connectors'; +import { CaseConnectorRt } from '../connectors/connector'; import { CaseAssigneesRt } from './assignee'; export const AttachmentTotalsRt = rt.type({ diff --git a/x-pack/plugins/cases/common/api/connectors/connector.ts b/x-pack/plugins/cases/common/api/connectors/connector.ts new file mode 100644 index 0000000000000..f3c733c85cd8c --- /dev/null +++ b/x-pack/plugins/cases/common/api/connectors/connector.ts 
@@ -0,0 +1,119 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as rt from 'io-ts'; + +import type { ActionType } from '@kbn/actions-plugin/common'; +import type { ActionResult } from '@kbn/actions-plugin/server/types'; +import { JiraFieldsRT } from './jira'; +import { ResilientFieldsRT } from './resilient'; +import { ServiceNowITSMFieldsRT } from './servicenow_itsm'; +import { ServiceNowSIRFieldsRT } from './servicenow_sir'; +import { SwimlaneFieldsRT } from './swimlane'; + +export type ActionConnector = ActionResult; +export type ActionTypeConnector = ActionType; + +export const ConnectorFieldsRt = rt.union([ + JiraFieldsRT, + ResilientFieldsRT, + ServiceNowITSMFieldsRT, + ServiceNowSIRFieldsRT, + rt.null, +]); + +export enum ConnectorTypes { + casesWebhook = '.cases-webhook', + jira = '.jira', + none = '.none', + resilient = '.resilient', + serviceNowITSM = '.servicenow', + serviceNowSIR = '.servicenow-sir', + swimlane = '.swimlane', +} + +const ConnectorCasesWebhookTypeFieldsRt = rt.type({ + type: rt.literal(ConnectorTypes.casesWebhook), + fields: rt.null, +}); + +const ConnectorJiraTypeFieldsRt = rt.type({ + type: rt.literal(ConnectorTypes.jira), + fields: rt.union([JiraFieldsRT, rt.null]), +}); + +const ConnectorResilientTypeFieldsRt = rt.type({ + type: rt.literal(ConnectorTypes.resilient), + fields: rt.union([ResilientFieldsRT, rt.null]), +}); + +const ConnectorServiceNowITSMTypeFieldsRt = rt.type({ + type: rt.literal(ConnectorTypes.serviceNowITSM), + fields: rt.union([ServiceNowITSMFieldsRT, rt.null]), +}); + +const ConnectorSwimlaneTypeFieldsRt = rt.type({ + type: rt.literal(ConnectorTypes.swimlane), + fields: rt.union([SwimlaneFieldsRT, rt.null]), +}); + +const ConnectorServiceNowSIRTypeFieldsRt = rt.type({ + type: 
rt.literal(ConnectorTypes.serviceNowSIR), + fields: rt.union([ServiceNowSIRFieldsRT, rt.null]), +}); + +const ConnectorNoneTypeFieldsRt = rt.type({ + type: rt.literal(ConnectorTypes.none), + fields: rt.null, +}); + +export const NONE_CONNECTOR_ID: string = 'none'; + +export const ConnectorTypeFieldsRt = rt.union([ + ConnectorCasesWebhookTypeFieldsRt, + ConnectorJiraTypeFieldsRt, + ConnectorNoneTypeFieldsRt, + ConnectorResilientTypeFieldsRt, + ConnectorServiceNowITSMTypeFieldsRt, + ConnectorServiceNowSIRTypeFieldsRt, + ConnectorSwimlaneTypeFieldsRt, +]); + +/** + * This type represents the connector's format when it is encoded within a user action. + */ +export const CaseUserActionConnectorRt = rt.union([ + rt.intersection([ConnectorCasesWebhookTypeFieldsRt, rt.type({ name: rt.string })]), + rt.intersection([ConnectorJiraTypeFieldsRt, rt.type({ name: rt.string })]), + rt.intersection([ConnectorNoneTypeFieldsRt, rt.type({ name: rt.string })]), + rt.intersection([ConnectorResilientTypeFieldsRt, rt.type({ name: rt.string })]), + rt.intersection([ConnectorServiceNowITSMTypeFieldsRt, rt.type({ name: rt.string })]), + rt.intersection([ConnectorServiceNowSIRTypeFieldsRt, rt.type({ name: rt.string })]), + rt.intersection([ConnectorSwimlaneTypeFieldsRt, rt.type({ name: rt.string })]), +]); + +export const CaseConnectorRt = rt.intersection([ + rt.type({ + id: rt.string, + }), + CaseUserActionConnectorRt, +]); + +export type CaseUserActionConnector = rt.TypeOf; +export type CaseConnector = rt.TypeOf; +export type ConnectorTypeFields = rt.TypeOf; +export type ConnectorCasesWebhookTypeFields = rt.TypeOf; +export type ConnectorJiraTypeFields = rt.TypeOf; +export type ConnectorResilientTypeFields = rt.TypeOf; +export type ConnectorSwimlaneTypeFields = rt.TypeOf; +export type ConnectorServiceNowITSMTypeFields = rt.TypeOf< + typeof ConnectorServiceNowITSMTypeFieldsRt +>; +export type ConnectorServiceNowSIRTypeFields = rt.TypeOf; + +// we need to change these types back and forth for 
storing in ES (arrays overwrite, objects merge) +export type ConnectorFields = rt.TypeOf; diff --git a/x-pack/plugins/cases/common/api/connectors/get_connectors.ts b/x-pack/plugins/cases/common/api/connectors/get_connectors.ts new file mode 100644 index 0000000000000..5c29d585287da --- /dev/null +++ b/x-pack/plugins/cases/common/api/connectors/get_connectors.ts @@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as rt from 'io-ts'; +import { CaseConnectorRt } from './connector'; +import { CaseExternalServiceBasicRt } from '../cases'; + +const CaseConnectorPushInfoRt = rt.intersection([ + rt.type({ + needsToBePushed: rt.boolean, + hasBeenPushed: rt.boolean, + }), + rt.partial({ + latestUserActionPushDate: rt.string, + oldestUserActionPushDate: rt.string, + externalService: CaseExternalServiceBasicRt, + }), +]); + +export const GetCaseConnectorsResponseRt = rt.record( + rt.string, + rt.intersection([ + rt.type({ + push: CaseConnectorPushInfoRt, + }), + CaseConnectorRt, + ]) +); + +export type GetCaseConnectorsResponse = rt.TypeOf; diff --git a/x-pack/plugins/cases/common/api/connectors/index.ts b/x-pack/plugins/cases/common/api/connectors/index.ts index 7ed31947e9c12..33bb10cbcac1b 100644 --- a/x-pack/plugins/cases/common/api/connectors/index.ts +++ b/x-pack/plugins/cases/common/api/connectors/index.ts 
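Review bot: `ConnectorFieldsRt` in the new `connector.ts` lists `JiraFieldsRT`, `ResilientFieldsRT`, `ServiceNowITSMFieldsRT`, `ServiceNowSIRFieldsRT` and `rt.null` but not `SwimlaneFieldsRT`, although that codec is imported in the same file and used in `ConnectorSwimlaneTypeFieldsRt`. The union was moved unchanged from `index.ts`, so this may be intentional, but nothing in the file says so; either add `SwimlaneFieldsRT,` to the union or leave a comment explaining why Swimlane fields are excluded from it. The move also drops the comment that explained why `ActionResult` is imported from `@kbn/actions-plugin/server/types` in common code; I would keep it next to that import.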
@@ -5,139 +5,11 @@ * 2.0. */ -import * as rt from 'io-ts'; - -import type { ActionType } from '@kbn/actions-plugin/common'; -/** - * ActionResult type from the common folder is outdated. - * The type from server is not exported properly so we - * disable the linting for the moment - */ - -import type { ActionResult } from '@kbn/actions-plugin/server/types'; -import { JiraFieldsRT } from './jira'; -import { ResilientFieldsRT } from './resilient'; -import { ServiceNowITSMFieldsRT } from './servicenow_itsm'; -import { ServiceNowSIRFieldsRT } from './servicenow_sir'; -import { SwimlaneFieldsRT } from './swimlane'; - export * from './jira'; export * from './servicenow_itsm'; export * from './servicenow_sir'; export * from './resilient'; export * from './mappings'; export * from './swimlane'; - -export type ActionConnector = ActionResult; -export type ActionTypeConnector = ActionType; - -export const ConnectorFieldsRt = rt.union([ - JiraFieldsRT, - ResilientFieldsRT, - ServiceNowITSMFieldsRT, - ServiceNowSIRFieldsRT, - rt.null, -]); - -export enum ConnectorTypes { - casesWebhook = '.cases-webhook', - jira = '.jira', - none = '.none', - resilient = '.resilient', - serviceNowITSM = '.servicenow', - serviceNowSIR = '.servicenow-sir', - swimlane = '.swimlane', -} - -const ConnectorCasesWebhookTypeFieldsRt = rt.type({ - type: rt.literal(ConnectorTypes.casesWebhook), - fields: rt.null, -}); - -const ConnectorJiraTypeFieldsRt = rt.type({ - type: rt.literal(ConnectorTypes.jira), - fields: rt.union([JiraFieldsRT, rt.null]), -}); - -const ConnectorResilientTypeFieldsRt = rt.type({ - type: rt.literal(ConnectorTypes.resilient), - fields: rt.union([ResilientFieldsRT, rt.null]), -}); - -const ConnectorServiceNowITSMTypeFieldsRt = rt.type({ - type: rt.literal(ConnectorTypes.serviceNowITSM), - fields: rt.union([ServiceNowITSMFieldsRT, rt.null]), -}); - -const ConnectorSwimlaneTypeFieldsRt = rt.type({ - type: rt.literal(ConnectorTypes.swimlane), - fields: rt.union([SwimlaneFieldsRT, 
rt.null]), -}); - -const ConnectorServiceNowSIRTypeFieldsRt = rt.type({ - type: rt.literal(ConnectorTypes.serviceNowSIR), - fields: rt.union([ServiceNowSIRFieldsRT, rt.null]), -}); - -const ConnectorNoneTypeFieldsRt = rt.type({ - type: rt.literal(ConnectorTypes.none), - fields: rt.null, -}); - -export const NONE_CONNECTOR_ID: string = 'none'; - -export const ConnectorTypeFieldsRt = rt.union([ - ConnectorCasesWebhookTypeFieldsRt, - ConnectorJiraTypeFieldsRt, - ConnectorNoneTypeFieldsRt, - ConnectorResilientTypeFieldsRt, - ConnectorServiceNowITSMTypeFieldsRt, - ConnectorServiceNowSIRTypeFieldsRt, - ConnectorSwimlaneTypeFieldsRt, -]); - -/** - * This type represents the connector's format when it is encoded within a user action. - */ -export const CaseUserActionConnectorRt = rt.union([ - rt.intersection([ConnectorCasesWebhookTypeFieldsRt, rt.type({ name: rt.string })]), - rt.intersection([ConnectorJiraTypeFieldsRt, rt.type({ name: rt.string })]), - rt.intersection([ConnectorNoneTypeFieldsRt, rt.type({ name: rt.string })]), - rt.intersection([ConnectorResilientTypeFieldsRt, rt.type({ name: rt.string })]), - rt.intersection([ConnectorServiceNowITSMTypeFieldsRt, rt.type({ name: rt.string })]), - rt.intersection([ConnectorServiceNowSIRTypeFieldsRt, rt.type({ name: rt.string })]), - rt.intersection([ConnectorSwimlaneTypeFieldsRt, rt.type({ name: rt.string })]), -]); - -export const CaseConnectorRt = rt.intersection([ - rt.type({ - id: rt.string, - }), - CaseUserActionConnectorRt, -]); - -export const GetCaseConnectorsResponseRt = rt.record( - rt.string, - rt.intersection([ - rt.type({ needsToBePushed: rt.boolean, hasBeenPushed: rt.boolean }), - rt.partial(rt.type({ latestPushDate: rt.string, oldestPushDate: rt.string }).props), - CaseConnectorRt, - ]) -); - -export type CaseUserActionConnector = rt.TypeOf; -export type CaseConnector = rt.TypeOf; -export type ConnectorTypeFields = rt.TypeOf; -export type ConnectorCasesWebhookTypeFields = rt.TypeOf; -export type 
ConnectorJiraTypeFields = rt.TypeOf; -export type ConnectorResilientTypeFields = rt.TypeOf; -export type ConnectorSwimlaneTypeFields = rt.TypeOf; -export type ConnectorServiceNowITSMTypeFields = rt.TypeOf< - typeof ConnectorServiceNowITSMTypeFieldsRt ->; -export type ConnectorServiceNowSIRTypeFields = rt.TypeOf; - -// we need to change these types back and forth for storing in ES (arrays overwrite, objects merge) -export type ConnectorFields = rt.TypeOf; - -export type GetCaseConnectorsResponse = rt.TypeOf; +export * from './get_connectors'; +export * from './connector'; diff --git a/x-pack/plugins/cases/server/authorization/audit_logger.ts b/x-pack/plugins/cases/server/authorization/audit_logger.ts index 88293689446f8..338af379bbcc7 100644 --- a/x-pack/plugins/cases/server/authorization/audit_logger.ts +++ b/x-pack/plugins/cases/server/authorization/audit_logger.ts @@ -5,7 +5,7 @@ * 2.0. */ -import type { EcsEventOutcome } from '@kbn/core/server'; +import type { EcsEvent } from '@kbn/core/server'; import type { AuditEvent, AuditLogger } from '@kbn/security-plugin/server'; import type { OperationDetails } from '.'; import { DATABASE_CATEGORY, ECS_OUTCOMES, isWriteOperation } from '.'; @@ -39,7 +39,7 @@ export class AuthorizationAuditLogger { const ownerText = entity?.owner === undefined ? 'as any owners' : `as owner "${entity.owner}"`; let message: string; - let outcome: EcsEventOutcome; + let outcome: EcsEvent['outcome']; if (error) { message = `Failed attempt to ${operation.verbs.present} ${doc} ${ownerText}`; diff --git a/x-pack/plugins/cases/server/authorization/index.ts b/x-pack/plugins/cases/server/authorization/index.ts index 392974fa56979..75fa465b4813e 100644 --- a/x-pack/plugins/cases/server/authorization/index.ts +++ b/x-pack/plugins/cases/server/authorization/index.ts 
@@ -5,8 +5,9 @@ * 2.0. */ -import type { EcsEventCategory, EcsEventOutcome, EcsEventType } from '@kbn/core/server'; +import type { EcsEvent } from '@kbn/core/server'; import type { CasesSupportedOperations } from '@kbn/security-plugin/server'; +import type { ArrayElement } from '@kbn/utility-types'; import { CASE_COMMENT_SAVED_OBJECT, CASE_CONFIGURE_SAVED_OBJECT, @@ -44,7 +45,7 @@ const deleteVerbs: Verbs = { past: 'deleted', }; -const EVENT_TYPES: Record = { +const EVENT_TYPES: Record> = { creation: 'creation', deletion: 'deletion', change: 'change', @@ -65,12 +66,12 @@ const ACCESS_USER_ACTION_OPERATION: CasesSupportedOperations = 'getUserActions'; /** * Database constant for ECS category for use for audit logging. */ -export const DATABASE_CATEGORY: EcsEventCategory[] = ['database']; +export const DATABASE_CATEGORY: EcsEvent['category'] = ['database']; /** * ECS Outcomes for audit logging. */ -export const ECS_OUTCOMES: Record = { +export const ECS_OUTCOMES: Record = { failure: 'failure', success: 'success', unknown: 'unknown', diff --git a/x-pack/plugins/cases/server/authorization/types.ts b/x-pack/plugins/cases/server/authorization/types.ts index 57735803e69bf..2332fd51df81c 100644 --- a/x-pack/plugins/cases/server/authorization/types.ts +++ b/x-pack/plugins/cases/server/authorization/types.ts @@ -5,9 +5,10 @@ * 2.0. */ -import type { EcsEventType } from '@kbn/core/server'; +import type { EcsEvent } from '@kbn/core/server'; import type { KueryNode } from '@kbn/es-query'; import type { CasesSupportedOperations } from '@kbn/security-plugin/server'; +import type { ArrayElement } from '@kbn/utility-types'; /** * The tenses for describing the action performed by a API route 
@@ -73,7 +74,7 @@ export interface OperationDetails { /** * The ECS event type that this operation should be audit logged as (creation, deletion, access, etc) */ - ecsType: EcsEventType; + ecsType: ArrayElement; /** * The name of the operation to authorize against for the privilege check. * These values need to match one of the operation strings defined here: x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/cases.ts diff --git a/x-pack/plugins/cases/server/client/user_actions/connectors.ts b/x-pack/plugins/cases/server/client/user_actions/connectors.ts index 0239d740e4069..0102aac887bf1 100644 --- a/x-pack/plugins/cases/server/client/user_actions/connectors.ts +++ b/x-pack/plugins/cases/server/client/user_actions/connectors.ts @@ -14,9 +14,14 @@ import type { GetCaseConnectorsResponse, CaseConnector, CaseUserActionInjectedAttributesWithoutActionId, + CaseExternalServiceBasic, } from '../../../common/api'; import { GetCaseConnectorsResponseRt } from '../../../common/api'; -import { isConnectorUserAction, isCreateCaseUserAction } from '../../../common/utils/user_actions'; +import { + isConnectorUserAction, + isCreateCaseUserAction, + isPushedUserAction, +} from '../../../common/utils/user_actions'; import { createCaseError } from '../../common/error'; import type { CasesClientArgs } from '..'; import type { Authorization, OwnerEntity } from '../../authorization'; @@ -106,6 +111,7 @@ const checkConnectorsAuthorization = async ({ interface EnrichedPushInfo { latestPushDate: Date; oldestPushDate: Date; + externalService: CaseExternalServiceBasic; connectorFieldsUsedInPush: CaseConnector; } 
@@ -125,20 +131,21 @@ const getConnectorsInfo = async ({ const connectorIds = connectors.map((connector) => connector.connectorId); const [pushInfo, actionConnectors] = await Promise.all([ - getPushInfo({ caseId, activity: connectors, userActionService }), + getEnrichedPushInfo({ caseId, activity: connectors, userActionService }), actionsClient.getBulk(connectorIds), ]); return createConnectorInfoResult({ actionConnectors, connectors, pushInfo, latestUserAction }); }; -interface PushTimeFrameDetails { +interface PushDetails { connectorId: string; + externalService: CaseExternalServiceBasic; mostRecentPush: Date; oldestPush: Date; } -const getPushInfo = async ({ +const getEnrichedPushInfo = async ({ caseId, activity, userActionService, @@ -147,24 +154,7 @@ const getPushInfo = async ({ activity: CaseConnectorActivity[]; userActionService: CaseUserActionService; }): Promise> => { - const pushDetails: PushTimeFrameDetails[] = []; - - for (const connectorInfo of activity) { - const mostRecentPushCreatedAt = getDate(connectorInfo.push?.mostRecent.attributes.created_at); - const oldestPushCreatedAt = getDate(connectorInfo.push?.oldest.attributes.created_at); - - if ( - connectorInfo.push != null && - mostRecentPushCreatedAt != null && - oldestPushCreatedAt != null - ) { - pushDetails.push({ - connectorId: connectorInfo.connectorId, - mostRecentPush: mostRecentPushCreatedAt, - oldestPush: oldestPushCreatedAt, - }); - } - } + const pushDetails = getPushDetails(activity); const connectorFieldsForPushes = await userActionService.getConnectorFieldsBeforeLatestPush( caseId, @@ -180,6 +170,7 @@ const getPushInfo = async ({ enrichedPushInfo.set(pushInfo.connectorId, { latestPushDate: pushInfo.mostRecentPush, oldestPushDate: pushInfo.oldestPush, + externalService: pushInfo.externalService, connectorFieldsUsedInPush: connectorFields, }); } 
@@ -188,6 +179,40 @@ const getPushInfo = async ({ return enrichedPushInfo; }; +const getPushDetails = (activity: CaseConnectorActivity[]) => { + const pushDetails: PushDetails[] = []; + + for (const connectorInfo of activity) { + const externalService = getExternalServiceFromSavedObject(connectorInfo.push?.mostRecent); + const mostRecentPushCreatedAt = getDate(connectorInfo.push?.mostRecent.attributes.created_at); + const oldestPushCreatedAt = getDate(connectorInfo.push?.oldest.attributes.created_at); + + if ( + connectorInfo.push != null && + externalService != null && + mostRecentPushCreatedAt != null && + oldestPushCreatedAt != null + ) { + pushDetails.push({ + connectorId: connectorInfo.connectorId, + externalService, + mostRecentPush: mostRecentPushCreatedAt, + oldestPush: oldestPushCreatedAt, + }); + } + } + + return pushDetails; +}; + +const getExternalServiceFromSavedObject = ( + savedObject: SavedObject | undefined +): CaseExternalServiceBasic | undefined => { + if (savedObject != null && isPushedUserAction(savedObject.attributes)) { + return savedObject.attributes.payload.externalService; + } +}; + const getDate = (timestamp: string | undefined): Date | undefined => { if (timestamp == null) { return; @@ -247,10 +272,13 @@ const createConnectorInfoResult = ({ results[connector.id] = { ...connector, name: connectorDetails.name, - needsToBePushed, - latestPushDate: enrichedPushInfo?.latestPushDate.toISOString(), - oldestPushDate: enrichedPushInfo?.oldestPushDate.toISOString(), - hasBeenPushed: hasBeenPushed(enrichedPushInfo), + push: { + needsToBePushed, + hasBeenPushed: hasBeenPushed(enrichedPushInfo), + externalService: enrichedPushInfo?.externalService, + latestUserActionPushDate: enrichedPushInfo?.latestPushDate.toISOString(), + oldestUserActionPushDate: enrichedPushInfo?.oldestPushDate.toISOString(), + }, }; } } 
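Review bot: `getPushDetails` now also requires `externalService != null`, so a connector whose `push.mostRecent` saved object does not satisfy `isPushedUserAction` is dropped silently even when both push dates are valid. From what is visible, that connector would then have no entry in the enriched push info and would be reported as not pushed; a debug log or a comment saying this is intended would help. The `createConnectorInfoResult` hunk on the same line copies `externalService` unchanged from the saved object into the response, so it is worth confirming that every field of `CaseExternalServiceBasic` is meant to be returned by this endpoint. An explicit return type, `const getPushDetails = (activity: CaseConnectorActivity[]): PushDetails[] => {`, would match the other helpers in the file.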
diff --git a/x-pack/plugins/cases/server/services/user_actions/audit_logger.ts b/x-pack/plugins/cases/server/services/user_actions/audit_logger.ts index 82a016d2a0c3e..af3599c11c67b 100644 --- a/x-pack/plugins/cases/server/services/user_actions/audit_logger.ts +++ b/x-pack/plugins/cases/server/services/user_actions/audit_logger.ts @@ -5,12 +5,13 @@ * 2.0. */ -import type { EcsEventType } from '@kbn/ecs'; +import type { EcsEvent } from '@kbn/ecs'; import type { AuditLogger } from '@kbn/security-plugin/server'; +import type { ArrayElement } from '@kbn/utility-types'; import type { UserAction as Action } from '../../../common/api'; import type { EventDetails } from './types'; -const actionsToEcsType: Record = { +const actionsToEcsType: Record> = { add: 'change', delete: 'deletion', create: 'creation', @@ -31,7 +32,7 @@ export class UserActionAuditLogger { event: { action: event.descriptiveAction, category: ['database'], - type: [actionsToEcsType[event.action]], + type: [actionsToEcsType[event.action] as string], outcome: 'success', }, kibana: { diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx index 0a0b05d35b32b..1d221f49f866f 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.test.tsx 
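Review bot: The cast in `type: [actionsToEcsType[event.action] as string],` widens the value to `string`, so the compiler no longer checks that the audit record's `event.type` is one of the ECS event types. `actionsToEcsType` is already declared against `ArrayElement` of the ECS type (the generic arguments are not legible on this page), so the cast should not be needed if the audit event field uses the same type. If it is only there to bridge two type definitions, a comment such as `// cast: AuditEvent's type field is declared as string[]` would record why; otherwise `type: [actionsToEcsType[event.action]],` keeps the check. The enclosing method starts and ends outside the hunk.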
@@ -10,7 +10,7 @@ import { render, waitFor } from '@testing-library/react'; import { coreMock } from '@kbn/core/public/mocks'; import userEvent from '@testing-library/user-event'; import { TestProvider } from '../../test/test_provider'; -import { getCloudDefendNewPolicyMock } from '../../test/mocks'; +import { getCloudDefendNewPolicyMock, MOCK_YAML_INVALID_CONFIGURATION } from '../../test/mocks'; import { ControlGeneralView } from '.'; import { getInputFromPolicy } from '../../common/utils'; import { INPUT_CONTROL } from '../../../common/constants'; @@ -106,4 +106,13 @@ describe('', () => { expect(getByTitle('Remove excludeCustomNginxBuild3 from selection in this group')).toBeTruthy(); }); + + it('doesnt blow up if invalid yaml passed in', async () => { + const { queryAllByTestId } = render( + + ); + + expect(queryAllByTestId('cloud-defend-selector')).toHaveLength(0); + expect(queryAllByTestId('cloud-defend-response')).toHaveLength(0); + }); }); diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx index 9fc8add9640ce..01f2affa09c5d 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view/index.tsx @@ -42,7 +42,7 @@ export const ControlGeneralView = ({ policy, onChange, show }: ViewDeps) => { try { const result = yaml.load(configuration); - if (result) { + if (result && result.hasOwnProperty('selectors') && result.hasOwnProperty('responses')) { return result; } } catch { 
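Review bot: The new guard after `yaml.load(configuration)` in `ControlGeneralView` checks only that `selectors` and `responses` exist, not that they are arrays, so a policy such as `selectors: 1` still passes and appears to reach code like `selectors.find(...)` in the next hunk. Checking the shape instead, `if (result && Array.isArray(result.selectors) && Array.isArray(result.responses)) {`, rejects those documents. It also avoids calling `hasOwnProperty` on an object built from user-supplied YAML, where a key of that name would shadow the method. The surrounding block starts and ends outside the hunk.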
@@ -77,8 +77,11 @@ export const ControlGeneralView = ({ policy, onChange, show }: ViewDeps) => { const incrementName = useCallback( (name: string): string => { // increment name using ints - const lastChar = parseInt(name.slice(-1), 10); - const newName = isNaN(lastChar) ? name + '1' : name.slice(0, -1) + (lastChar + 1); + const numberSuffix = name.search(/\d+$/); + const newName = + numberSuffix !== -1 + ? name.slice(0, numberSuffix) + (parseInt(name.slice(numberSuffix), 10) + 1) + : name + '1'; const dupe = selectors.find((selector) => selector.name === newName); if (dupe) { diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view/translations.ts b/x-pack/plugins/cloud_defend/public/components/control_general_view/translations.ts index d97789e8f9e9a..26c77aa6aa74b 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view/translations.ts +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view/translations.ts @@ -76,6 +76,10 @@ export const name = i18n.translate('xpack.cloudDefend.name', { defaultMessage: 'Name', }); +export const errorConditionRequired = i18n.translate('xpack.cloudDefend.errorConditionRequired', { + defaultMessage: 'At least one condition per selector is required.', +}); + export const errorDuplicateName = i18n.translate('xpack.cloudDefend.errorDuplicateName', { defaultMessage: 'This name is already used by another selector.', }); diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.test.tsx b/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.test.tsx index 71e33c7005af1..35f1a418725a0 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.test.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.test.tsx 
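Review bot: `incrementName` now parses the whole trailing digit run with `parseInt`, which drops leading zeros (`sel007` becomes `sel8`) and loses precision once the suffix exceeds `Number.MAX_SAFE_INTEGER`, at which point the concatenated name can come out in exponent form. Selector names come from the policy configuration, so either bound the match, `const numberSuffix = name.search(/\d{1,15}$/);`, or add a comment stating that long numeric suffixes are out of scope. The function body continues outside the hunk.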
@@ -118,21 +118,33 @@ describe('', () => { expect(updatedOptions[0]).not.toHaveTextContent('containerImageName'); }); - it('ensures at least one condition is provided, and a value specified', async () => { - const { getByText, getByTestId } = render(); + it('shows an error if no conditions are added', async () => { + const { getByText, getByTestId, rerender } = render(); userEvent.click(getByTestId('cloud-defend-btnremovecondition-operation')); - expect(onChange.mock.calls).toHaveLength(0); // because operation is the only condition, it should not have been removed. + const updatedSelector: ControlSelector = { ...onChange.mock.calls[0][0] }; + + rerender(); + + await waitFor(() => expect(getByText(i18n.errorConditionRequired)).toBeTruthy()); + + expect(onChange.mock.calls[0][0]).toHaveProperty('hasErrors'); + }); + it('shows an error if no values provided for condition', async () => { + const { getByText, getByTestId } = render(); const addConditionBtn = getByTestId('cloud-defend-btnaddselectorcondition'); + + userEvent.click(getByTestId('cloud-defend-btnremovecondition-operation')); userEvent.click(addConditionBtn); await waitFor(() => userEvent.click(getByText('Container image name'))); // add containerImageName - expect(onChange.mock.calls).toHaveLength(1); - expect(onChange.mock.calls[0][0]).toHaveProperty('containerImageName'); - expect(onChange.mock.calls[0][0]).toHaveProperty('hasErrors'); + expect(onChange.mock.calls).toHaveLength(2); + expect(onChange.mock.calls[1][0]).toHaveProperty('containerImageName'); + expect(onChange.mock.calls[1][0]).toHaveProperty('hasErrors'); + expect(getByText(i18n.errorValueRequired)).toBeTruthy(); }); it('prevents conditions from having values that exceed MAX_CONDITION_VALUE_LENGTH_BYTES', async () => { 
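Review bot: Both new tests assert `toHaveProperty('hasErrors')`, which passes whether the value is `true` or `false`. The component hunks shown for `index.tsx` assign `hasErrors` on every change, so these assertions cannot fail for the case they are meant to cover. If the intent is that the selector is flagged as invalid, pin the value: `expect(onChange.mock.calls[1][0]).toHaveProperty('hasErrors', true);`, and likewise for `calls[0][0]` in the first test.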
diff --git a/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.tsx b/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.tsx index 509c0e1b3069f..1bcedbe13cc4a 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_general_view_selector/index.tsx @@ -64,6 +64,14 @@ export const ControlGeneralViewSelector = ({ setAddConditionOpen(false); }, []); + const remainingProps = useMemo(() => { + return Object.keys(ControlSelectorCondition).filter( + (condition) => !selector.hasOwnProperty(condition) + ); + }, [selector]); + + const conditionsAdded = Object.keys(ControlSelectorCondition).length - remainingProps.length; + const onRemoveClicked = useCallback(() => { // we prevent the removal of the last selector to avoid an empty state if (selectors.length > 1) { @@ -106,11 +114,11 @@ export const ControlGeneralViewSelector = ({ const updatedSelector = { ...selector }; updatedSelector.name = value; - updatedSelector.hasErrors = Object.keys(errorMap).length > 0; + updatedSelector.hasErrors = Object.keys(errorMap).length > 0 || conditionsAdded === 0; onChange(updatedSelector, index); }, - [errorMap, index, onChange, selector, selectors] + [errorMap, index, conditionsAdded, onChange, selector, selectors] ); const onChangeCondition = useCallback( @@ -140,12 +148,12 @@ export const ControlGeneralViewSelector = ({ delete errorMap[prop]; } - updatedSelector.hasErrors = Object.keys(errorMap).length > 0; + updatedSelector.hasErrors = Object.keys(errorMap).length > 0 || conditionsAdded === 0; setErrorMap({ ...errorMap }); onChange(updatedSelector, index); }, - [errorMap, index, onChange, selector] + [errorMap, index, conditionsAdded, onChange, selector] ); const onAddCondition = useCallback( 
@@ -163,12 +171,12 @@ export const ControlGeneralViewSelector = ({ delete errorMap[prop]; setErrorMap({ ...errorMap }); - updatedSelector.hasErrors = Object.keys(errorMap).length > 0; + updatedSelector.hasErrors = Object.keys(errorMap).length > 0 || conditionsAdded === 1; onChange(updatedSelector, index); closeAddCondition(); }, - [closeAddCondition, errorMap, index, onChange, selector] + [closeAddCondition, conditionsAdded, errorMap, index, onChange, selector] ); const onAddValueToCondition = useCallback( @@ -184,18 +192,16 @@ export const ControlGeneralViewSelector = ({ ); const errors = useMemo(() => { - return Object.keys(errorMap).reduce((prev, current) => { + const errs = Object.keys(errorMap).reduce((prev, current) => { return prev.concat(errorMap[current]); }, []); - }, [errorMap]); - const remainingProps = useMemo(() => { - return Object.keys(ControlSelectorCondition).filter( - (condition) => !selector.hasOwnProperty(condition) - ); - }, [selector]); + if (conditionsAdded === 0) { + errs.push(i18n.errorConditionRequired); + } - const conditionsAdded = Object.keys(ControlSelectorCondition).length - remainingProps.length; + return errs; + }, [errorMap, conditionsAdded]); return ( onRemoveCondition(prop)} aria-label="Remove condition" diff --git a/x-pack/plugins/cloud_defend/public/components/control_settings/index.tsx b/x-pack/plugins/cloud_defend/public/components/control_settings/index.tsx index 56fc053308218..b673d745c4935 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_settings/index.tsx +++ b/x-pack/plugins/cloud_defend/public/components/control_settings/index.tsx @@ -29,7 +29,7 @@ export const ControlSettings = ({ policy, onChange }: SettingsDeps) => { const isGeneralViewSelected = viewMode === VIEW_MODE_GENERAL; const isYamlViewSelected = viewMode === VIEW_MODE_YAML; - const onChanges = useCallback( + const onGeneralChanges = useCallback( (opts: OnChangeDeps) => { opts.updatedPolicy = policy; onChange(opts); 
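Review bot: In `onAddCondition` the added check is `conditionsAdded === 1`, while the two callbacks changed in the preceding hunks use `conditionsAdded === 0`. As written, adding a second condition to a selector that already has one sets `hasErrors` even when `errorMap` is empty. `conditionsAdded` is derived from the `selector` prop before the update, so the "no conditions" case cannot apply after an add. If the aim is to flag the still-empty value of the new condition, recording that in `errorMap` would be clearer; otherwise the line needs a comment explaining the `1`. The callback starts outside the hunk.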
@@ -38,6 +38,17 @@ export const ControlSettings = ({ policy, onChange }: SettingsDeps) => { [onChange, policy] ); + const onYamlChanges = useCallback( + (opts: OnChangeDeps) => { + if (isYamlViewSelected) { + opts.updatedPolicy = policy; + onChange(opts); + setIsValid(opts.isValid); + } + }, + [isYamlViewSelected, onChange, policy] + ); + return ( @@ -63,8 +74,17 @@ export const ControlSettings = ({ policy, onChange }: SettingsDeps) => { - - + {/** general view removed from DOM for performance and to avoid errors when invalid yaml is passed to it**/} + {isGeneralViewSelected && ( + + )} + {/** Yaml view is kept in the dom at all times to prevent some sizing/rendering issues. + Also only listening for changes if yaml view visible to avoid isValid race condition **/} + ); diff --git a/x-pack/plugins/cloud_defend/public/components/control_yaml_view/translations.ts b/x-pack/plugins/cloud_defend/public/components/control_yaml_view/translations.ts index f183a02e1fb3f..30679b5f60edf 100644 --- a/x-pack/plugins/cloud_defend/public/components/control_yaml_view/translations.ts +++ b/x-pack/plugins/cloud_defend/public/components/control_yaml_view/translations.ts @@ -13,6 +13,5 @@ export const errorAlertActionRequired = i18n.translate('xpack.cloudDefend.alertA }); export const controlYamlHelp = i18n.translate('xpack.cloudDefend.controlYamlHelp', { - defaultMessage: - 'Configure BPF/LSM controls by creating selectors, and responses below. To learn more click ', + defaultMessage: 'Configure BPF/LSM controls by creating selectors, and responses below.', }); diff --git a/x-pack/plugins/cloud_defend/public/test/mocks.ts b/x-pack/plugins/cloud_defend/public/test/mocks.ts index 9a9f707cf2354..7dcf8d99d9116 100644 --- a/x-pack/plugins/cloud_defend/public/test/mocks.ts +++ b/x-pack/plugins/cloud_defend/public/test/mocks.ts 
@@ -38,8 +38,7 @@ responses: `; export const MOCK_YAML_INVALID_CONFIGURATION = ` -selectrs: -reeesponses: +s `; export const getCloudDefendNewPolicyMock = (yaml = MOCK_YAML_CONFIGURATION): NewPackagePolicy => ({ diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/components/curations_table.test.tsx b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/components/curations_table.test.tsx index 3d98b684f8dfc..d86cb8592635a 100644 --- a/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/components/curations_table.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/app_search/components/curations/components/curations_table.test.tsx @@ -84,8 +84,8 @@ describe('CurationsTable', () => { expect(tableContent).toContain('mountains, valleys'); expect(tableContent).toContain('Last updated'); - expect(tableContent).toContain('Jan 1, 1970 12:00 PM'); - expect(tableContent).toContain('Jan 2, 1970 12:00 PM'); + expect(tableContent).toContain('Jan 1, 1970 12:00 PM'); + expect(tableContent).toContain('Jan 2, 1970 12:00 PM'); }); it('renders queries with curation links and curation suggestion badges', () => { diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/components/tables/engines_table.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/components/tables/engines_table.tsx index 6bdb73a074d4b..1c419704aa27d 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/components/tables/engines_table.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/components/tables/engines_table.tsx 
@@ -9,9 +9,15 @@ import React from 'react'; import { useValues } from 'kea'; -import { CriteriaWithPagination, EuiBasicTable, EuiBasicTableColumn } from '@elastic/eui'; +import { + CriteriaWithPagination, + EuiBasicTable, + EuiBasicTableColumn, + EuiButtonEmpty, +} from '@elastic/eui'; import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; import { EnterpriseSearchEngine } from '../../../../../../../common/types/engines'; import { MANAGE_BUTTON_LABEL } from '../../../../../shared/constants'; @@ -25,7 +31,6 @@ import { ENGINE_PATH } from '../../../../routes'; import { convertMetaToPagination, Meta } from '../../types'; -// add health status interface EnginesListTableProps { enginesList: EnterpriseSearchEngine[]; isLoading?: boolean; @@ -33,6 +38,7 @@ interface EnginesListTableProps { meta: Meta; onChange: (criteria: CriteriaWithPagination) => void; onDelete: (engine: EnterpriseSearchEngine) => void; + viewEngineIndices: (engineName: string) => void; } export const EnginesListTable: React.FC = ({ enginesList, @@ -40,6 +46,7 @@ export const EnginesListTable: React.FC = ({ meta, onChange, onDelete, + viewEngineIndices, }) => { const { navigateToUrl } = useValues(KibanaLogic); const columns: Array> = [ @@ -74,11 +81,28 @@ export const EnginesListTable: React.FC = ({ render: (dateString: string) => , }, { - field: 'indices.length', - datatype: 'number', + field: 'indices', name: i18n.translate('xpack.enterpriseSearch.content.enginesList.table.column.indices', { defaultMessage: 'Indices', }), + align: 'right', + + render: (indices: string[], engine) => ( + viewEngineIndices(engine.name)} + > + + + ), }, { diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engine_list_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engine_list_logic.test.ts index 9a512c07b9cb4..d661e10f16c8c 100644 
--- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engine_list_logic.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engine_list_logic.test.ts @@ -127,6 +127,7 @@ describe('EnginesListLogic', () => { }); }); }); + describe('reducers', () => { describe('meta', () => { it('updates when apiSuccess', () => { diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx index e9bded754116c..cf97afc5673ec 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list.tsx @@ -16,6 +16,7 @@ import { i18n } from '@kbn/i18n'; import { FormattedMessage, FormattedNumber } from '@kbn/i18n-react'; import { INPUT_THROTTLE_DELAY_MS } from '../../../shared/constants/timers'; + import { DataPanel } from '../../../shared/data_panel/data_panel'; import { EnterpriseSearchEnginesPageTemplate } from '../layout/engines_page_template'; @@ -24,6 +25,8 @@ import { EmptyEnginesPrompt } from './components/empty_engines_prompt'; import { EnginesListTable } from './components/tables/engines_table'; import { CreateEngineFlyout } from './create_engine_flyout'; import { DeleteEngineModal } from './delete_engine_modal'; +import { EngineListIndicesFlyout } from './engines_list_flyout'; +import { EnginesListFlyoutLogic } from './engines_list_flyout_logic'; import { EnginesListLogic } from './engines_list_logic'; const CreateButton: React.FC = () => { 
@@ -46,6 +49,7 @@ const CreateButton: React.FC = () => { export const EnginesList: React.FC = () => { const { closeEngineCreate, fetchEngines, onPaginate, openDeleteEngineModal, setSearchQuery } = useActions(EnginesListLogic); + const { openFetchEngineFlyout } = useActions(EnginesListFlyoutLogic); const { isLoading, meta, results, createEngineFlyoutOpen, searchQuery } = useValues(EnginesListLogic); @@ -58,6 +62,8 @@ export const EnginesList: React.FC = () => { return ( <> + + {createEngineFlyoutOpen && } { meta={meta} onChange={onPaginate} onDelete={openDeleteEngineModal} + viewEngineIndices={openFetchEngineFlyout} loading={false} /> diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout.tsx new file mode 100644 index 0000000000000..db1ebaf088a00 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout.tsx 
@@ -0,0 +1,161 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { useValues, useActions } from 'kea'; + +import { + EuiBasicTable, + EuiBasicTableColumn, + EuiFlyout, + EuiFlyoutBody, + EuiFlyoutHeader, + EuiIcon, + EuiSpacer, + EuiText, + EuiTitle, +} from '@elastic/eui'; + +import { i18n } from '@kbn/i18n'; + +import { FormattedMessage } from '@kbn/i18n-react'; + +import { Status } from '../../../../../common/types/api'; + +import { EnterpriseSearchEngineIndex } from '../../../../../common/types/engines'; + +import { healthColorsMap } from '../../../shared/constants/health_colors'; +import { generateEncodedPath } from '../../../shared/encode_path_params'; +import { EuiLinkTo } from '../../../shared/react_router_helpers'; +import { SEARCH_INDEX_PATH } from '../../routes'; +import { IngestionMethod } from '../../types'; +import { ingestionMethodToText } from '../../utils/indices'; + +import { EngineError } from '../engine/engine_error'; + +import { EnginesListFlyoutLogic } from './engines_list_flyout_logic'; + +export const EngineListIndicesFlyout: React.FC = () => { + const { + fetchEngineData, + fetchEngineName, + isFetchEngineLoading, + isFetchEngineFlyoutVisible, + fetchEngineApiStatus, + fetchEngineApiError, + } = useValues(EnginesListFlyoutLogic); + const { closeFetchIndicesFlyout } = useActions(EnginesListFlyoutLogic); + + if (!fetchEngineData) return null; + const { indices } = fetchEngineData; + const engineFetchError = fetchEngineApiStatus === Status.ERROR ? 
true : false; + + const columns: Array> = [ + { + field: 'name', + name: i18n.translate( + 'xpack.enterpriseSearch.content.enginesList.indicesFlyout.table.name.columnTitle', + { + defaultMessage: 'Index name', + } + ), + render: (indexName: string) => ( + + {indexName} + + ), + sortable: true, + truncateText: true, + width: '40%', + }, + { + field: 'health', + name: i18n.translate( + 'xpack.enterpriseSearch.content.enginesList.indicesFlyout.table.health.columnTitle', + { + defaultMessage: 'Index health', + } + ), + render: (health: 'red' | 'green' | 'yellow' | 'unavailable') => ( + + +  {health ?? '-'} + + ), + sortable: true, + truncateText: true, + width: '15%', + }, + { + field: 'count', + name: i18n.translate( + 'xpack.enterpriseSearch.content.enginesList.indicesFlyout.table.docsCount.columnTitle', + { + defaultMessage: 'Docs count', + } + ), + sortable: true, + truncateText: true, + width: '15%', + }, + { + field: 'source', + name: i18n.translate( + 'xpack.enterpriseSearch.content.enginesList.indicesFlyout.table.ingestionMethod.columnTitle', + { + defaultMessage: 'Ingestion method', + } + ), + render: (source: IngestionMethod) => ( + {ingestionMethodToText(source)} + ), + truncateText: true, + width: '15%', + }, + ]; + + if (isFetchEngineFlyoutVisible) { + return ( + + + +

    + {i18n.translate('xpack.enterpriseSearch.content.enginesList.indicesFlyout.title', { + defaultMessage: 'View Indices', + })} +

    +
    + + + + +
    + + + {engineFetchError ? ( + + ) : ( + + )} + +
    + ); + } else { + return <>; + } +}; diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout_logic.test.ts new file mode 100644 index 0000000000000..a3973565c4306 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout_logic.test.ts 
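Review bot: In `EngineListIndicesFlyout` the early `if (!fetchEngineData) return null;` runs before `engineFetchError` and `isFetchEngineFlyoutVisible` are consulted. If the fetch fails or is still loading and no engine data is present (presumably the case on a first open), the component renders nothing, so the error branch and the table's loading state are never shown. Checking visibility first and reading the rows as `const indices = fetchEngineData?.indices ?? [];` would let both states display. Separately, `fetchEngineApiStatus === Status.ERROR ? true : false` can be written `fetchEngineApiStatus === Status.ERROR`.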
@@ -0,0 +1,107 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { LogicMounter } from '../../../__mocks__/kea_logic'; + +import { nextTick } from '@kbn/test-jest-helpers'; + +import { Status } from '../../../../../common/types/api'; +import { EnterpriseSearchEngineDetails } from '../../../../../common/types/engines'; + +import { FetchEngineApiLogic } from '../../api/engines/fetch_engine_api_logic'; + +import { EngineListFlyoutValues, EnginesListFlyoutLogic } from './engines_list_flyout_logic'; + +const DEFAULT_VALUES: EngineListFlyoutValues = { + fetchEngineData: undefined, + fetchEngineName: null, + isFetchEngineFlyoutVisible: false, + fetchEngineApiStatus: Status.IDLE, + fetchEngineApiError: undefined, + isFetchEngineLoading: false, +}; +const mockEngineData: EnterpriseSearchEngineDetails = { + created: '1999-12-31T23:59:59Z', + indices: [ + { + count: 10, + health: 'green', + name: 'search-001', + source: 'api', + }, + { + count: 1000, + health: 'yellow', + name: 'search-002', + source: 'crawler', + }, + ], + name: 'my-test-engine', + updated: '1999-12-31T23:59:59Z', +}; + +describe('EngineListFlyoutLogic', () => { + const { mount } = new LogicMounter(EnginesListFlyoutLogic); + const { mount: apiLogicMount } = new LogicMounter(FetchEngineApiLogic); + + beforeEach(() => { + jest.clearAllMocks(); + jest.useRealTimers(); + apiLogicMount(); + mount(); + }); + it('has expected default values', () => { + expect(EnginesListFlyoutLogic.values).toEqual(DEFAULT_VALUES); + }); + + describe('actions', () => { + describe('closeFetchEngineIndicesFlyout', () => { + it('set isFetchEngineFlyoutVisible to false and fetchEngineName to empty string', () => { + EnginesListFlyoutLogic.actions.closeFetchIndicesFlyout(); + 
expect(EnginesListFlyoutLogic.values).toEqual(DEFAULT_VALUES); + }); + }); + describe('openFetchEngineIndicesFlyout', () => { + it('set isFetchEngineFlyoutVisible to true and sets fetchEngineName to engine name', () => { + EnginesListFlyoutLogic.actions.openFetchEngineFlyout('my-test-engine'); + expect(EnginesListFlyoutLogic.values).toEqual({ + ...DEFAULT_VALUES, + isFetchEngineFlyoutVisible: true, + fetchEngineName: 'my-test-engine', + isFetchEngineLoading: true, + fetchEngineApiStatus: Status.LOADING, + }); + }); + }); + }); + + describe('selectors', () => { + it('receives fetchEngine indices data on success', () => { + expect(EnginesListFlyoutLogic.values).toEqual(DEFAULT_VALUES); + FetchEngineApiLogic.actions.apiSuccess(mockEngineData); + expect(EnginesListFlyoutLogic.values).toEqual({ + ...DEFAULT_VALUES, + fetchEngineApiStatus: Status.SUCCESS, + fetchEngineData: mockEngineData, + }); + }); + }); + describe('listeners', () => { + beforeEach(() => { + FetchEngineApiLogic.actions.apiSuccess(mockEngineData); + }); + it('fetch engines flyout when flyout is visible', async () => { + jest.useFakeTimers({ legacyFakeTimers: true }); + EnginesListFlyoutLogic.actions.openFetchEngineFlyout = jest.fn(); + EnginesListFlyoutLogic.actions.openFetchEngineFlyout('my-test-engine'); + await nextTick(); + expect(EnginesListFlyoutLogic.actions.openFetchEngineFlyout).toHaveBeenCalledTimes(1); + expect(EnginesListFlyoutLogic.actions.openFetchEngineFlyout).toHaveBeenCalledWith( + 'my-test-engine' + ); + }); + }); +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout_logic.ts new file mode 100644 index 0000000000000..8598ecd92ae63 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_flyout_logic.ts 
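Review bot: The `listeners` test replaces `EnginesListFlyoutLogic.actions.openFetchEngineFlyout` with `jest.fn()` and then asserts that the mock was called, so it passes without the listener ever running. It does not verify that opening the flyout triggers the request. Spying on the API action instead, for example `FetchEngineApiLogic.actions.makeRequest = jest.fn();` followed by `expect(FetchEngineApiLogic.actions.makeRequest).toHaveBeenCalledWith({ engineName: 'my-test-engine' });`, would exercise the listener. The test description for `closeFetchIndicesFlyout` also says the name becomes an empty string, while the reducer in the logic file sets it to `null`.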
@@ -0,0 +1,73 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { kea, MakeLogicType } from 'kea'; + +import { Status } from '../../../../../common/types/api'; +import { FetchEngineApiLogic } from '../../api/engines/fetch_engine_api_logic'; +import { EngineViewActions, EngineViewLogic, EngineViewValues } from '../engine/engine_view_logic'; + +export interface EngineListFlyoutValues { + isFetchEngineLoading: EngineViewValues['isLoadingEngine']; + isFetchEngineFlyoutVisible: boolean; + fetchEngineData: EngineViewValues['engineData']; // data from fetchEngineAPI + fetchEngineName: string | null; + fetchEngineApiError?: EngineViewValues['fetchEngineApiError']; + fetchEngineApiStatus: EngineViewValues['fetchEngineApiStatus']; +} +export interface EngineListFlyoutActions { + closeFetchIndicesFlyout(): void; + fetchEngineData: EngineViewActions['fetchEngine'] | null; + openFetchEngineFlyout: (engineName: string) => { engineName: string }; +} + +export const EnginesListFlyoutLogic = kea< + MakeLogicType +>({ + connect: { + actions: [EngineViewLogic, ['fetchEngine as fetchEngine']], + values: [ + EngineViewLogic, + [ + 'engineData as fetchEngineData', + 'fetchEngineApiError as fetchEngineApiError', + 'fetchEngineApiStatus as fetchEngineApiStatus', + ], + ], + }, + actions: { + closeFetchIndicesFlyout: true, + openFetchEngineFlyout: (engineName) => ({ engineName }), + }, + path: ['enterprise_search', 'content', 'engine_list_flyout_logic'], + reducers: ({}) => ({ + fetchEngineName: [ + null, + { + closeFetchIndicesFlyout: () => null, + openFetchEngineFlyout: (_, { engineName }) => engineName, + }, + ], + isFetchEngineFlyoutVisible: [ + false, + { + closeFetchIndicesFlyout: () => false, + openFetchEngineFlyout: () => true, + }, + ], + }), + selectors: ({ 
selectors }) => ({ + isFetchEngineLoading: [ + () => [selectors.fetchEngineApiStatus], + (status: EngineListFlyoutValues['fetchEngineApiStatus']) => [Status.LOADING].includes(status), + ], + }), + listeners: ({}) => ({ + openFetchEngineFlyout: async (input) => { + FetchEngineApiLogic.actions.makeRequest(input); + }, + }), +}); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_logic.ts index 81cf12da12c34..c515ada735d06 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/engines/engines_list_logic.ts @@ -105,6 +105,7 @@ export const EnginesListLogic = kea engine, }, ], + isDeleteModalVisible: [ false, { @@ -112,6 +113,7 @@ export const EnginesListLogic = kea true, }, ], + parameters: [ { meta: DEFAULT_META }, { @@ -137,6 +139,7 @@ export const EnginesListLogic = kea ({ deleteModalEngineName: [() => [selectors.deleteModalEngine], (engine) => engine?.name ?? ''], + isDeleteLoading: [ () => [selectors.deleteStatus], (status: EngineListValues['deleteStatus']) => [Status.LOADING].includes(status), diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/formatted_date_time/index.test.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/formatted_date_time/index.test.tsx index fd76943d3e727..f74125b1528c7 100644 --- a/x-pack/plugins/enterprise_search/public/applications/shared/formatted_date_time/index.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/shared/formatted_date_time/index.test.tsx 
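Review bot: `EngineListFlyoutActions` declares a `fetchEngineData` member typed `EngineViewActions['fetchEngine'] | null`, but the logic never defines it. `actions` only holds `closeFetchIndicesFlyout` and `openFetchEngineFlyout`, and `connect.actions` brings in `fetchEngine`, which nothing in this file dispatches. Either drop the connected action together with the interface member, or declare it as `fetchEngine: EngineViewActions['fetchEngine'];` so the type matches what is mounted. The listener is also marked `async` without awaiting anything; `openFetchEngineFlyout: ({ engineName }) => { FetchEngineApiLogic.actions.makeRequest({ engineName }); }` would state the payload shape explicitly.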
@@ -16,7 +16,7 @@ describe('FormattedDateTime', () => { const date = new Date('1970-01-01T12:00:00'); const wrapper = mountWithIntl(); - expect(wrapper.text()).toEqual('Jan 1, 1970 12:00 PM'); + expect(wrapper.text()).toEqual('Jan 1, 1970 12:00 PM'); }); it('does not render time if hideTime is passed', () => { diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/instructions.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/instructions.tsx index 4e7acd347ed98..a90ff77de9fd4 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/instructions.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/instructions.tsx @@ -42,7 +42,8 @@ export const Instructions = (props: InstructionProps) => { refreshAgentPolicies, } = props; const fleetStatus = useFleetStatus(); - const { isUnhealthy: isFleetServerUnhealthy } = useFleetServerUnhealthy(); + const { isUnhealthy: isFleetServerUnhealthy, isLoading: isLoadingFleetServerHealth } = + useFleetServerUnhealthy(); useEffect(() => { refreshAgentPolicies(); @@ -66,14 +67,17 @@ export const Instructions = (props: InstructionProps) => { const fleetServers = agents?.items || []; - if (isLoadingAgents || isLoadingAgentPolicies) return ; + if (isLoadingAgents || isLoadingAgentPolicies || isLoadingFleetServerHealth) + return ; const hasNoFleetServerHost = fleetStatus.isReady && (fleetServerHosts?.length ?? 0) === 0; const showAgentEnrollment = - fleetStatus.isReady && - (isFleetServerPolicySelected || - (!isFleetServerUnhealthy && fleetServers.length > 0 && (fleetServerHosts?.length ?? 0) > 0)); + isFleetServerPolicySelected || + (fleetStatus.isReady && + !isFleetServerUnhealthy && + fleetServers.length > 0 && + (fleetServerHosts?.length ?? 0) > 0); const showFleetServerEnrollment = !isFleetServerPolicySelected && 
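Review bot: In the second `instructions.tsx` hunk, `showAgentEnrollment` no longer depends on `fleetStatus.isReady` when `isFleetServerPolicySelected` is true, because the readiness check moved inside the right-hand branch of the `||`. If that is intended, it deserves a why-comment above the expression, for example `// A selected Fleet Server policy shows enrollment even before fleetStatus.isReady; readiness only gates the regular agent path.`, and a test that pins the not-ready case. The loading guard now spans two lines without braces, so a braced `if (...) { return ...; }` would read more safely. The component body continues outside the hunk, so later uses of `showAgentEnrollment` are not visible here.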
diff --git a/x-pack/plugins/fleet/server/routes/data_streams/handlers.ts b/x-pack/plugins/fleet/server/routes/data_streams/handlers.ts index e6e497991ca82..bf8e8a22cdbdd 100644 --- a/x-pack/plugins/fleet/server/routes/data_streams/handlers.ts +++ b/x-pack/plugins/fleet/server/routes/data_streams/handlers.ts @@ -16,6 +16,9 @@ import { dataStreamService } from '../../services/data_streams'; import { getDataStreamsQueryMetadata } from './get_data_streams_query_metadata'; +const MANAGED_BY = 'fleet'; +const LEGACY_MANAGED_BY = 'ingest-manager'; + interface ESDataStreamInfo { name: string; timestamp_field: { @@ -54,8 +57,11 @@ export const getListHandler: RequestHandler = async (context, request, response) getPackageSavedObjects(savedObjects.client), ]); + // managed_by property 'ingest-manager' added to allow for legacy data streams to be displayed + // See https://github.com/elastic/elastic-agent/issues/654 + const filteredDataStreamsInfo = dataStreamsInfo.filter( - (ds) => ds?._meta?.managed_by === 'fleet' + (ds) => ds?._meta?.managed_by === MANAGED_BY || ds?._meta?.managed_by === LEGACY_MANAGED_BY ); const dataStreamsInfoByName = keyBy(filteredDataStreamsInfo, 'name'); @@ -116,6 +122,7 @@ export const getListHandler: RequestHandler = async (context, request, response) // Query additional information for each data stream const dataStreamPromises = dataStreamNames.map(async (dataStreamName) => { const dataStream = dataStreams[dataStreamName]; + const dataStreamResponse: DataStream = { index: dataStreamName, dataset: '', diff --git a/x-pack/plugins/infra/public/common/visualizations/lens/utils.ts b/x-pack/plugins/infra/public/common/visualizations/lens/utils.ts index a10edfa77985e..a42e43a71771e 100644 --- a/x-pack/plugins/infra/public/common/visualizations/lens/utils.ts +++ b/x-pack/plugins/infra/public/common/visualizations/lens/utils.ts 
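Review bot: In the `getListHandler` hunk, the comment explaining the legacy `ingest-manager` value is separated from the `filter` it describes by a blank line, and it does not say what the check is for. Placing it directly above the `dataStreamsInfo.filter(` call keeps the reason next to the condition. As far as this hunk shows, `_meta.managed_by` is metadata read from the data stream rather than something the handler verifies. The comment could therefore add `// managed_by only selects which data streams are listed; it is not an ownership or access check.`, if that matches the intent. The handler continues outside the hunk.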
@@ -46,7 +46,7 @@ export const getBreakdownColumn = ( type: 'alphabetical', fallback: false, }, - orderDirection: 'desc', + orderDirection: 'asc', otherBucket: false, missingBucket: false, parentFormat: { diff --git a/x-pack/plugins/infra/public/hooks/use_lens_attributes.test.ts b/x-pack/plugins/infra/public/hooks/use_lens_attributes.test.ts index 075d883593b01..cb46714276bd9 100644 --- a/x-pack/plugins/infra/public/hooks/use_lens_attributes.test.ts +++ b/x-pack/plugins/infra/public/hooks/use_lens_attributes.test.ts @@ -79,7 +79,7 @@ describe('useHostTable hook', () => { fallback: false, type: 'alphabetical', }, - orderDirection: 'desc', + orderDirection: 'asc', otherBucket: false, parentFormat: { id: 'terms', diff --git a/x-pack/plugins/infra/public/pages/metrics/hosts/components/tabs/metrics/metric_chart.tsx b/x-pack/plugins/infra/public/pages/metrics/hosts/components/tabs/metrics/metric_chart.tsx index e1374d1ae97ba..fd83ef7b9f6c8 100644 --- a/x-pack/plugins/infra/public/pages/metrics/hosts/components/tabs/metrics/metric_chart.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/hosts/components/tabs/metrics/metric_chart.tsx @@ -19,6 +19,7 @@ import { useLensAttributes } from '../../../../../../hooks/use_lens_attributes'; import { useMetricsDataViewContext } from '../../../hooks/use_data_view'; import { useUnifiedSearchContext } from '../../../hooks/use_unified_search'; import { HostLensAttributesTypes } from '../../../../../../common/visualizations'; +import { useHostsViewContext } from '../../../hooks/use_hosts_view'; export interface MetricChartProps { title: string; @@ -37,6 +38,7 @@ export const MetricChart = ({ title, type, breakdownSize }: MetricChartProps) => onSubmit, } = useUnifiedSearchContext(); const { metricsDataView } = useMetricsDataViewContext(); + const { baseRequest } = useHostsViewContext(); const { services: { lens }, } = useKibana(); 
@@ -111,6 +113,7 @@ export const MetricChart = ({ title, type, breakdownSize }: MetricChartProps) => query={unifiedSearchQuery} filters={unifiedSearchFilters} extraActions={extraAction} + lastReloadRequestTime={baseRequest.requestTs} executionContext={{ type: 'infrastructure_observability_hosts_view', name: `Hosts View ${type} Chart`, diff --git a/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/append.test.tsx b/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/append.test.tsx index 8c3785f1ff403..95dafec27b6aa 100644 --- a/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/append.test.tsx +++ b/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/append.test.tsx @@ -105,6 +105,7 @@ describe('Processor: Append', () => { find('appendValueField.input').simulate('change', [{ label: 'Some_Value' }]); component.update(); }); + form.toggleEuiSwitch('allowDuplicatesSwitch.input'); form.toggleEuiSwitch('ignoreFailureSwitch.input'); // Save the field with new changes 
@@ -115,6 +116,44 @@ describe('Processor: Append', () => { field: 'field_1', ignore_failure: true, value: ['Some_Value'], + allow_duplicates: false, + }); + }); + + test('should allow to set media_type when value is a template snippet', async () => { + const { + actions: { saveNewProcessor }, + form, + find, + component, + exists, + } = testBed; + + // Add "field" value (required) + form.setInputValue('fieldNameField.input', 'sample_field'); + + // Shouldn't be able to set media_type if value is not a template string + await act(async () => { + find('appendValueField.input').simulate('change', [{ label: 'value_1' }]); + }); + component.update(); + expect(exists('mediaTypeSelectorField')).toBe(false); + + // Set value to a template snippet and media_type to a non-default value + await act(async () => { + find('appendValueField.input').simulate('change', [{ label: '{{{value_2}}}' }]); + }); + component.update(); + form.setSelectValue('mediaTypeSelectorField', 'text/plain'); + + // Save the field with new changes + await saveNewProcessor(); + + const processors = getProcessorValue(onUpdate, APPEND_TYPE); + expect(processors[0][APPEND_TYPE]).toEqual({ + field: 'sample_field', + value: ['{{{value_2}}}'], + media_type: 'text/plain', }); }); }); diff --git a/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/processor.helpers.tsx b/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/processor.helpers.tsx index f66d601e8caae..9501598c53db2 100644 --- a/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/processor.helpers.tsx +++ b/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/__jest__/processors/processor.helpers.tsx 
@@ -130,6 +130,7 @@ type TestSubject = | 'addProcessorButton' | 'addProcessorForm.submitButton' | 'appendValueField.input' + | 'allowDuplicatesSwitch.input' | 'formatsValueField.input' | 'timezoneField.input' | 'outputFormatField.input' diff --git a/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/components/processor_form/processors/append.tsx b/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/components/processor_form/processors/append.tsx index fde39e7462009..74d57eebc07fa 100644 --- a/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/components/processor_form/processors/append.tsx +++ b/x-pack/plugins/ingest_pipelines/public/application/components/pipeline_editor/components/processor_form/processors/append.tsx @@ -8,14 +8,19 @@ import React, { FunctionComponent } from 'react'; import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { hasTemplateSnippet } from '../../../utils'; import { FIELD_TYPES, fieldValidators, UseField, ComboBoxField, + ToggleField, + SelectField, + useFormData, } from '../../../../../../shared_imports'; -import { FieldsConfig, to } from './shared'; +import { FieldsConfig, from, to } from './shared'; import { FieldNameField } from './common_fields/field_name_field'; const { emptyField } = fieldValidators; 
@@ -41,9 +46,42 @@ const fieldsConfig: FieldsConfig = { }, ], }, + allow_duplicates: { + type: FIELD_TYPES.TOGGLE, + defaultValue: true, + deserializer: to.booleanOrUndef, + serializer: from.undefinedIfValue(true), + label: i18n.translate( + 'xpack.ingestPipelines.pipelineEditor.appendForm.allowDuplicatesFieldLabel', + { + defaultMessage: 'Allow duplicates', + } + ), + helpText: i18n.translate( + 'xpack.ingestPipelines.pipelineEditor.appendForm.allowDuplicatesFieldHelpText', + { + defaultMessage: 'Allow appending values already present in the field.', + } + ), + }, + media_type: { + type: FIELD_TYPES.SELECT, + defaultValue: 'application/json', + serializer: from.undefinedIfValue('application/json'), + label: i18n.translate('xpack.ingestPipelines.pipelineEditor.appendForm.mediaTypeFieldLabel', { + defaultMessage: 'Media type', + }), + helpText: ( + + ), + }, }; export const Append: FunctionComponent = () => { + const [{ fields }] = useFormData({ watch: ['fields.value'] }); return ( <> { component={ComboBoxField} path="fields.value" /> + + + + {hasTemplateSnippet(fields?.value) && ( + + )} ); }; diff --git a/x-pack/plugins/lens/public/datasources/form_based/datapanel.tsx b/x-pack/plugins/lens/public/datasources/form_based/datapanel.tsx index 374eb430dae9c..6f515b6793c3b 100644 --- a/x-pack/plugins/lens/public/datasources/form_based/datapanel.tsx +++ b/x-pack/plugins/lens/public/datasources/form_based/datapanel.tsx 
@@ -245,26 +245,16 @@ export const InnerFormBasedDataPanel = function InnerFormBasedDataPanel({ [layerFields] ); - const onOverrideFieldGroupDetails = useCallback( - (groupName) => { - if (groupName === FieldsGroupNames.AvailableFields) { - const isUsingSampling = core.uiSettings.get('lens:useFieldExistenceSampling'); - - return { - helpText: isUsingSampling - ? i18n.translate('xpack.lens.indexPattern.allFieldsSamplingLabelHelp', { - defaultMessage: - 'Available fields contain the data in the first 500 documents that match your filters. To view all fields, expand Empty fields. You are unable to create visualizations with full text, geographic, flattened, and object fields.', - }) - : i18n.translate('xpack.lens.indexPattern.allFieldsLabelHelp', { - defaultMessage: - 'Drag and drop available fields to the workspace and create visualizations. To change the available fields, select a different data view, edit your queries, or use a different time range. Some field types cannot be visualized in Lens, including full text and geographic fields.', - }), - }; - } - }, - [core.uiSettings] - ); + const onOverrideFieldGroupDetails = useCallback((groupName) => { + if (groupName === FieldsGroupNames.AvailableFields) { + return { + helpText: i18n.translate('xpack.lens.indexPattern.allFieldsLabelHelp', { + defaultMessage: + 'Drag and drop available fields to the workspace and create visualizations. To change the available fields, select a different data view, edit your queries, or use a different time range. Some field types cannot be visualized in Lens, including full text and geographic fields.', + }), + }; + } + }, []); const { fieldListFiltersProps, fieldListGroupedProps } = useGroupedFields({ dataViewId: currentIndexPatternId, diff --git a/x-pack/plugins/lens/public/datasources/form_based/dimension_panel/dimension_editor.tsx b/x-pack/plugins/lens/public/datasources/form_based/dimension_panel/dimension_editor.tsx index f93ee60bae9e6..c51d909ba6766 100644 
--- a/x-pack/plugins/lens/public/datasources/form_based/dimension_panel/dimension_editor.tsx +++ b/x-pack/plugins/lens/public/datasources/form_based/dimension_panel/dimension_editor.tsx @@ -397,7 +397,7 @@ export function DimensionEditor(props: DimensionEditorProps) { ); } else if (!compatibleWithCurrentField) { label = ( - + {label} @@ -652,7 +652,7 @@ export function DimensionEditor(props: DimensionEditorProps) { <> + {i18n.translate('xpack.lens.indexPattern.functionsLabel', { defaultMessage: 'Functions', @@ -665,10 +665,8 @@ export function DimensionEditor(props: DimensionEditorProps) { isOpen={isHelpOpen} display="inlineBlock" panelPaddingSize="none" - className="dscFieldTypesHelp__popover" - panelClassName="dscFieldTypesHelp__panel" closePopover={closeHelp} - initialFocus="#dscFieldTypesHelpBasicTableId" + initialFocus="#functionsHelpBasicTableId" > {i18n.translate('xpack.lens.indexPattern.quickFunctions.popoverTitle', { @@ -682,7 +680,7 @@ export function DimensionEditor(props: DimensionEditorProps) { paddingSize="s" > ().services; const exploreInDiscover = useMemo(() => { 
@@ -330,18 +329,12 @@ function FieldItemPopoverContents( overrideMissingContent={(params) => { if (params.reason === 'no-data') { // TODO: should we replace this with a default message "Analysis is not available for this field?" - const isUsingSampling = core.uiSettings.get('lens:useFieldExistenceSampling'); return ( - {isUsingSampling - ? i18n.translate('xpack.lens.indexPattern.fieldStatsSamplingNoData', { - defaultMessage: - 'Lens is unable to create visualizations with this field because it does not contain data in the first 500 documents that match your filters. To create a visualization, drag and drop a different field.', - }) - : i18n.translate('xpack.lens.indexPattern.fieldStatsNoData', { - defaultMessage: - 'Lens is unable to create visualizations with this field because it does not contain data. To create a visualization, drag and drop a different field.', - })} + {i18n.translate('xpack.lens.indexPattern.fieldStatsNoData', { + defaultMessage: + 'Lens is unable to create visualizations with this field because it does not contain data. To create a visualization, drag and drop a different field.', + })} ); } diff --git a/x-pack/plugins/lens/public/datasources/form_based/form_based.tsx b/x-pack/plugins/lens/public/datasources/form_based/form_based.tsx index 1ce6832f78109..44574bb2cd4ce 100644 --- a/x-pack/plugins/lens/public/datasources/form_based/form_based.tsx +++ b/x-pack/plugins/lens/public/datasources/form_based/form_based.tsx @@ -66,7 +66,6 @@ import { getFiltersInLayer, getShardFailuresWarningMessages, getVisualDefaultsForLayer, - getDeprecatedSamplingWarningMessage, isColumnInvalid, cloneLayer, } from './utils'; @@ -872,7 +871,6 @@ export function getFormBasedDatasource({ return message; }), - ...getDeprecatedSamplingWarningMessage(core), ]; return [...layerErrorMessages, ...dimensionErrorMessages, ...warningMessages]; 
diff --git a/x-pack/plugins/lens/public/datasources/form_based/utils.tsx b/x-pack/plugins/lens/public/datasources/form_based/utils.tsx index e8d98516ec8a1..8ad43734aedf1 100644 --- a/x-pack/plugins/lens/public/datasources/form_based/utils.tsx +++ b/x-pack/plugins/lens/public/datasources/form_based/utils.tsx @@ -8,10 +8,10 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; -import type { CoreStart, DocLinksStart, ThemeServiceStart } from '@kbn/core/public'; +import type { DocLinksStart, ThemeServiceStart } from '@kbn/core/public'; import type { DatatableUtilitiesService } from '@kbn/data-plugin/common'; import { TimeRange } from '@kbn/es-query'; -import { EuiCallOut, EuiLink, EuiSpacer, EuiText } from '@elastic/eui'; +import { EuiLink, EuiSpacer, EuiText } from '@elastic/eui'; import type { DatatableColumn } from '@kbn/expressions-plugin/common'; import { groupBy, escape, uniq } from 'lodash'; @@ -393,52 +393,6 @@ export function getPrecisionErrorWarningMessages( return warningMessages; } -export function getDeprecatedSamplingWarningMessage(core: CoreStart): UserMessage[] { - const useFieldExistenceSamplingKey = 'lens:useFieldExistenceSampling'; - const isUsingSampling = core.uiSettings.get(useFieldExistenceSamplingKey); - - return isUsingSampling - ? [ - { - severity: 'warning', - fixableInEditor: false, - displayLocations: [{ id: 'banner' }], - shortMessage: '', - longMessage: ( - { - core.application.navigateToApp('management', { - path: `/kibana/settings?query=${useFieldExistenceSamplingKey}`, - }); - }} - > - - - ), - }} - /> - } - /> - ), - }, - ] - : []; -} - export function getVisualDefaultsForLayer(layer: FormBasedLayer) { return Object.keys(layer.columns).reduce>>( (memo, columnId) => { 
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json index 35638932adb3e..5080426607f8d 100644 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json @@ -5,16 +5,24 @@ ], "max_empty_searches": 10, "query": { - "bool": { - "filter": [{"exists": {"field": "source.ip"}}], - "must": [ - {"bool": { - "should": [ - {"term": {"event.category": "authentication"}}, - {"term": {"event.outcome": "success"}} - ] - }} - ] + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "term": { + "event.category": "authentication" + } + }, + { + "term": { + "event.outcome": "success" + } } + ] + } } -} \ No newline at end of file +} diff --git a/x-pack/plugins/monitoring/dev_docs/how_to/work_with_packages.md b/x-pack/plugins/monitoring/dev_docs/how_to/work_with_packages.md new file mode 100644 index 0000000000000..f1c5eff8d07b8 --- /dev/null +++ b/x-pack/plugins/monitoring/dev_docs/how_to/work_with_packages.md 
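Review bot: With all three clauses under `filter`, the datafeed now counts only documents that have `source.ip`, `event.category: authentication` and `event.outcome: success` together, where the removed `should` pair accepted either term. That changes what the job measures, so the job description (not visible in this hunk) should state that only successful authentication events per source IP are counted. Jobs already created from the previous datafeed presumably keep the old query and the baseline learned from it. It is worth confirming whether they need to be recreated, and noting that in the release notes.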
@@ -0,0 +1,179 @@ +# Stack Monitoring integration packages + +The Stack Monitoring packages provide a similar experience as their beats modules counterpart, both for metrics and logs ingestion. Feature wise these two collection modes are used to provide the Stack Monitoring UI the data it needs to power each product views. There is a however a difference in how the data is stored: while standalone beats modules will store all their data in a single data stream, for example `.monitoring-elasticsearch-8-mb`, the integrations will create one data stream for each metricset or filestream, for example `metrics-elasticsearch.stack-monitoring.node-default` for the node metricset. This means the integrations mappings are more specialized because they're split to only define the relevant properties for each metricset but the merged version of an integration data streams should be equivalent to its metricbeat mapping. + +## Links +- [Usage dashboard (internal)](https://ela.st/sm-packages-dashboard) + +## Working with packages + +Make sure you've read the following documents to get up to speed: + +**Workflow:** +- [Ecosystem definitions](https://github.com/elastic/integrations/blob/main/docs/definitions.md) +- [elastic-package getting started](https://github.com/elastic/elastic-package#getting-started) +- [Package testing and validation](https://github.com/elastic/integrations/blob/main/docs/testing_and_validation.md) +- [Developer workflow](https://github.com/elastic/integrations/blob/main/docs/developer_workflow_design_build_test_integration.md) + +**Related repos:** +- [Integrations](https://github.com/elastic/integrations) +- [Package registry](https://github.com/elastic/package-registry/) +- [Package storage](https://github.com/elastic/package-storage/) +- [Package spec](https://github.com/elastic/package-spec) + +### Integration internals + +#### Metrics +For metrics collection, the integrations act as a wrapper around the corresponding metricbeat modules. 
For example, when the `elasticsearch` integration is configured to collect the `cluster_stats` metrics from a given host, the elastic agent will spawn a metricbeat process with the appropriate configuration. + +Here's the state of the running processes (configuration have been shortened for clarity): + +```mermaid + +flowchart TB +subgraph elastic-agent + ESinteg["elasticsearch integration"] + subgraph policy.yml + Agentpolicy["
    inputs:\n  - id: elasticsearch/metrics-elasticsearch\n    type: elasticsearch/metrics\n    streams:\n      - id: elasticsearch/metrics-elasticsearch.stack_monitoring.cluster_stats\n    metricsets:\n      - cluster_stats\n    hosts:\n      - http://foo:9200\n    ...
    "] + style Agentpolicy text-align:left + end +end + +subgraph metricbeat + ESmodule["elasticsearch module"] + subgraph metricbeat.yml + MBconfig["
    metricbeat.modules:\n  - module: elasticsearch\n    metricsets:\n      - cluster_stats\n    hosts:\n      - http://foo:9200\n    ...
    "] + style MBconfig text-align:left + end +end + +elastic-agent-.->|spawn|metricbeat +ESmodule-.->|config|metricbeat.yml +ESinteg-.->|config|policy.yml +``` + +#### Logs +Similarly, logs collection will spawn a filebeat process. The corresponding filebeat module, if it exists, is not used in this scenario and instead the configuration/ingest pipelines are duplicated in the integration. + +### Defining service dependencies + +A package can define the services it needs to monitor for development and automated testing purposes, for example the mysql package needs a running database to fetch and validate metrics or logs. While we could use the elasticsearch and kibana services started by `elastic-package stack up` we don't want the stack packages to be special cases and just like mysql, the packages should be responsible of defining their dependencies. + +This can be done by creating a `docker-compose` file under the package `_dev/deploy` directory, then running `elastic-package service up -v` in the package folder. An example is the [elasticsearch package](https://github.com/elastic/integrations/tree/main/packages/elasticsearch/_dev/deploy/docker) that starts a service which generates every types of logs with the help of a script executing queries. + +### Collecting logs + +To collect logs elastic-agent needs access to the raw files. Let's see how that works taking `elasticsearch` package as an example. +The setup requires an elastic-package stack and the development elasticsearch started with elastic-package service. While services will generate logs out of the box (eg server, gc logs), some need to be triggered (eg slowlogs). To generate all log types for our tests we also start a script that sends requests to elasticsearch in order to trigger those. 
+ +```mermaid + +flowchart LR +subgraph local host + LOCALlogs["~/.elastic-package/tmp/service_logs ( ${SERVICE_LOGS_DIR} )"] +end + +subgraph "elastic package service (generate logs)" + + subgraph elasticsearch + SEelasticsearchlogs["/usr/share/elasticsearch/logs"] + end + + subgraph logs_generator + SElogsscript["script.sh[3]"] + end +end + +subgraph "elastic package stack (ingest logs)" + subgraph elastic-agent + STagentlogs["/tmp/service_logs"] + end +end + + +LOCALlogs-.->|"mount[1]"|STagentlogs +LOCALlogs-.->|"mount[2]"|SEelasticsearchlogs +SElogsscript-.->|http requests to trigger logs|elasticsearch +``` +[1] https://github.com/elastic/elastic-package/blob/main/internal/profile/_static/docker-compose-stack.yml#L133-L135 + +[2] https://github.com/elastic/integrations/blob/main/packages/elasticsearch/_dev/deploy/docker/docker-compose.yml#L39 +This is a simplified version as there is some gymnastics involved to work around permissions, but the workflow remains the same + +[3] https://github.com/elastic/integrations/blob/main/packages/elasticsearch/_dev/deploy/docker/scripts/generate-logs.sh + +A log file written in the elasticsearch container will be available to the local `~/.elastic-package/tmp/service_logs` directory and thus available to the elastic-agent. Now the integration can be configured to point to the elastic-agent's `/tmp/service_logs`, for example elasticsearch's gc logs will be available under `/tmp/service_logs/gc.log`. + +## Connecting a local Kibana + +You may want to test local Kibana changes against the elastic-package stack, and that's perfectly doable but with some limitations (at the time of writing). + +**Note** that when logging to multiple local Kibana instances you'll have to access them through isolated environments, for example firefox containers, private windows or a different browser. Clearing cookies for the domain also works. 
There seems to be a conflict with cookies where one is unable to pass the login screen of a local Kibana instance when cookies from another local instance are already cached. The symptom is a redirection to the login screen when entering valid credentials. + +Once an elastic-package stack is started, update `kibana_system` password on the running elasticsearch: + +```bash +curl --insecure -u elastic:changeme -H 'Content-Type: application/json' \ +https://localhost:9200/_security/user/kibana_system/_password -d'{"password": "changeme"}' +``` + +Now configure the local Kibana on a different port so we don't conflict with the one started by elastic-package, and ignore certificate verification: + +```yaml +server.port: 5602 + +elasticsearch.username: kibana_system +elasticsearch.password: changeme +elasticsearch.ignoreVersionMismatch: true +elasticsearch.hosts: ["https://localhost:9200"] +elasticsearch.ssl.verificationMode: none +``` + +then `yarn start`. A local Kibana running at http://localhost:5602 will talk to the elastic-package system, allowing local changes to Kibana to interact with data ingested by integrations. + +Note that the local kibana is not able to interact with the local package-registry when running http, this means we have to do all integration-related interaction on the kibana run by elastic-package (at https://localhost:5601). + +To enable ssl we can point the local kibana configuration to the certificates used by elastic-package (under ~/.elastic-package/profiles/{profile}/certs), then start the process with `NODE_EXTRA_CA_CERTS=~/.elastic-package/profiles/{profile}/certs/ca-cert.pem yarn start`. 
+ +## Testing strategy + +On the package side, we use the testing tools provided by elastic-package for: + +- [static validation of the mappings](https://github.com/elastic/elastic-package/blob/main/docs/howto/static_testing.md) +- [ingest pipeline validation](https://github.com/elastic/elastic-package/blob/main/docs/howto/pipeline_testing.md) +- [validation of live data](https://github.com/elastic/elastic-package/blob/main/docs/howto/system_testing.md) + +See the [elastic-package-test documentation](https://github.com/elastic/elastic-package#elastic-package-test) for more details. + +The system tests spawn a full setup (`elastic-package stack up` + `elastic-package service up`), install the package and attach a policy to a running agent to collect live data. This real-world setup can be leveraged to continuously validate future versions of the stack when they are released. Right now the service dependencies are running on 8.5.0 and the tests validate that this version is supported. The plan is to have an automated job that opens a PR validating that the tests are still successful with the latest released version. + +On the Stack Monitoring side, we have an API integration test suite running against packages; see https://github.com/elastic/kibana/tree/main/x-pack/test/monitoring_api_integration#readme + +## Troubleshooting + +### My elastic-package stack appears to be stuck + +If your stack doesn’t start it might be memory or disk starved. 
A good indicator is the presence of the following log in the elasticsearch container: + + ```json + {"@timestamp":"2022-06-30T05:55:51.586Z", "log.level": "WARN", "message":"high disk watermark [90%] exceeded on [Vo4wyn23ReWufzMT2R9n3g][5b4a83809124][/usr/share/elasticsearch/data] free: 5.6gb[9.6%], shards will be relocated away from this node; currently relocating away shards totalling [0] bytes; the node is expected to continue to exceed the high disk watermark when these relocations are complete", "ecs.version": "1.2.0","service. name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread. name":"elasticsearch[5b4a83809124][masterService#updateTask][T#1]", "log.logger":"org.elasticsearch.cluster.routing.allocation. DiskThresholdMonitor","elasticsearch.cluster. uuid":"wzlK4-GBTymeP6n_Izf6ZA","elasticsearch.node. id":"Vo4wyn23ReWufzMT2R9n3g","elasticsearch.node.name":"5b4a83809124", "elasticsearch.cluster.name":"elasticsearch"} + ``` + + Try increasing the Docker environments disk threshold or cleaning the stored data. If no such logs appear, inspect every container logs to find the offending component. + +### My package is not showing up in Integrations + +- Ensure the [kibana version](https://github.com/elastic/integrations/blob/7ae8b62ffdee2552d6165f1b287cdd03e1edf1db/packages/elasticsearch/manifest.yml#L16) defined in the manifest supports your local kibana version, +- If the package is a prerelease version and you're running a Kibana with version >= v8.6.0, the package is hidden behind a flag that needs to be activated: + + +### Elastic agent + +By default the agent is monitored which means that dedicated filebeat and metricbeat processes collect logs and metrics from the running agent. This data is then available in the respective Kibana applications under `logs-*` and `metrics-*` patterns. +If you need to look at the raw filebeat/metrics logs they are stored under `/usr/share/elastic-agent/state/data/logs/default` in the container. 
+ +**Additional resources:** +- [v2 diagram](https://github.com/elastic/elastic-agent-shipper/issues/3) +- [Agent onboarding (internal)](https://ela.st/agent-onboarding-doc) +- [Elastic Agent architecture v2 (internal)](https://ela.st/agent-v2-archicture-doc) + diff --git a/x-pack/plugins/monitoring/dev_docs/reference/data_collection_modes.md b/x-pack/plugins/monitoring/dev_docs/reference/data_collection_modes.md index 758eda14f6c21..b34bc550a0a8f 100644 --- a/x-pack/plugins/monitoring/dev_docs/reference/data_collection_modes.md +++ b/x-pack/plugins/monitoring/dev_docs/reference/data_collection_modes.md @@ -145,12 +145,14 @@ Beats also doesn't have filebeat module or recommended configuration, but the lo ### Package-driven collection +See [working with packages](../howto/work_with_packages.md) for details on how to develop and test Stack Monitoring packages. + When using package-driven collection, each component in your Elastic stack is given a corresponding fleet package (also known as "integration"). - [Elasticsearch](https://github.com/elastic/integrations/tree/main/packages/elasticsearch) - [Kibana](https://github.com/elastic/integrations/tree/main/packages/kibana) - [Logstash](https://github.com/elastic/integrations/tree/main/packages/logstash) -- Beats (WIP) +- [Beats](https://github.com/elastic/integrations/tree/main/packages/beat) - Enterprise Search (WIP) An operator will install the package via the monitoring deployment's kibana instance (or possible a separate deployment used for fleet management). @@ -196,4 +198,4 @@ metrics-.->|poll|ClusterStats logs-.->|read|Disk publisher-->|/_bulk|Elasticsearch -``` \ No newline at end of file +``` diff --git a/x-pack/plugins/observability/server/domain/models/common.ts b/x-pack/plugins/observability/server/domain/models/common.ts index 08b81a44c71ed..3e734146e8994 100644 --- a/x-pack/plugins/observability/server/domain/models/common.ts +++ b/x-pack/plugins/observability/server/domain/models/common.ts 
@@ -6,9 +6,16 @@ */ import * as t from 'io-ts'; -import { dateRangeSchema, statusSchema } from '@kbn/slo-schema'; +import { + dateRangeSchema, + historicalSummarySchema, + statusSchema, + summarySchema, +} from '@kbn/slo-schema'; type Status = t.TypeOf; type DateRange = t.TypeOf; +type HistoricalSummary = t.TypeOf; +type Summary = t.TypeOf; -export type { DateRange, Status }; +export type { DateRange, HistoricalSummary, Status, Summary }; diff --git a/x-pack/plugins/observability/server/domain/models/indicators.ts b/x-pack/plugins/observability/server/domain/models/indicators.ts index 88c0e2dd8e5ae..6df394b031ce5 100644 --- a/x-pack/plugins/observability/server/domain/models/indicators.ts +++ b/x-pack/plugins/observability/server/domain/models/indicators.ts @@ -9,7 +9,6 @@ import * as t from 'io-ts'; import { apmTransactionDurationIndicatorSchema, apmTransactionErrorRateIndicatorSchema, - historicalSummarySchema, indicatorDataSchema, indicatorSchema, indicatorTypesSchema, @@ -22,7 +21,6 @@ type KQLCustomIndicator = t.TypeOf; type Indicator = t.TypeOf; type IndicatorTypes = t.TypeOf; type IndicatorData = t.TypeOf; -type HistoricalSummary = t.TypeOf; export type { Indicator, @@ -31,5 +29,4 @@ export type { APMTransactionDurationIndicator, KQLCustomIndicator, IndicatorData, - HistoricalSummary, }; diff --git a/x-pack/plugins/observability/server/domain/models/slo.ts b/x-pack/plugins/observability/server/domain/models/slo.ts index 777b78fbcd5b2..4c6cd6dd12a72 100644 --- a/x-pack/plugins/observability/server/domain/models/slo.ts +++ b/x-pack/plugins/observability/server/domain/models/slo.ts @@ -11,7 +11,6 @@ import { sloSchema, sloWithSummarySchema } from '@kbn/slo-schema'; type SLO = t.TypeOf; type SLOId = t.TypeOf; type SLOWithSummary = t.TypeOf; - type StoredSLO = t.OutputOf; export type { SLO, SLOWithSummary, SLOId, StoredSLO }; 
diff --git a/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/executor.ts b/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/executor.ts index 96732747bdce7..679537a7f7260 100644 --- a/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/executor.ts +++ b/x-pack/plugins/observability/server/lib/rules/slo_burn_rate/executor.ts @@ -58,7 +58,7 @@ export const getRuleExecutor = (): LifecycleRuleExecutor< } = services; const sloRepository = new KibanaSavedObjectsSLORepository(soClient); - const sliClient = new DefaultSLIClient(esClient.asCurrentUser); + const summaryClient = new DefaultSLIClient(esClient.asCurrentUser); const slo = await sloRepository.findById(params.sloId); const longWindowDuration = new Duration( @@ -70,7 +70,7 @@ export const getRuleExecutor = (): LifecycleRuleExecutor< toDurationUnit(params.shortWindow.unit) ); - const sliData = await sliClient.fetchSLIDataFrom(slo, [ + const sliData = await summaryClient.fetchSLIDataFrom(slo, [ { name: LONG_WINDOW, duration: longWindowDuration.add(slo.settings.syncDelay) }, { name: SHORT_WINDOW, duration: shortWindowDuration.add(slo.settings.syncDelay) }, ]); diff --git a/x-pack/plugins/observability/server/routes/slo/route.ts b/x-pack/plugins/observability/server/routes/slo/route.ts index 50716135e653d..90fa8b82fbca2 100644 --- a/x-pack/plugins/observability/server/routes/slo/route.ts +++ b/x-pack/plugins/observability/server/routes/slo/route.ts @@ -17,7 +17,7 @@ import { import { CreateSLO, DefaultResourceInstaller, - DefaultSLIClient, + DefaultSummaryClient, DefaultTransformManager, DeleteSLO, FindSLO, 
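Review bot: In executor.ts the local is renamed to `summaryClient`, but it is still built from `DefaultSLIClient` and only calls `fetchSLIDataFrom`, so the name now points at a different class than the one it holds. Since this commit also introduces a real `DefaultSummaryClient`, a reader of the rule executor could assume the burn-rate rule goes through the summary path. I would keep the old name in both hunks of this file: `const sliClient = new DefaultSLIClient(esClient.asCurrentUser);` and `const sliData = await sliClient.fetchSLIDataFrom(slo, [`. The same mismatch appears in sli_client.test.ts, where `describe('SummaryClient', …)` and the `summaryClient` locals still exercise `DefaultSLIClient`. The body of `getRuleExecutor` starts and ends outside these hunks.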
@@ -133,8 +133,8 @@ const getSLORoute = createObservabilityServerRoute({ const soClient = (await context.core).savedObjects.client; const esClient = (await context.core).elasticsearch.client.asCurrentUser; const repository = new KibanaSavedObjectsSLORepository(soClient); - const sliClient = new DefaultSLIClient(esClient); - const getSLO = new GetSLO(repository, sliClient); + const summaryClient = new DefaultSummaryClient(esClient); + const getSLO = new GetSLO(repository, summaryClient); const response = await getSLO.execute(params.path.id); @@ -156,8 +156,8 @@ const findSLORoute = createObservabilityServerRoute({ const soClient = (await context.core).savedObjects.client; const esClient = (await context.core).elasticsearch.client.asCurrentUser; const repository = new KibanaSavedObjectsSLORepository(soClient); - const sliClient = new DefaultSLIClient(esClient); - const findSLO = new FindSLO(repository, sliClient); + const summaryClient = new DefaultSummaryClient(esClient); + const findSLO = new FindSLO(repository, summaryClient); const response = await findSLO.execute(params?.query ?? {}); diff --git a/x-pack/plugins/observability/server/services/slo/__snapshots__/summary_client.test.ts.snap b/x-pack/plugins/observability/server/services/slo/__snapshots__/summary_client.test.ts.snap new file mode 100644 index 0000000000000..e7b4a068d7ae0 --- /dev/null +++ b/x-pack/plugins/observability/server/services/slo/__snapshots__/summary_client.test.ts.snap 
@@ -0,0 +1,40 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`SummaryClient fetchSummary with calendar aligned and timeslices SLO returns the summary 1`] = ` +Object { + "errorBudget": Object { + "consumed": 0.198413, + "initial": 0.05, + "isEstimated": false, + "remaining": 0.801587, + }, + "sliValue": 0.9, + "status": "DEGRADING", +} +`; + +exports[`SummaryClient fetchSummary with rolling and occurrences SLO returns the summary 1`] = ` +Object { + "errorBudget": Object { + "consumed": 100, + "initial": 0.001, + "isEstimated": false, + "remaining": 0, + }, + "sliValue": 0.9, + "status": "VIOLATED", +} +`; + +exports[`SummaryClient fetchSummary with rolling and timeslices SLO returns the summary 1`] = ` +Object { + "errorBudget": Object { + "consumed": 2, + "initial": 0.05, + "isEstimated": false, + "remaining": 0, + }, + "sliValue": 0.9, + "status": "VIOLATED", +} +`; diff --git a/x-pack/plugins/observability/server/services/slo/find_slo.test.ts b/x-pack/plugins/observability/server/services/slo/find_slo.test.ts index e4982c36a073b..13477c3fbf3f6 100644 --- a/x-pack/plugins/observability/server/services/slo/find_slo.test.ts +++ b/x-pack/plugins/observability/server/services/slo/find_slo.test.ts 
@@ -5,30 +5,29 @@ * 2.0. */ -import { IndicatorData, SLO, SLOId } from '../../domain/models'; -import { toDateRange } from '../../domain/services'; +import { SLO, SLOId, Summary } from '../../domain/models'; import { FindSLO } from './find_slo'; import { createSLO, createPaginatedSLO } from './fixtures/slo'; -import { createSLIClientMock, createSLORepositoryMock } from './mocks'; -import { SLIClient } from './sli_client'; +import { createSummaryClientMock, createSLORepositoryMock } from './mocks'; import { SLORepository, SortField, SortDirection } from './slo_repository'; +import { SummaryClient } from './summary_client'; describe('FindSLO', () => { let mockRepository: jest.Mocked; - let mockSLIClient: jest.Mocked; + let mockSummaryClient: jest.Mocked; let findSLO: FindSLO; beforeEach(() => { mockRepository = createSLORepositoryMock(); - mockSLIClient = createSLIClientMock(); - findSLO = new FindSLO(mockRepository, mockSLIClient); + mockSummaryClient = createSummaryClientMock(); + findSLO = new FindSLO(mockRepository, mockSummaryClient); }); describe('happy path', () => { it('returns the results with pagination', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); const result = await findSLO.execute({}); @@ -91,7 +90,7 @@ describe('FindSLO', () => { it('calls the repository with the default criteria and pagination', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({}); 
@@ -105,7 +104,7 @@ describe('FindSLO', () => { it('calls the repository with the name filter criteria', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({ name: 'Availability' }); @@ -119,7 +118,7 @@ describe('FindSLO', () => { it('calls the repository with the indicatorType filter criteria', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({ indicatorTypes: ['sli.kql.custom'] }); @@ -133,7 +132,7 @@ describe('FindSLO', () => { it('calls the repository with the pagination', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({ name: 'My SLO*', page: '2', perPage: '100' }); @@ -147,7 +146,7 @@ describe('FindSLO', () => { it('uses default pagination values when invalid', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({ page: '-1', perPage: '0' }); 
@@ -161,7 +160,7 @@ describe('FindSLO', () => { it('sorts by name by default when not specified', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({ sortBy: undefined }); @@ -175,7 +174,7 @@ describe('FindSLO', () => { it('sorts by indicator type', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({ sortBy: 'indicatorType' }); @@ -189,7 +188,7 @@ describe('FindSLO', () => { it('sorts by indicator type in descending order', async () => { const slo = createSLO(); mockRepository.find.mockResolvedValueOnce(createPaginatedSLO(slo)); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce(someIndicatorData(slo)); + mockSummaryClient.fetchSummary.mockResolvedValueOnce(someSummary(slo)); await findSLO.execute({ sortBy: 'indicatorType', sortDirection: 'desc' }); @@ -202,12 +201,17 @@ describe('FindSLO', () => { }); }); -function someIndicatorData(slo: SLO): Record { +function someSummary(slo: SLO): Record { return { [slo.id]: { - good: 9999, - total: 10000, - dateRange: toDateRange(slo.timeWindow), + status: 'HEALTHY', + sliValue: 0.9999, + errorBudget: { + initial: 0.001, + consumed: 0.1, + remaining: 0.9, + isEstimated: false, + }, }, }; } diff --git a/x-pack/plugins/observability/server/services/slo/find_slo.ts b/x-pack/plugins/observability/server/services/slo/find_slo.ts index 06134a2b692d5..dd56977d0cf84 100644 --- a/x-pack/plugins/observability/server/services/slo/find_slo.ts +++ b/x-pack/plugins/observability/server/services/slo/find_slo.ts 
@@ -6,9 +6,7 @@ */ import { FindSLOParams, FindSLOResponse, findSLOResponseSchema } from '@kbn/slo-schema'; -import { IndicatorData, SLO, SLOId, SLOWithSummary } from '../../domain/models'; -import { computeErrorBudget, computeSLI, computeSummaryStatus } from '../../domain/services'; -import { SLIClient } from './sli_client'; +import { SLO, SLOId, SLOWithSummary, Summary } from '../../domain/models'; import { Criteria, Paginated, @@ -18,12 +16,13 @@ import { SortField, SortDirection, } from './slo_repository'; +import { SummaryClient } from './summary_client'; const DEFAULT_PAGE = 1; const DEFAULT_PER_PAGE = 25; export class FindSLO { - constructor(private repository: SLORepository, private sliClient: SLIClient) {} + constructor(private repository: SLORepository, private summaryClient: SummaryClient) {} public async execute(params: FindSLOParams): Promise { const pagination: Pagination = toPagination(params); 
@@ -35,40 +34,27 @@ export class FindSLO { sort, pagination ); - const indicatorDataBySlo = await this.sliClient.fetchCurrentSLIData(sloList); - const sloListWithSummary = computeSloWithSummary(sloList, indicatorDataBySlo); + const summaryBySlo = await this.summaryClient.fetchSummary(sloList); - return this.toResponse(sloListWithSummary, resultMeta); - } + const sloListWithSummary = mergeSloWithSummary(sloList, summaryBySlo); - private toResponse( - sloList: SLOWithSummary[], - resultMeta: Omit, 'results'> - ): FindSLOResponse { return findSLOResponseSchema.encode({ page: resultMeta.page, perPage: resultMeta.perPage, total: resultMeta.total, - results: sloList, + results: sloListWithSummary, }); } } -function computeSloWithSummary( +function mergeSloWithSummary( sloList: SLO[], - indicatorDataBySlo: Record + summaryBySlo: Record ): SLOWithSummary[] { - const sloListWithSummary: SLOWithSummary[] = []; - for (const slo of sloList) { - const sliValue = computeSLI(indicatorDataBySlo[slo.id]); - const errorBudget = computeErrorBudget(slo, indicatorDataBySlo[slo.id]); - const status = computeSummaryStatus(slo, sliValue, errorBudget); - sloListWithSummary.push({ - ...slo, - summary: { status, sliValue, errorBudget }, - }); - } - return sloListWithSummary; + return sloList.map((slo) => ({ + ...slo, + summary: summaryBySlo[slo.id], + })); } function toPagination(params: FindSLOParams): Pagination { diff --git a/x-pack/plugins/observability/server/services/slo/get_slo.test.ts b/x-pack/plugins/observability/server/services/slo/get_slo.test.ts index b0752400c2cd7..33416d42a776c 100644 --- a/x-pack/plugins/observability/server/services/slo/get_slo.test.ts +++ b/x-pack/plugins/observability/server/services/slo/get_slo.test.ts 
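Review bot: `mergeSloWithSummary` reads `summaryBySlo[slo.id]` without checking that the key is present, so any SLO that `fetchSummary` leaves out ends up with `summary: undefined` going into `findSLOResponseSchema.encode`. The `fetchCurrentSLIData` removed elsewhere in this commit filled in zero values when an msearch response carried an error; whether `DefaultSummaryClient` gives the same guarantee cannot be seen from this hunk. Either state the contract above the function, `// summaryBySlo must hold an entry for every SLO in sloList`, or fail loudly with `const summary = summaryBySlo[slo.id];` followed by `if (summary === undefined) throw new Error('Missing summary for SLO ' + slo.id);`. The one-SLO `mergeSloWithSummary` in get_slo.ts has the same unchecked lookup.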
@@ -5,33 +5,37 @@ * 2.0. */ -import { toDateRange } from '../../domain/services'; import { createAPMTransactionErrorRateIndicator, createSLO } from './fixtures/slo'; import { GetSLO } from './get_slo'; -import { createSLIClientMock, createSLORepositoryMock } from './mocks'; -import { SLIClient } from './sli_client'; +import { createSummaryClientMock, createSLORepositoryMock } from './mocks'; import { SLORepository } from './slo_repository'; +import { SummaryClient } from './summary_client'; describe('GetSLO', () => { let mockRepository: jest.Mocked; - let mockSLIClient: jest.Mocked; + let mockSummaryClient: jest.Mocked; let getSLO: GetSLO; beforeEach(() => { mockRepository = createSLORepositoryMock(); - mockSLIClient = createSLIClientMock(); - getSLO = new GetSLO(mockRepository, mockSLIClient); + mockSummaryClient = createSummaryClientMock(); + getSLO = new GetSLO(mockRepository, mockSummaryClient); }); describe('happy path', () => { it('retrieves the SLO from the repository', async () => { const slo = createSLO({ indicator: createAPMTransactionErrorRateIndicator() }); mockRepository.findById.mockResolvedValueOnce(slo); - mockSLIClient.fetchCurrentSLIData.mockResolvedValueOnce({ + mockSummaryClient.fetchSummary.mockResolvedValueOnce({ [slo.id]: { - good: 9999, - total: 10000, - dateRange: toDateRange(slo.timeWindow), + status: 'HEALTHY', + sliValue: 0.9999, + errorBudget: { + initial: 0.001, + consumed: 0.1, + remaining: 0.9, + isEstimated: false, + }, }, }); diff --git a/x-pack/plugins/observability/server/services/slo/get_slo.ts b/x-pack/plugins/observability/server/services/slo/get_slo.ts index de49ba4aaca13..96716a15c0a8f 100644 --- a/x-pack/plugins/observability/server/services/slo/get_slo.ts +++ b/x-pack/plugins/observability/server/services/slo/get_slo.ts 
@@ -6,34 +6,23 @@ */ import { GetSLOResponse, getSLOResponseSchema } from '@kbn/slo-schema'; -import { IndicatorData, SLO, SLOId, SLOWithSummary } from '../../domain/models'; +import { SLO, SLOId, SLOWithSummary, Summary } from '../../domain/models'; import { SLORepository } from './slo_repository'; -import { SLIClient } from './sli_client'; -import { computeSLI, computeErrorBudget, computeSummaryStatus } from '../../domain/services'; +import { SummaryClient } from './summary_client'; export class GetSLO { - constructor(private repository: SLORepository, private sliClient: SLIClient) {} + constructor(private repository: SLORepository, private summaryClient: SummaryClient) {} public async execute(sloId: string): Promise { const slo = await this.repository.findById(sloId); + const summaryBySlo = await this.summaryClient.fetchSummary([slo]); - const indicatorDataBySlo = await this.sliClient.fetchCurrentSLIData([slo]); - const sloWithSummary = computeSloWithSummary(slo, indicatorDataBySlo); + const sloWithSummary = mergeSloWithSummary(slo, summaryBySlo); - return this.toResponse(sloWithSummary); - } - - private toResponse(slo: SLOWithSummary): GetSLOResponse { - return getSLOResponseSchema.encode(slo); + return getSLOResponseSchema.encode(sloWithSummary); } } -function computeSloWithSummary( - slo: SLO, - indicatorDataBySlo: Record -): SLOWithSummary { - const sliValue = computeSLI(indicatorDataBySlo[slo.id]); - const errorBudget = computeErrorBudget(slo, indicatorDataBySlo[slo.id]); - const status = computeSummaryStatus(slo, sliValue, errorBudget); - return { ...slo, summary: { status, sliValue, errorBudget } }; +function mergeSloWithSummary(slo: SLO, summaryBySlo: Record): SLOWithSummary { + return { ...slo, summary: summaryBySlo[slo.id] }; } diff --git a/x-pack/plugins/observability/server/services/slo/index.ts b/x-pack/plugins/observability/server/services/slo/index.ts index a4d186db813f9..9d7097d92fc03 100644 
--- a/x-pack/plugins/observability/server/services/slo/index.ts +++ b/x-pack/plugins/observability/server/services/slo/index.ts @@ -16,3 +16,4 @@ export * from './sli_client'; export * from './slo_repository'; export * from './transform_manager'; export * from './update_slo'; +export * from './summary_client'; diff --git a/x-pack/plugins/observability/server/services/slo/mocks/index.ts b/x-pack/plugins/observability/server/services/slo/mocks/index.ts index 5781553f91e05..bb8b66542b1db 100644 --- a/x-pack/plugins/observability/server/services/slo/mocks/index.ts +++ b/x-pack/plugins/observability/server/services/slo/mocks/index.ts @@ -8,6 +8,7 @@ import { ResourceInstaller } from '../resource_installer'; import { SLIClient } from '../sli_client'; import { SLORepository } from '../slo_repository'; +import { SummaryClient } from '../summary_client'; import { TransformManager } from '../transform_manager'; const createResourceInstallerMock = (): jest.Mocked => { @@ -35,9 +36,14 @@ const createSLORepositoryMock = (): jest.Mocked => { }; }; +const createSummaryClientMock = (): jest.Mocked => { + return { + fetchSummary: jest.fn(), + }; +}; + const createSLIClientMock = (): jest.Mocked => { return { - fetchCurrentSLIData: jest.fn(), fetchSLIDataFrom: jest.fn(), }; }; @@ -46,5 +52,6 @@ export { createResourceInstallerMock, createTransformManagerMock, createSLORepositoryMock, + createSummaryClientMock, createSLIClientMock, }; diff --git a/x-pack/plugins/observability/server/services/slo/sli_client.test.ts b/x-pack/plugins/observability/server/services/slo/sli_client.test.ts index d942cea0335d0..a00d0627461c1 100644 --- a/x-pack/plugins/observability/server/services/slo/sli_client.test.ts +++ b/x-pack/plugins/observability/server/services/slo/sli_client.test.ts 
@@ -8,12 +8,9 @@ import { ElasticsearchClientMock, elasticsearchServiceMock } from '@kbn/core/server/mocks'; import moment from 'moment'; -import { SLO_DESTINATION_INDEX_NAME } from '../../assets/constants'; -import { toDateRange } from '../../domain/services'; import { Duration, DurationUnit } from '../../domain/models'; import { createSLO } from './fixtures/slo'; import { DefaultSLIClient } from './sli_client'; -import { sevenDaysRolling, weeklyCalendarAligned } from './fixtures/time_window'; const commonEsResponse = { took: 100, 
@@ -29,231 +26,13 @@ const commonEsResponse = { }, }; -const getMsearchResponse = (good: number = 90, total: number = 100) => ({ - ...commonEsResponse, - responses: [ - { - ...commonEsResponse, - aggregations: { - good: { value: good }, - total: { value: total }, - }, - }, - ], -}); - -describe('SLIClient', () => { +describe('SummaryClient', () => { let esClientMock: ElasticsearchClientMock; beforeEach(() => { esClientMock = elasticsearchServiceMock.createElasticsearchClient(); }); - describe('fetchCurrentSLIData', () => { - describe('with occurrences budgeting method', () => { - describe('with a rolling time window', () => { - it('returns the aggregated good and total values', async () => { - const slo = createSLO({ timeWindow: sevenDaysRolling() }); - esClientMock.msearch.mockResolvedValueOnce(getMsearchResponse()); - const sliClient = new DefaultSLIClient(esClientMock); - - const result = await sliClient.fetchCurrentSLIData([slo]); - - const expectedDateRange = toDateRange(slo.timeWindow); - expect(result[slo.id]).toMatchObject({ - good: 90, - total: 100, - }); - expect(result[slo.id].dateRange.from).toBeClose(expectedDateRange.from); - expect(result[slo.id].dateRange.to).toBeClose(expectedDateRange.to); - // @ts-ignore searches not typed properly - expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ - { index: `${SLO_DESTINATION_INDEX_NAME}*` }, - { - size: 0, - query: { - bool: { - filter: [ - { term: { 'slo.id': slo.id } }, - { term: { 'slo.revision': slo.revision } }, - { - range: { - '@timestamp': { gte: expect.anything(), lt: expect.anything() }, - }, - }, - ], - }, - }, - aggs: { - good: { sum: { field: 'slo.numerator' } }, - total: { sum: { field: 'slo.denominator' } }, - }, - }, - ]); - }); - }); - - describe('with a calendar aligned time window', () => { - it('returns the aggregated good and total values', async () => { - const slo = createSLO({ - timeWindow: weeklyCalendarAligned(new Date('2022-09-01T00:00:00.000Z')), - }); - 
esClientMock.msearch.mockResolvedValueOnce(getMsearchResponse()); - const sliClient = new DefaultSLIClient(esClientMock); - - const result = await sliClient.fetchCurrentSLIData([slo]); - - const expectedDateRange = toDateRange(slo.timeWindow); - expect(result[slo.id]).toMatchObject({ good: 90, total: 100 }); - expect(result[slo.id].dateRange.from).toBeClose(expectedDateRange.from); - expect(result[slo.id].dateRange.to).toBeClose(expectedDateRange.to); - // @ts-ignore searches not typed properly - expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ - { index: `${SLO_DESTINATION_INDEX_NAME}*` }, - { - size: 0, - query: { - bool: { - filter: [ - { term: { 'slo.id': slo.id } }, - { term: { 'slo.revision': slo.revision } }, - { - range: { - '@timestamp': { - gte: expectedDateRange.from.toISOString(), - lt: expectedDateRange.to.toISOString(), - }, - }, - }, - ], - }, - }, - aggs: { - good: { sum: { field: 'slo.numerator' } }, - total: { sum: { field: 'slo.denominator' } }, - }, - }, - ]); - }); - }); - }); - - describe('with timeslices budgeting method', () => { - describe('with a calendar aligned time window', () => { - it('returns the aggregated good and total values', async () => { - const slo = createSLO({ - budgetingMethod: 'timeslices', - objective: { - target: 0.95, - timesliceTarget: 0.9, - timesliceWindow: new Duration(10, DurationUnit.Minute), - }, - timeWindow: weeklyCalendarAligned(new Date('2022-09-01T00:00:00.000Z')), - }); - esClientMock.msearch.mockResolvedValueOnce(getMsearchResponse()); - const sliClient = new DefaultSLIClient(esClientMock); - - const result = await sliClient.fetchCurrentSLIData([slo]); - - const expectedDateRange = toDateRange(slo.timeWindow); - expect(result[slo.id]).toMatchObject({ good: 90, total: 100 }); - expect(result[slo.id].dateRange.from).toBeClose(expectedDateRange.from); - expect(result[slo.id].dateRange.to).toBeClose(expectedDateRange.to); - // @ts-ignore searches not typed properly - 
expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ - { index: `${SLO_DESTINATION_INDEX_NAME}*` }, - { - size: 0, - query: { - bool: { - filter: [ - { term: { 'slo.id': slo.id } }, - { term: { 'slo.revision': slo.revision } }, - { - range: { - '@timestamp': { - gte: expectedDateRange.from.toISOString(), - lt: expectedDateRange.to.toISOString(), - }, - }, - }, - ], - }, - }, - aggs: { - good: { - sum: { - field: 'slo.isGoodSlice', - }, - }, - total: { - value_count: { - field: 'slo.isGoodSlice', - }, - }, - }, - }, - ]); - }); - }); - - describe('with a rolling time window', () => { - it('returns the aggregated good and total values', async () => { - const slo = createSLO({ - budgetingMethod: 'timeslices', - objective: { - target: 0.95, - timesliceTarget: 0.9, - timesliceWindow: new Duration(10, DurationUnit.Minute), - }, - timeWindow: sevenDaysRolling(), - }); - esClientMock.msearch.mockResolvedValueOnce(getMsearchResponse()); - const sliClient = new DefaultSLIClient(esClientMock); - - const result = await sliClient.fetchCurrentSLIData([slo]); - - const expectedDateRange = toDateRange(slo.timeWindow); - expect(result[slo.id]).toMatchObject({ good: 90, total: 100 }); - expect(result[slo.id].dateRange.from).toBeClose(expectedDateRange.from); - expect(result[slo.id].dateRange.to).toBeClose(expectedDateRange.to); - // @ts-ignore searches not typed properly - expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ - { index: `${SLO_DESTINATION_INDEX_NAME}*` }, - { - size: 0, - query: { - bool: { - filter: [ - { term: { 'slo.id': slo.id } }, - { term: { 'slo.revision': slo.revision } }, - { - range: { - '@timestamp': { gte: expect.anything(), lt: expect.anything() }, - }, - }, - ], - }, - }, - aggs: { - good: { - sum: { - field: 'slo.isGoodSlice', - }, - }, - total: { - value_count: { - field: 'slo.isGoodSlice', - }, - }, - }, - }, - ]); - }); - }); - }); - }); - describe('fetchSLIDataFrom', () => { const LONG_WINDOW = 'long_window'; const 
SHORT_WINDOW = 'short_window'; @@ -306,9 +85,9 @@ describe('SLIClient', () => { }, }, }); - const sliClient = new DefaultSLIClient(esClientMock); + const summaryClient = new DefaultSLIClient(esClientMock); - const result = await sliClient.fetchSLIDataFrom(slo, lookbackWindows); + const result = await summaryClient.fetchSLIDataFrom(slo, lookbackWindows); expect(esClientMock?.search?.mock?.lastCall?.[0]).toMatchObject({ aggs: { @@ -396,9 +175,9 @@ describe('SLIClient', () => { }, }, }); - const sliClient = new DefaultSLIClient(esClientMock); + const summaryClient = new DefaultSLIClient(esClientMock); - const result = await sliClient.fetchSLIDataFrom(slo, lookbackWindows); + const result = await summaryClient.fetchSLIDataFrom(slo, lookbackWindows); expect(esClientMock?.search?.mock?.lastCall?.[0]).toMatchObject({ aggs: { diff --git a/x-pack/plugins/observability/server/services/slo/sli_client.ts b/x-pack/plugins/observability/server/services/slo/sli_client.ts index 6386b101e8207..fe0959b57224a 100644 --- a/x-pack/plugins/observability/server/services/slo/sli_client.ts +++ b/x-pack/plugins/observability/server/services/slo/sli_client.ts 
@@ -9,18 +9,19 @@ import { AggregationsAggregationContainer, AggregationsDateRangeAggregate, AggregationsSumAggregate, + AggregationsValueCountAggregate, MsearchMultisearchBody, } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { ElasticsearchClient } from '@kbn/core/server'; import { assertNever } from '@kbn/std'; import { occurrencesBudgetingMethodSchema, timeslicesBudgetingMethodSchema } from '@kbn/slo-schema'; + import { SLO_DESTINATION_INDEX_NAME } from '../../assets/constants'; import { toDateRange } from '../../domain/services/date_range'; import { InternalQueryError } from '../../errors'; -import { DateRange, Duration, IndicatorData, SLO, SLOId } from '../../domain/models'; +import { DateRange, Duration, IndicatorData, SLO } from '../../domain/models'; export interface SLIClient { - fetchCurrentSLIData(sloList: SLO[]): Promise>; fetchSLIDataFrom( slo: SLO, lookbackWindows: LookbackWindow[] 
@@ -39,41 +40,6 @@ type EsAggregations = Record; export class DefaultSLIClient implements SLIClient { constructor(private esClient: ElasticsearchClient) {} - async fetchCurrentSLIData(sloList: SLO[]): Promise> { - const dateRangeBySlo: Record = sloList.reduce( - (acc, slo) => ({ [slo.id]: toDateRange(slo.timeWindow), ...acc }), - {} - ); - const searches = sloList.flatMap((slo) => [ - { index: `${SLO_DESTINATION_INDEX_NAME}*` }, - generateSearchQuery(slo, dateRangeBySlo[slo.id]), - ]); - - const indicatorDataBySlo: Record = {}; - if (searches.length === 0) { - return indicatorDataBySlo; - } - - const result = await this.esClient.msearch({ searches }); - - for (let i = 0; i < result.responses.length; i++) { - const slo = sloList[i]; - if ('error' in result.responses[i]) { - // handle errorneous responses with default zero values, and keep going - indicatorDataBySlo[slo.id] = { dateRange: dateRangeBySlo[slo.id], good: 0, total: 0 }; - continue; - } - - // @ts-ignore - const { aggregations } = result.responses[i]; - const good = aggregations?.good?.value || 0; - const total = aggregations?.total?.value || 0; - indicatorDataBySlo[slo.id] = { dateRange: dateRangeBySlo[slo.id], good, total }; - } - - return indicatorDataBySlo; - } - async fetchSLIDataFrom( slo: SLO, lookbackWindows: LookbackWindow[] 
@@ -111,38 +77,6 @@ export class DefaultSLIClient implements SLIClient { } } -function generateSearchQuery(slo: SLO, dateRange: DateRange): MsearchMultisearchBody { - if (occurrencesBudgetingMethodSchema.is(slo.budgetingMethod)) { - return { - ...commonQuery(slo, dateRange), - aggs: { - good: { sum: { field: 'slo.numerator' } }, - total: { sum: { field: 'slo.denominator' } }, - }, - }; - } - - if (timeslicesBudgetingMethodSchema.is(slo.budgetingMethod)) { - return { - ...commonQuery(slo, dateRange), - aggs: { - good: { - sum: { - field: 'slo.isGoodSlice', - }, - }, - total: { - value_count: { - field: 'slo.isGoodSlice', - }, - }, - }, - }; - } - - assertNever(slo.budgetingMethod); -} - function commonQuery( slo: SLO, dateRange: DateRange @@ -232,7 +166,7 @@ function handleWindowedResult( } const bucket = windowAggBuckets[0]; const good = (bucket.good as AggregationsSumAggregate).value; - const total = (bucket.total as AggregationsSumAggregate).value; + const total = (bucket.total as AggregationsValueCountAggregate).value; if (good === null || total === null) { throw new InternalQueryError('Invalid aggregation sum bucket response'); } diff --git a/x-pack/plugins/observability/server/services/slo/summary_client.test.ts b/x-pack/plugins/observability/server/services/slo/summary_client.test.ts new file mode 100644 index 0000000000000..f6dcaca04b5d3 --- /dev/null +++ b/x-pack/plugins/observability/server/services/slo/summary_client.test.ts 
@@ -0,0 +1,256 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ElasticsearchClientMock, elasticsearchServiceMock } from '@kbn/core/server/mocks'; +import moment from 'moment'; + +import { SLO_DESTINATION_INDEX_NAME } from '../../assets/constants'; +import { Duration, DurationUnit } from '../../domain/models'; +import { createSLO } from './fixtures/slo'; +import { DefaultSummaryClient } from './summary_client'; +import { sevenDaysRolling, weeklyCalendarAligned } from './fixtures/time_window'; + +const commonEsResponse = { + took: 100, + timed_out: false, + _shards: { + total: 0, + successful: 0, + skipped: 0, + failed: 0, + }, + hits: { + hits: [], + }, +}; + +const createEsResponse = (good: number = 90, total: number = 100) => ({ + ...commonEsResponse, + responses: [ + { + ...commonEsResponse, + aggregations: { + good: { value: good }, + total: { value: total }, + }, + }, + ], +}); + +describe('SummaryClient', () => { + let esClientMock: ElasticsearchClientMock; + + beforeEach(() => { + esClientMock = elasticsearchServiceMock.createElasticsearchClient(); + }); + + describe('fetchSummary', () => { + describe('with rolling and occurrences SLO', () => { + it('returns the summary', async () => { + const slo = createSLO({ timeWindow: sevenDaysRolling() }); + esClientMock.msearch.mockResolvedValueOnce(createEsResponse()); + const summaryClient = new DefaultSummaryClient(esClientMock); + + const result = await summaryClient.fetchSummary([slo]); + + expect(result[slo.id]).toMatchSnapshot(); + // @ts-ignore + expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ + { index: `${SLO_DESTINATION_INDEX_NAME}*` }, + { + size: 0, + query: { + bool: { + filter: [ + { term: { 'slo.id': slo.id } }, + { term: { 'slo.revision': slo.revision } }, + { + 
range: { + '@timestamp': { gte: expect.anything(), lt: expect.anything() }, + }, + }, + ], + }, + }, + aggs: { + good: { sum: { field: 'slo.numerator' } }, + total: { sum: { field: 'slo.denominator' } }, + }, + }, + ]); + }); + }); + + describe('with calendar aligned and occurrences SLO', () => { + it('returns the summary', async () => { + const slo = createSLO({ + timeWindow: weeklyCalendarAligned(new Date('2022-09-01T00:00:00.000Z')), + }); + esClientMock.msearch.mockResolvedValueOnce(createEsResponse()); + const summaryClient = new DefaultSummaryClient(esClientMock); + + await summaryClient.fetchSummary([slo]); + + // @ts-ignore + expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ + { index: `${SLO_DESTINATION_INDEX_NAME}*` }, + { + size: 0, + query: { + bool: { + filter: [ + { term: { 'slo.id': slo.id } }, + { term: { 'slo.revision': slo.revision } }, + { + range: { + '@timestamp': { + gte: expect.anything(), + lt: expect.anything(), + }, + }, + }, + ], + }, + }, + aggs: { + good: { sum: { field: 'slo.numerator' } }, + total: { sum: { field: 'slo.denominator' } }, + }, + }, + ]); + }); + }); + + describe('with rolling and timeslices SLO', () => { + it('returns the summary', async () => { + const slo = createSLO({ + budgetingMethod: 'timeslices', + objective: { + target: 0.95, + timesliceTarget: 0.9, + timesliceWindow: new Duration(10, DurationUnit.Minute), + }, + timeWindow: sevenDaysRolling(), + }); + esClientMock.msearch.mockResolvedValueOnce(createEsResponse()); + const summaryClient = new DefaultSummaryClient(esClientMock); + + const result = await summaryClient.fetchSummary([slo]); + + expect(result[slo.id]).toMatchSnapshot(); + // @ts-ignore searches not typed properly + expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ + { index: `${SLO_DESTINATION_INDEX_NAME}*` }, + { + size: 0, + query: { + bool: { + filter: [ + { term: { 'slo.id': slo.id } }, + { term: { 'slo.revision': slo.revision } }, + { + range: { + '@timestamp': { 
gte: expect.anything(), lt: expect.anything() }, + }, + }, + ], + }, + }, + aggs: { + good: { + sum: { + field: 'slo.isGoodSlice', + }, + }, + total: { + value_count: { + field: 'slo.isGoodSlice', + }, + }, + }, + }, + ]); + }); + }); + + describe('with calendar aligned and timeslices SLO', () => { + it('returns the summary', async () => { + const slo = createSLO({ + budgetingMethod: 'timeslices', + objective: { + target: 0.95, + timesliceTarget: 0.9, + timesliceWindow: new Duration(10, DurationUnit.Minute), + }, + timeWindow: weeklyCalendarAligned(new Date('2022-09-01T00:00:00.000Z')), + }); + esClientMock.msearch.mockResolvedValueOnce(createEsResponse()); + const summaryClient = new DefaultSummaryClient(esClientMock); + + const result = await summaryClient.fetchSummary([slo]); + + expect(result[slo.id]).toMatchSnapshot(); + // @ts-ignore searches not typed properly + expect(esClientMock.msearch.mock.calls[0][0].searches).toEqual([ + { index: `${SLO_DESTINATION_INDEX_NAME}*` }, + { + size: 0, + query: { + bool: { + filter: [ + { term: { 'slo.id': slo.id } }, + { term: { 'slo.revision': slo.revision } }, + { + range: { + '@timestamp': { + gte: expect.anything(), + lt: expect.anything(), + }, + }, + }, + ], + }, + }, + aggs: { + good: { + sum: { + field: 'slo.isGoodSlice', + }, + }, + total: { + value_count: { + field: 'slo.isGoodSlice', + }, + }, + }, + }, + ]); + }); + }); + }); +}); + +expect.extend({ + toBeClose(received: Date | string, actual: Date | string) { + const receivedDate = moment(received); + const actualDate = moment(actual); + return { + message: () => + `expected ${receivedDate.toISOString()} to be close to ${actualDate.toISOString()}`, + pass: Math.abs(receivedDate.diff(actualDate, 'seconds')) <= 120, + }; + }, +}); + +declare global { + // eslint-disable-next-line @typescript-eslint/no-namespace + namespace jest { + interface Matchers { + toBeClose(actual: Date | string): R; + } + } +} 
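Review bot: The `toBeClose` matcher registered at the bottom of this file, together with its `declare global` typing, is never used: every `@timestamp` bound is asserted with `expect.anything()`, so the date range computed for rolling versus calendar-aligned windows is not checked. Either assert the bounds with it or drop the matcher and the global declaration. All four cases also mock a fully successful `msearch` response, and the calendar-aligned occurrences case never inspects the returned summary. A case with an `error` item in `responses` would pin the fallback behaviour, and the empty input path could be covered with `expect(await summaryClient.fetchSummary([])).toEqual({});`.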
diff --git a/x-pack/plugins/observability/server/services/slo/summary_client.ts b/x-pack/plugins/observability/server/services/slo/summary_client.ts new file mode 100644 index 0000000000000..e531f7dd2e967 --- /dev/null +++ b/x-pack/plugins/observability/server/services/slo/summary_client.ts 
@@ -0,0 +1,98 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { MsearchMultisearchBody } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { ElasticsearchClient } from '@kbn/core/server'; +import { occurrencesBudgetingMethodSchema, timeslicesBudgetingMethodSchema } from '@kbn/slo-schema'; +import { SLO_DESTINATION_INDEX_NAME } from '../../assets/constants'; +import { toDateRange } from '../../domain/services/date_range'; +import { DateRange, SLO, SLOId, Summary } from '../../domain/models'; +import { computeErrorBudget, computeSLI, computeSummaryStatus } from '../../domain/services'; + +export interface SummaryClient { + fetchSummary(sloList: SLO[]): Promise>; +} + +export class DefaultSummaryClient implements SummaryClient { + constructor(private esClient: ElasticsearchClient) {} + + async fetchSummary(sloList: SLO[]): Promise> { + const dateRangeBySlo: Record = sloList.reduce( + (acc, slo) => ({ [slo.id]: toDateRange(slo.timeWindow), ...acc }), + {} + ); + const searches = sloList.flatMap((slo) => [ + { index: `${SLO_DESTINATION_INDEX_NAME}*` }, + generateSearchQuery(slo, dateRangeBySlo[slo.id]), + ]); + + const summaryBySlo: Record = {}; + if (searches.length === 0) { + return summaryBySlo; + } + + const result = await this.esClient.msearch({ searches }); + + for (let i = 0; i < result.responses.length; i++) { + const slo = sloList[i]; + + // @ts-ignore + const { aggregations = {} } = result.responses[i]; + const good = aggregations?.good?.value ?? 0; + const total = aggregations?.total?.value ?? 
0; + + const sliValue = computeSLI({ good, total }); + const errorBudget = computeErrorBudget(slo, { + dateRange: dateRangeBySlo[slo.id], + good, + total, + }); + summaryBySlo[slo.id] = { + sliValue, + errorBudget, + status: computeSummaryStatus(slo, sliValue, errorBudget), + }; + } + + return summaryBySlo; + } +} + +function generateSearchQuery(slo: SLO, dateRange: DateRange): MsearchMultisearchBody { + return { + size: 0, + query: { + bool: { + filter: [ + { term: { 'slo.id': slo.id } }, + { term: { 'slo.revision': slo.revision } }, + { + range: { + '@timestamp': { gte: dateRange.from.toISOString(), lt: dateRange.to.toISOString() }, + }, + }, + ], + }, + }, + ...(occurrencesBudgetingMethodSchema.is(slo.budgetingMethod) && { + aggs: { + good: { sum: { field: 'slo.numerator' } }, + total: { sum: { field: 'slo.denominator' } }, + }, + }), + ...(timeslicesBudgetingMethodSchema.is(slo.budgetingMethod) && { + aggs: { + good: { + sum: { field: 'slo.isGoodSlice' }, + }, + total: { + value_count: { field: 'slo.isGoodSlice' }, + }, + }, + }), + }; +} diff --git a/x-pack/plugins/reporting/public/share_context_menu/register_csv_reporting.tsx b/x-pack/plugins/reporting/public/share_context_menu/register_csv_reporting.tsx index eada57161e3a3..1116652ab05f9 100644 --- a/x-pack/plugins/reporting/public/share_context_menu/register_csv_reporting.tsx +++ b/x-pack/plugins/reporting/public/share_context_menu/register_csv_reporting.tsx @@ -72,7 +72,7 @@ export const reportingCsvShareProvider = ({ icon: 'document', toolTipContent: licenseToolTipContent, disabled: licenseDisabled, - ['data-test-subj']: 'csvReportMenuItem', + ['data-test-subj']: 'CSVReports', sortOrder: 1, }, panel: { diff --git a/x-pack/plugins/reporting/public/share_context_menu/register_pdf_png_reporting.tsx b/x-pack/plugins/reporting/public/share_context_menu/register_pdf_png_reporting.tsx index 8ea26a6964be6..167ff3311f50a 100644 --- a/x-pack/plugins/reporting/public/share_context_menu/register_pdf_png_reporting.tsx 
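Review bot: A failed sub-search in the `msearch` response is now indistinguishable from an SLO that has no data. In `fetchSummary`, `const { aggregations = {} } = result.responses[i]` turns an error item into good = 0 and total = 0, and the `@ts-ignore` above it hides that the item may have the error shape. The removed `fetchCurrentSLIData` branched on `'error' in result.responses[i]`; keeping that branch, as in `if ('error' in result.responses[i]) { /* record the failure instead of summarising zeros */ }`, would stop a query failure from being reported as a computed status. `generateSearchQuery` also lost the `assertNever(slo.budgetingMethod)` fallback, so a budgeting method matched by neither schema yields a body with no `aggs` and the same silent zeros.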
+++ b/x-pack/plugins/reporting/public/share_context_menu/register_pdf_png_reporting.tsx @@ -132,7 +132,7 @@ export const reportingScreenshotShareProvider = ({ icon: 'document', toolTipContent: licenseToolTipContent, disabled: licenseDisabled, - ['data-test-subj']: 'pngReportMenuItem', + ['data-test-subj']: 'PNGReports', sortOrder: 10, }, panel: { @@ -167,7 +167,7 @@ export const reportingScreenshotShareProvider = ({ icon: 'document', toolTipContent: licenseToolTipContent, disabled: licenseDisabled, - ['data-test-subj']: 'pdfReportMenuItem', + ['data-test-subj']: 'PDFReports', sortOrder: 10, }, panel: { diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts index 9aa0bbd7343cb..ff0ec174b0846 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts @@ -34,7 +34,7 @@ import { WriteOperations, AlertingAuthorizationEntity, } from '@kbn/alerting-plugin/server'; -import { Logger, ElasticsearchClient, EcsEventOutcome } from '@kbn/core/server'; +import { Logger, ElasticsearchClient, EcsEvent } from '@kbn/core/server'; import { AuditLogger } from '@kbn/security-plugin/server'; import { IndexPatternsFetcher } from '@kbn/data-plugin/server'; import { isEmpty } from 'lodash'; @@ -146,7 +146,7 @@ export class AlertsClient { private getOutcome( operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get - ): { outcome: EcsEventOutcome } { + ): { outcome: EcsEvent['outcome'] } { return { outcome: operation === WriteOperations.Update ? 'unknown' : 'success', }; diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/audit_events.ts b/x-pack/plugins/rule_registry/server/alert_data_client/audit_events.ts index 36a6a497203e7..8ea76b768ce2e 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/audit_events.ts 
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/audit_events.ts @@ -5,9 +5,10 @@ * 2.0. */ -import { EcsEventOutcome, EcsEventType } from '@kbn/core/server'; +import { EcsEvent } from '@kbn/core/server'; import { AuditEvent } from '@kbn/security-plugin/server'; import { ReadOperations, WriteOperations } from '@kbn/alerting-plugin/server'; +import { ArrayElement } from '@kbn/utility-types'; export enum AlertAuditAction { GET = 'alert_get', @@ -29,7 +30,7 @@ const eventVerbs: Record = { alert_find: ['access', 'accessing', 'accessed'], }; -const eventTypes: Record = { +const eventTypes: Record> = { alert_get: 'access', alert_update: 'change', alert_find: 'access', @@ -37,7 +38,7 @@ const eventTypes: Record = { export interface AlertAuditEventParams { action: AlertAuditAction; - outcome?: EcsEventOutcome; + outcome?: EcsEvent['outcome']; id?: string; error?: Error; } diff --git a/x-pack/plugins/security/server/audit/audit_events.ts b/x-pack/plugins/security/server/audit/audit_events.ts index 26cfec1a6c420..42cc7d4712af2 100644 --- a/x-pack/plugins/security/server/audit/audit_events.ts +++ b/x-pack/plugins/security/server/audit/audit_events.ts @@ -9,7 +9,8 @@ import type { AuditAction, AddAuditEventParams as SavedObjectEventParams, } from '@kbn/core-saved-objects-server'; -import type { EcsEventOutcome, EcsEventType, KibanaRequest, LogMeta } from '@kbn/core/server'; +import type { EcsEvent, KibanaRequest, LogMeta } from '@kbn/core/server'; +import type { ArrayElement } from '@kbn/utility-types'; import type { AuthenticationProvider } from '../../common/model'; import type { AuthenticationResult } from '../authentication/authentication_result'; @@ -355,7 +356,7 @@ const savedObjectAuditVerbs: Record = { ], }; -const savedObjectAuditTypes: Record = { +const savedObjectAuditTypes: Record> = { saved_object_create: 'creation', saved_object_get: 'access', saved_object_resolve: 'access', 
@@ -430,7 +431,7 @@ const spaceAuditVerbs: Record = { space_find: ['access', 'accessing', 'accessed'], }; -const spaceAuditTypes: Record = { +const spaceAuditTypes: Record> = { space_create: 'creation', space_get: 'access', space_update: 'change', @@ -440,7 +441,7 @@ const spaceAuditTypes: Record = { export interface SpacesAuditEventParams { action: SpaceAuditAction; - outcome?: EcsEventOutcome; + outcome?: EcsEvent['outcome']; savedObject?: NonNullable['saved_object']; error?: Error; } diff --git a/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.test.ts b/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.test.ts index 1aad389855c10..bd6eb1fa1456e 100644 --- a/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.test.ts +++ b/x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.test.ts @@ -6,7 +6,7 @@ */ import { AuditAction } from '@kbn/core-saved-objects-server'; -import type { EcsEventOutcome, SavedObjectsClient } from '@kbn/core/server'; +import type { EcsEvent, SavedObjectsClient } from '@kbn/core/server'; import { auditLoggerMock } from '../audit/mocks'; import type { CheckSavedObjectsPrivileges } from '../authorization'; @@ -472,7 +472,7 @@ describe('#addAuditEvent', () => { test(`adds an unknown audit event`, async () => { const { auditLogger, securityExtension } = setup(); const action = AuditAction.UPDATE_OBJECTS_SPACES; - const outcome: EcsEventOutcome = 'unknown'; + const outcome: EcsEvent['outcome'] = 'unknown'; const savedObject = { type: 'dashboard', id: '3' }; const spaces = ['space-id']; 
@@ -505,7 +505,7 @@ describe('#addAuditEvent', () => { test(`adds a success audit event`, async () => { const { auditLogger, securityExtension } = setup(); const action = AuditAction.UPDATE_OBJECTS_SPACES; - const outcome: EcsEventOutcome = 'success'; + const outcome: EcsEvent['outcome'] = 'success'; const savedObject = { type: 'dashboard', id: '3' }; const spaces = ['space-id']; @@ -538,7 +538,7 @@ describe('#addAuditEvent', () => { test(`adds a failure audit event`, async () => { const { auditLogger, securityExtension } = setup(); const action = AuditAction.DELETE; - const outcome: EcsEventOutcome = 'failure'; + const outcome: EcsEvent['outcome'] = 'failure'; const savedObject = { type: 'dashboard', id: '3' }; const error: Error = { name: 'test_error', diff --git a/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts b/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts index c571c96e87e71..085ab11076a57 100644 --- a/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts +++ b/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts @@ -9,7 +9,7 @@ import { savedObjectsExtensionsMock } from '@kbn/core-saved-objects-api-server-m import type { ISavedObjectsSecurityExtension } from '@kbn/core-saved-objects-server'; import { AuditAction } from '@kbn/core-saved-objects-server'; import { setMapsAreEqual, setsAreEqual } from '@kbn/core-saved-objects-utils-server'; -import type { EcsEventOutcome, SavedObjectsFindResponse } from '@kbn/core/server'; +import type { EcsEvent, SavedObjectsFindResponse } from '@kbn/core/server'; import { SavedObjectsErrorHelpers } from '@kbn/core/server'; import { httpServerMock } from '@kbn/core/server/mocks'; import type { GetAllSpacesPurpose, LegacyUrlAliasTarget, Space } from '@kbn/spaces-plugin/server'; 
@@ -140,7 +140,7 @@ const expectNoAuthorizationCheck = ( const expectAuditEvent = ( auditLogger: AuditLogger, action: string, - outcome: EcsEventOutcome, + outcome: EcsEvent['outcome'], savedObject?: Required['kibana']['saved_object'] ) => { expect(auditLogger.log).toHaveBeenCalledWith( diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts index d60ef8dd54d51..20f41f938502b 100644 --- a/x-pack/plugins/security_solution/cypress/objects/rule.ts +++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts @@ -387,8 +387,8 @@ export const getNewTermsRule = (): NewTermsRule => ({ export const getMachineLearningRule = (): MachineLearningRule => ({ machineLearningJobs: [ - 'v3_linux_anomalous_network_activity', - 'v3_linux_anomalous_process_all_hosts', + 'Unusual Linux Network Activity', + 'Anomalous Process for a Linux Population', ], anomalyScoreThreshold: 20, name: 'New ML Rule Test', diff --git a/x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts b/x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts index 146f5d68d70e9..80b53926ed720 100644 --- a/x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts +++ b/x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts @@ -111,6 +111,8 @@ export const LOOK_BACK_TIME_TYPE = export const MACHINE_LEARNING_DROPDOWN_INPUT = '[data-test-subj="mlJobSelect"] [data-test-subj="comboBoxInput"]'; +export const MACHINE_LEARNING_DROPDOWN_OPTION = '[data-test-subj="comboBoxOptionsList "] button'; + export const MACHINE_LEARNING_TYPE = '[data-test-subj="machineLearningRuleType"]'; export const MITRE_TACTIC = '.euiContextMenuItem__text'; diff --git a/x-pack/plugins/security_solution/cypress/screens/rule_details.ts b/x-pack/plugins/security_solution/cypress/screens/rule_details.ts index 38f7ff2e34607..222ef1f684193 100644 --- a/x-pack/plugins/security_solution/cypress/screens/rule_details.ts 
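Review bot: The new `MACHINE_LEARNING_DROPDOWN_OPTION` selector in `screens/create_new_rule.ts` matches the attribute value exactly, including the trailing space in `"comboBoxOptionsList "`, so it stops matching as soon as the options list carries any additional test-subject token. A word match is less brittle: `'[data-test-subj~="comboBoxOptionsList"] button'`. The constant is also not referenced in the `tasks/create_new_rule.ts` hunk shown on this page, which selects jobs with `{downArrow}{enter}` instead; if nothing else imports it, it can be dropped.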
+++ b/x-pack/plugins/security_solution/cypress/screens/rule_details.ts @@ -59,7 +59,7 @@ export const INVESTIGATION_NOTES_MARKDOWN = 'test markdown'; export const INVESTIGATION_NOTES_TOGGLE = '[data-test-subj="stepAboutDetailsToggle-notes"]'; -export const MACHINE_LEARNING_JOB_ID = '[data-test-subj="machineLearningJobId"]'; +export const MACHINE_LEARNING_JOB_ID = '[data-test-subj="machineLearningJob"]'; export const MACHINE_LEARNING_JOB_STATUS = '[data-test-subj="machineLearningJobStatus"]'; diff --git a/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts b/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts index b0e4239de2dbd..07a104102625f 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts @@ -617,11 +617,14 @@ export const fillDefineIndicatorMatchRuleAndContinue = (rule: ThreatIndicatorRul }; export const fillDefineMachineLearningRuleAndContinue = (rule: MachineLearningRule) => { - rule.machineLearningJobs.forEach((machineLearningJob) => { - cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).click({ force: true }); - cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).type(`${machineLearningJob}{enter}`); - cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).type('{esc}'); - }); + const text = rule.machineLearningJobs + .map((machineLearningJob) => `${machineLearningJob}{downArrow}{enter}`) + .join(''); + cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).click({ force: true }); + cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).type(text); + + cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).type('{esc}'); + cy.get(ANOMALY_THRESHOLD_INPUT).type( `{selectall}${getMachineLearningRule().anomalyScoreThreshold}`, { 
diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_donut.test.ts.snap b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_donut.test.ts.snap index 8352c1b59bb03..5bf935430d2bd 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_donut.test.ts.snap +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_donut.test.ts.snap @@ -6,11 +6,11 @@ Object { "references": Array [], "state": Object { "adHocDataViews": Object { - "1dd5663b-f062-43f8-8688-fc8166c2ca8e": Object { + "d594baeb-5eca-480c-8885-ba79eaf41372": Object { "allowNoIndex": false, "fieldAttrs": Object {}, "fieldFormats": Object {}, - "id": "1dd5663b-f062-43f8-8688-fc8166c2ca8e", + "id": "d594baeb-5eca-480c-8885-ba79eaf41372", "name": "ml_host_risk_score_latest_mockSpaceId", "runtimeFieldMap": Object {}, "sourceFilters": Array [], @@ -21,7 +21,7 @@ Object { "datasourceStates": Object { "formBased": Object { "layers": Object { - "d594baeb-5eca-480c-8885-ba79eaf41372": Object { + "2cc5663b-f062-43f8-8688-fc8166c2ca8e": Object { "columnOrder": Array [ "a2e8541a-c22f-4e43-8a12-caa33edc5de0", "75179122-96fc-40e1-93b4-8e9310af5f06", @@ -115,8 +115,8 @@ Object { ], "internalReferences": Array [ Object { - "id": "1dd5663b-f062-43f8-8688-fc8166c2ca8e", - "name": "indexpattern-datasource-layer-d594baeb-5eca-480c-8885-ba79eaf41372", + "id": "d594baeb-5eca-480c-8885-ba79eaf41372", + "name": "indexpattern-datasource-layer-2cc5663b-f062-43f8-8688-fc8166c2ca8e", "type": "index-pattern", }, ], 
@@ -129,7 +129,7 @@ Object { Object { "categoryDisplay": "hide", "emptySizeRatio": 0.82, - "layerId": "d594baeb-5eca-480c-8885-ba79eaf41372", + "layerId": "2cc5663b-f062-43f8-8688-fc8166c2ca8e", "layerType": "data", "legendDisplay": "show", "legendPosition": "left", diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_over_time_area.test.ts.snap b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_over_time_area.test.ts.snap index 42d74de580706..c178855402cc1 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_over_time_area.test.ts.snap +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/__snapshots__/risk_score_over_time_area.test.ts.snap @@ -6,11 +6,11 @@ Object { "references": Array [], "state": Object { "adHocDataViews": Object { - "e614baeb-5eca-480c-8885-ba79eaf41372": Object { + "d594baeb-5eca-480c-8885-ba79eaf41372": Object { "allowNoIndex": false, "fieldAttrs": Object {}, "fieldFormats": Object {}, - "id": "e614baeb-5eca-480c-8885-ba79eaf41372", + "id": "d594baeb-5eca-480c-8885-ba79eaf41372", "name": "ml_host_risk_score_mockSpaceId", "runtimeFieldMap": Object {}, "sourceFilters": Array [], 
@@ -21,30 +21,7 @@ Object { "datasourceStates": Object { "formBased": Object { "layers": Object { - "c604baeb-5eca-480c-8885-ba79eaf41372": Object { - "columnOrder": Array [ - "1dd5663b-f062-43f8-8688-fc8166c2ca8e", - ], - "columns": Object { - "1dd5663b-f062-43f8-8688-fc8166c2ca8e": Object { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "isStaticValue": true, - "label": "Risky threshold", - "operationType": "static_value", - "params": Object { - "value": "70", - }, - "references": Array [], - "scale": "ratio", - }, - }, - "incompleteColumns": Object {}, - "linkToLayers": Array [], - "sampling": 1, - }, - "d594baeb-5eca-480c-8885-ba79eaf41372": Object { + "e614baeb-5eca-480c-8885-ba79eaf41372": Object { "columnOrder": Array [ "02a55c97-d7a4-440d-ac77-33b941c16189", "8886a925-4419-4d9a-8498-3bda4ecf1b0a", @@ -85,6 +62,29 @@ Object { "incompleteColumns": Object {}, "sampling": 1, }, + "f614baeb-5eca-480c-8885-ba79eaf52483": Object { + "columnOrder": Array [ + "1dd5663b-f062-43f8-8688-fc8166c2ca8e", + ], + "columns": Object { + "1dd5663b-f062-43f8-8688-fc8166c2ca8e": Object { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "isStaticValue": true, + "label": "Risky threshold", + "operationType": "static_value", + "params": Object { + "value": "70", + }, + "references": Array [], + "scale": "ratio", + }, + }, + "incompleteColumns": Object {}, + "linkToLayers": Array [], + "sampling": 1, + }, }, }, "textBased": Object { 
@@ -129,13 +129,13 @@ Object { ], "internalReferences": Array [ Object { - "id": "e614baeb-5eca-480c-8885-ba79eaf41372", - "name": "indexpattern-datasource-layer-d594baeb-5eca-480c-8885-ba79eaf41372", + "id": "d594baeb-5eca-480c-8885-ba79eaf41372", + "name": "indexpattern-datasource-layer-e614baeb-5eca-480c-8885-ba79eaf41372", "type": "index-pattern", }, Object { - "id": "e614baeb-5eca-480c-8885-ba79eaf41372", - "name": "indexpattern-datasource-layer-c604baeb-5eca-480c-8885-ba79eaf41372", + "id": "d594baeb-5eca-480c-8885-ba79eaf41372", + "name": "indexpattern-datasource-layer-f614baeb-5eca-480c-8885-ba79eaf52483", "type": "index-pattern", }, ], @@ -159,7 +159,7 @@ Object { "accessors": Array [ "8886a925-4419-4d9a-8498-3bda4ecf1b0a", ], - "layerId": "d594baeb-5eca-480c-8885-ba79eaf41372", + "layerId": "e614baeb-5eca-480c-8885-ba79eaf41372", "layerType": "data", "position": "top", "seriesType": "line", @@ -176,7 +176,7 @@ Object { "accessors": Array [ "1dd5663b-f062-43f8-8688-fc8166c2ca8e", ], - "layerId": "c604baeb-5eca-480c-8885-ba79eaf41372", + "layerId": "f614baeb-5eca-480c-8885-ba79eaf52483", "layerType": "referenceLine", "yConfig": Array [ Object { diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.test.ts b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.test.ts index b7a30e1c02979..df536a7e33d17 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.test.ts +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.test.ts 
@@ -34,7 +34,8 @@ jest.mock('uuid', () => ({ v4: jest .fn() .mockReturnValueOnce('d594baeb-5eca-480c-8885-ba79eaf41372') - .mockReturnValue('1dd5663b-f062-43f8-8688-fc8166c2ca8e'), + .mockReturnValueOnce('1dd5663b-f062-43f8-8688-fc8166c2ca8e') + .mockReturnValue('2cc5663b-f062-43f8-8688-fc8166c2ca8e'), })); describe('getRiskScoreDonutAttributes', () => { diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.ts b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.ts index da79a1a7b0245..9aad237e66c88 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.ts +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_donut.ts @@ -8,12 +8,14 @@ import { v4 as uuidv4 } from 'uuid'; import type { GetLensAttributes } from '../../../types'; +const internalReferenceIdMapping: Record = { host: uuidv4(), user: uuidv4() }; + export const getRiskScoreDonutAttributes: GetLensAttributes = ( - stackByField, + stackByField = 'host', extraOptions = { spaceId: 'default' } ) => { const layerId = uuidv4(); - const internalReferenceId = uuidv4(); + const internalReferenceId = internalReferenceIdMapping[stackByField]; return { title: `${stackByField} risk donut`, description: '', diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.test.ts b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.test.ts index a284a2c1104ee..08cd3d131d166 100644 
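Review bot: In `getRiskScoreDonutAttributes` (risk_score_donut.ts), `internalReferenceIdMapping[stackByField]` evaluates to `undefined` for any `stackByField` other than `host` or `user`, where the removed `uuidv4()` call always produced an id. The `GetLensAttributes` type is not visible here, so if it admits other values keep a fallback: `const internalReferenceId = internalReferenceIdMapping[stackByField] ?? uuidv4();`. The same lookup is added to `getRiskScoreOverTimeAreaAttributes` in risk_score_over_time_area.ts and needs the same guard. A one-line comment on the module-level map saying why the ids are now generated once per module load rather than per call would also help, since the diff does not state the reason. Both function bodies continue outside their hunks.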
--- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.test.ts +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.test.ts @@ -36,6 +36,7 @@ jest.mock('uuid', () => ({ .mockReturnValueOnce('d594baeb-5eca-480c-8885-ba79eaf41372') .mockReturnValueOnce('c604baeb-5eca-480c-8885-ba79eaf41372') .mockReturnValueOnce('e614baeb-5eca-480c-8885-ba79eaf41372') + .mockReturnValueOnce('f614baeb-5eca-480c-8885-ba79eaf52483') .mockReturnValue('1dd5663b-f062-43f8-8688-fc8166c2ca8e'), })); diff --git a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.ts b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.ts index 1db72e96db116..b100e5042a33a 100644 --- a/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.ts +++ b/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/common/risk_scores/risk_score_over_time_area.ts @@ -7,13 +7,16 @@ import { v4 as uuidv4 } from 'uuid'; import type { GetLensAttributes } from '../../../types'; + +const internalReferenceIdMapping: Record = { host: uuidv4(), user: uuidv4() }; + export const getRiskScoreOverTimeAreaAttributes: GetLensAttributes = ( stackByField = 'host', extraOptions = { spaceId: 'default' } ) => { const layerIds = [uuidv4(), uuidv4()]; - const internalReferenceId = uuidv4(); const layer2ColumnId = uuidv4(); + const internalReferenceId = internalReferenceIdMapping[stackByField]; return { title: `${stackByField} risk score over time`, description: '', 
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/ml_rule_warning_popover.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/ml_rule_warning_popover.tsx index 85768f2bbc5ed..539cd7f1f6e74 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/ml_rule_warning_popover.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/ml_rule_warning_popover.tsx @@ -76,7 +76,7 @@ const MlRuleWarningPopoverComponent: React.FC {notRunningJobs.map((job) => ( - {job.id} + {job.customSettings?.security_app_display_name ?? job.id} ))} { + const originalModule = jest.requireActual('../../../../common/lib/kibana'); + return { + ...originalModule, + useKibana: jest.fn().mockReturnValue({ + services: { theme: { theme$: {} }, http: { basePath: { get: jest.fn(() => {}) } } }, + }), + }; +}); + +describe('MlJobLink', () => { + it('renders job name when available', () => { + const jobName = 'test_job_name'; + const { getByTestId } = render(, { + wrapper: TestProviders, + }); + + expect(getByTestId('machineLearningJobLink')).toHaveTextContent(jobName); + }); + + it('renders job id when job name is unavailable', () => { + const jobId = 'test_job_id'; + const { getByTestId } = render(, { + wrapper: TestProviders, + }); + + expect(getByTestId('machineLearningJobLink')).toHaveTextContent(jobId); + }); +}); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_link/ml_job_link.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_link/ml_job_link.tsx index a3eefb1240486..7680b5b72dff3 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_link/ml_job_link.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_link/ml_job_link.tsx 
@@ -18,9 +18,10 @@ const StyledJobEuiLInk = styled(EuiLink)` interface MlJobLinkProps { jobId: string; + jobName: string | undefined; } -const MlJobLinkComponent: React.FC = ({ jobId }) => { +const MlJobLinkComponent: React.FC = ({ jobId, jobName }) => { const { services: { http, ml }, } = useKibana(); @@ -33,7 +34,7 @@ const MlJobLinkComponent: React.FC = ({ jobId }) => { return ( - {jobId} + {jobName ?? jobId} ); }; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx index 5bce4dae67903..7e55c3cb43770 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx @@ -31,6 +31,7 @@ import * as i18n from './translations'; interface MlJobValue { id: string; description: string; + name?: string; } const JobDisplayContainer = styled.div` @@ -50,9 +51,9 @@ const MlJobEuiButton = styled(EuiButton)` margin-top: 20px; `; -const JobDisplay: React.FC = ({ id, description }) => ( +const JobDisplay: React.FC = ({ description, name, id }) => ( - {id} + {name ?? id}

    {description}

    @@ -67,8 +68,13 @@ interface MlJobSelectProps { } const renderJobOption = (option: MlJobOption) => ( - // eslint-disable-next-line @typescript-eslint/no-non-null-assertion - + ); export const MlJobSelect: React.FC = ({ describedByIds = [], field }) => { @@ -90,11 +96,17 @@ export const MlJobSelect: React.FC = ({ describedByIds = [], f value: { id: job.id, description: job.description, + name: job.customSettings?.security_app_display_name, }, - label: job.id, + // Make sure users can search for id or name. + // The label contains the name and id because EuiComboBox uses it for the textual search. + label: `${job.customSettings?.security_app_display_name} ${job.id}`, })); - const selectedJobOptions = jobOptions.filter((option) => jobIds.includes(option.value.id)); + const selectedJobOptions = jobOptions + .filter((option) => jobIds.includes(option.value.id)) + // 'label' defines what is rendered inside the selected ComboBoxPill + .map((options) => ({ ...options, label: options.value.name ?? options.value.id })); const notRunningJobIds = useMemo(() => { const selectedJobs = jobs.filter(({ id }) => jobIds.includes(id)); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/ml_jobs_description/ml_job_item.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/ml_jobs_description/ml_job_item.tsx index 377600652c7d0..b706ed4135f49 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/ml_jobs_description/ml_job_item.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/ml_jobs_description/ml_job_item.tsx @@ -32,7 +32,7 @@ const MlJobItemComponent: FC<{ return (
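Review bot: The new search label in `MlJobSelect` is the template literal `${job.customSettings?.security_app_display_name} ${job.id}`, which puts the literal text `undefined` into the label of every job that has no `security_app_display_name`. Because the added comment says `EuiComboBox` searches on the label, those jobs would then match a search for "undefined". Build the label only from the parts that exist, for example `label: [job.customSettings?.security_app_display_name, job.id].filter(Boolean).join(' ')`. The `selectedJobOptions` mapping added just below already falls back with `options.value.name ?? options.value.id`, so the two would then agree. The component body continues outside the hunk.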
    - +
    diff --git a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/render_cell_value.tsx index 4df1eb412b2b3..21d0d3a199f55 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/render_cell_value.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/render_cell_value.tsx @@ -7,6 +7,7 @@ import type { EuiDataGridCellValueElementProps } from '@elastic/eui'; import { EuiIcon, EuiToolTip, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; +import { find } from 'lodash/fp'; import React, { useMemo } from 'react'; import { GuidedOnboardingTourStep } from '../../../common/components/guided_onboarding_tour/tour_step'; import { isDetectionsAlertsTable } from '../../../common/components/top_n/helpers'; @@ -42,7 +43,15 @@ export const RenderCellValue: React.FC 0 ? ( + actualSuppressionCount && + actualSuppressionCount > 0 ? ( - + @@ -108,7 +114,7 @@ export const useRenderCellValue = ({ } return ( - - {defaultToEmptyTag(geo)} + ); } else { diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_execution_output.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_execution_output.tsx index 4ebf075004b89..7f5d2a638e59c 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/command_execution_output.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_execution_output.tsx @@ -92,7 +92,7 @@ export const CommandExecutionOutput = memo( return (
    - +
    {/* UX desire for 12px (current theme): achieved with EuiSpace sizes - s (8px) + xs (4px) */} diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/command_input.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/command_input.tsx index 0310b0251d5d0..8aeaf9a4c0043 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/command_input.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/command_input.tsx @@ -12,6 +12,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiButtonIcon, EuiResizeObserver } from '@el import styled from 'styled-components'; import classNames from 'classnames'; import type { EuiResizeObserverProps } from '@elastic/eui/src/components/observer/resize_observer/resize_observer'; +import type { ExecuteCommandPayload, ConsoleDataState } from '../console_state/types'; import { useWithInputShowPopover } from '../../hooks/state_selectors/use_with_input_show_popover'; import { EnteredInput } from './lib/entered_input'; import type { InputCaptureProps } from './components/input_capture'; @@ -40,6 +41,13 @@ const CommandInputContainer = styled.div` border-bottom-color: ${({ theme: { eui } }) => eui.euiColorDanger}; } + .inputDisplay { + & > * { + flex-direction: row; + align-items: center; + } + } + .textEntered { white-space: break-spaces; } 
@@ -88,13 +96,17 @@ export interface CommandInputProps extends CommonProps { export const CommandInput = memo(({ prompt = '', focusRef, ...commonProps }) => { useInputHints(); + const getTestId = useTestIdGenerator(useDataTestSubj()); const dispatch = useConsoleStateDispatch(); - const { rightOfCursor, textEntered, fullTextEntered } = useWithInputTextEntered(); + const { rightOfCursorText, leftOfCursorText, fullTextEntered, enteredCommand, parsedInput } = + useWithInputTextEntered(); const visibleState = useWithInputVisibleState(); - const [isKeyInputBeingCaptured, setIsKeyInputBeingCaptured] = useState(false); - const getTestId = useTestIdGenerator(useDataTestSubj()); const isPopoverOpen = !!useWithInputShowPopover(); - const [commandToExecute, setCommandToExecute] = useState(''); + + const [isKeyInputBeingCaptured, setIsKeyInputBeingCaptured] = useState(false); + const [commandToExecute, setCommandToExecute] = useState( + undefined + ); const [popoverWidth, setPopoverWidth] = useState('94vw'); const _focusRef: InputCaptureProps['focusRef'] = useRef(null); @@ -111,6 +123,10 @@ export const CommandInput = memo(({ prompt = '', focusRef, .. const disableArrowButton = useMemo(() => fullTextEntered.trim().length === 0, [fullTextEntered]); + const userInput = useMemo(() => { + return new EnteredInput(leftOfCursorText, rightOfCursorText, parsedInput, enteredCommand); + }, [enteredCommand, leftOfCursorText, parsedInput, rightOfCursorText]); + const handleOnResize = useCallback(({ width }) => { if (width > 0) { setPopoverWidth(`${width}px`); 
@@ -118,15 +134,12 @@ export const CommandInput = memo(({ prompt = '', focusRef, .. }, []); const handleSubmitButton = useCallback(() => { - setCommandToExecute(textEntered + rightOfCursor.text); - dispatch({ - type: 'updateInputTextEnteredState', - payload: { - textEntered: '', - rightOfCursor: undefined, - }, + setCommandToExecute({ + input: userInput.getFullText(true), + enteredCommand, + parsedInput, }); - }, [dispatch, textEntered, rightOfCursor.text]); + }, [enteredCommand, parsedInput, userInput]); const handleOnChangeFocus = useCallback>( (hasFocus) => { @@ -163,8 +176,18 @@ export const CommandInput = memo(({ prompt = '', focusRef, .. // Update the store with the updated text that was entered dispatch({ type: 'updateInputTextEnteredState', - payload: ({ textEntered: prevLeftOfCursor, rightOfCursor: prevRightOfCursor }) => { - let inputText = new EnteredInput(prevLeftOfCursor, prevRightOfCursor.text); + payload: ({ + leftOfCursorText: prevLeftOfCursor, + rightOfCursorText: prevRightOfCursor, + enteredCommand: prevEnteredCommand, + parsedInput: prevParsedInput, + }) => { + const inputText = new EnteredInput( + prevLeftOfCursor, + prevRightOfCursor, + prevParsedInput, + prevEnteredCommand + ); inputText.addValue(value ?? '', selection); @@ -181,8 +204,12 @@ export const CommandInput = memo(({ prompt = '', focusRef, .. // ENTER = Execute command and blank out the input area case 13: - setCommandToExecute(inputText.getFullText()); - inputText = new EnteredInput('', ''); + setCommandToExecute({ + input: inputText.getFullText(true), + enteredCommand: prevEnteredCommand as ConsoleDataState['input']['enteredCommand'], + parsedInput: prevParsedInput as ConsoleDataState['input']['parsedInput'], + }); + inputText.clear(); break; // ARROW LEFT 
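Review bot: In the ENTER branch (`case 13`) the payload passed to `setCommandToExecute` mixes two moments of state: `input` comes from `inputText.getFullText(true)` after `inputText.addValue(value ?? '', selection)` has run, while `enteredCommand` and `parsedInput` are the `prev*` values from before that call. If a key event can ever deliver ENTER together with a non-empty `value`, the text dispatched to `executeCommand` and its parsed form would disagree, so either derive all three from the same object or add a comment stating why they cannot diverge. The `as ConsoleDataState['input'][...]` casts on those two fields also hide whatever type mismatch exists between the updater's arguments and `ExecuteCommandPayload`, and narrowing the types would be safer than casting. The callback continues outside the hunk, and `EnteredInput` is not visible here, so this is inferred from the call order alone.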
@@ -207,8 +234,9 @@ export const CommandInput = memo(({ prompt = '', focusRef, .. } return { - textEntered: inputText.getLeftOfCursorText(), - rightOfCursor: { text: inputText.getRightOfCursorText() }, + leftOfCursorText: inputText.getLeftOfCursorText(), + rightOfCursorText: inputText.getRightOfCursorText(), + argState: inputText.getArgState(), }; }, }); @@ -219,8 +247,17 @@ export const CommandInput = memo(({ prompt = '', focusRef, .. // Execute the command if one was ENTER'd. useEffect(() => { if (commandToExecute) { - dispatch({ type: 'executeCommand', payload: { input: commandToExecute } }); - setCommandToExecute(''); + dispatch({ type: 'executeCommand', payload: commandToExecute }); + setCommandToExecute(undefined); + + // reset input + dispatch({ + type: 'updateInputTextEnteredState', + payload: { + leftOfCursorText: '', + rightOfCursorText: '', + }, + }); } }, [commandToExecute, dispatch]); @@ -248,17 +285,20 @@ export const CommandInput = memo(({ prompt = '', focusRef, .. onChangeFocus={handleOnChangeFocus} focusRef={focusRef} > - - -
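Review bot: The reset dispatched after `executeCommand` in the `useEffect` sends only `leftOfCursorText: ''` and `rightOfCursorText: ''`, whereas the key-capture updater in the previous hunk also returns `argState: inputText.getArgState()`. The reducer is not visible here, so it is unclear whether it discards argument selector state when the text is emptied. If it does not, values chosen for one command could still be in the store when the next one is typed. Either pass the cleared state explicitly in this payload or extend the comment, e.g. `// reset input (reducer also clears argState when text is empty)`.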
    {textEntered}
    + + + {userInput.getLeftOfCursorRenderingContent()} - -
    - {rightOfCursor.text} -
    + + {userInput.getRightOfCursorRenderingContent()}
    diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/argument_selector_wrapper.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/argument_selector_wrapper.tsx new file mode 100644 index 0000000000000..28a5a082c2903 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/argument_selector_wrapper.tsx 
@@ -0,0 +1,142 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { memo, useCallback } from 'react'; +import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; +import styled, { createGlobalStyle } from 'styled-components'; +import type { EuiTheme } from '@kbn/kibana-react-plugin/common'; +import { useConsoleStateDispatch } from '../../../hooks/state_selectors/use_console_state_dispatch'; +import { useWithCommandArgumentState } from '../../../hooks/state_selectors/use_with_command_argument_state'; +import type { CommandArgDefinition, CommandArgumentValueSelectorProps } from '../../../types'; + +const ArgumentSelectorWrapperContainer = styled.span` + user-select: none; + + .selectorContainer { + max-width: 25vw; + display: flex; + align-items: center; + height: 100%; + } +`; + +// FIXME:PT Delete below. 
Only here for DEV purposes +const DevUxStyles = createGlobalStyle<{ theme: EuiTheme }>` + + body { + + &.style1 .argSelectorWrapper { + .style1-hide { + display: none; + } + + .selectorContainer { + border: ${({ theme: { eui } }) => eui.euiBorderThin}; + border-radius: ${({ theme: { eui } }) => eui.euiBorderRadiusSmall}; + padding: 0 ${({ theme: { eui } }) => eui.euiSizeXS}; + } + } + + &.style2 { + .argSelectorWrapper { + border: ${({ theme: { eui } }) => eui.euiBorderThin}; + border-radius: ${({ theme: { eui } }) => eui.euiBorderRadiusSmall}; + overflow: hidden; + + & > .euiFlexGroup { + align-items: stretch; + } + + .style2-hide { + display: none; + } + + .argNameContainer { + background-color: ${({ theme: { eui } }) => eui.euiFormInputGroupLabelBackground}; + } + + .argName { + padding-left: ${({ theme: { eui } }) => eui.euiSizeXS}; + height: 100%; + display: flex; + align-items: center; + } + .selectorContainer { + padding: 0 ${({ theme: { eui } }) => eui.euiSizeXS}; + } + } + } + } +`; + +// Type to ensure that `SelectorComponent` is defined +type ArgDefinitionWithRequiredSelector = Omit & + Pick, 'SelectorComponent'>; + +export interface ArgumentSelectorWrapperProps { + argName: string; + argIndex: number; + argDefinition: ArgDefinitionWithRequiredSelector; +} + +/** + * handles displaying a custom argument value selector and manages its state + */ +export const ArgumentSelectorWrapper = memo( + ({ argName, argIndex, argDefinition: { SelectorComponent } }) => { + const dispatch = useConsoleStateDispatch(); + const { valueText, value, store } = useWithCommandArgumentState(argName, argIndex); + + const handleSelectorComponentOnChange = useCallback< + CommandArgumentValueSelectorProps['onChange'] + >( + (updates) => { + dispatch({ + type: 'updateInputCommandArgState', + payload: { + name: argName, + instance: argIndex, + state: updates, + }, + }); + }, + [argIndex, argName, dispatch] + ); + + return ( + + + +
    + {`--${argName}=`} + {'"'} +
    +
    + + {/* `div` below ensures that the `SelectorComponent` does NOT inherit the styles of a `flex` container */} +
    + +
    +
    + + {'"'} + +
    + + +
    + ); + } +); +ArgumentSelectorWrapper.displayName = 'ArgumentSelectorWrapper'; diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/command_input_history.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/command_input_history.tsx index fbb5b7360eddd..4e192a80d5b84 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/command_input_history.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/command_input_history.tsx @@ -43,7 +43,7 @@ export const CommandInputHistory = memo(() => { const selectableHistoryOptions = useMemo(() => { return inputHistory.map((inputItem, index) => { return { - label: inputItem.input, + label: inputItem.display, key: inputItem.id, data: inputItem, }; @@ -94,7 +94,13 @@ export const CommandInputHistory = memo(() => { dispatch({ type: 'updateInputPlaceholderState', payload: { placeholder: '' } }); if (selected) { - dispatch({ type: 'updateInputTextEnteredState', payload: { textEntered: selected.label } }); + dispatch({ + type: 'updateInputTextEnteredState', + payload: { + leftOfCursorText: (selected.data as InputHistoryItem).input, + rightOfCursorText: '', + }, + }); } dispatch({ type: 'addFocusToKeyCapture' }); 
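Review bot: `DevUxStyles` in the new argument_selector_wrapper.tsx sits under the comment `// FIXME:PT Delete below. Only here for DEV purposes`, yet it ships in this commit as a `createGlobalStyle` block keyed on `body.style1` / `body.style2`. Global rules hung on generic class names on `body` can collide with unrelated styling, and the `style1-hide` / `style2-hide` branches are dead weight once one variant is chosen. Either drop the block and the classes that depend on it before merge, or replace the FIXME with a tracked follow-up such as `// TODO(owner): remove DevUxStyles once the selector style is chosen (<ISSUE-ID placeholder>)`. The component's JSX is not legible in this view, so whether `DevUxStyles` is actually rendered could not be checked.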
@@ -124,15 +130,18 @@ export const CommandInputHistory = memo(() => { // unloads, if no option from the history was selected, then set the prior text // entered back useEffect(() => { - dispatch({ type: 'updateInputTextEnteredState', payload: { textEntered: '' } }); + dispatch({ + type: 'updateInputTextEnteredState', + payload: { leftOfCursorText: '', rightOfCursorText: '' }, + }); return () => { if (!optionWasSelected.current) { dispatch({ type: 'updateInputTextEnteredState', payload: { - textEntered: priorInputState.textEntered, - rightOfCursor: priorInputState.rightOfCursor, + leftOfCursorText: priorInputState.leftOfCursorText, + rightOfCursorText: priorInputState.rightOfCursorText, }, }); dispatch({ type: 'updateInputPlaceholderState', payload: { placeholder: '' } }); diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/input_placeholder.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/input_placeholder.tsx index 40775d5220eed..f0dde8fb95670 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/input_placeholder.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/components/input_placeholder.tsx @@ -19,6 +19,10 @@ const InputPlaceholderContainer = styled(EuiText)` padding-left: 0.5em; width: 96%; color: ${({ theme: { eui } }) => eui.euiFormControlPlaceholderText}; + user-select: none; + line-height: ${({ theme: { eui } }) => { + return `calc(${eui.euiLineHeight}em + 0.5em)`; + }}; `; export const InputPlaceholder = memo(() => { diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/hooks/use_input_hints.ts b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/hooks/use_input_hints.ts index 8d179708f3850..16abace42ad75 100644 
--- a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/hooks/use_input_hints.ts +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/hooks/use_input_hints.ts @@ -38,7 +38,7 @@ export const useInputHints = () => { const isInputPopoverOpen = Boolean(useWithInputShowPopover()); const commandEntered = useWithInputCommandEntered(); const commandList = useWithCommandList(); - const { textEntered } = useWithInputTextEntered(); + const { leftOfCursorText } = useWithInputTextEntered(); const commandEnteredDefinition = useMemo(() => { if (commandEntered) { @@ -105,10 +105,10 @@ export const useInputHints = () => { dispatch({ type: 'updateFooterContent', payload: { - value: textEntered || isInputPopoverOpen ? '' : UP_ARROW_ACCESS_HISTORY_HINT, + value: leftOfCursorText || isInputPopoverOpen ? '' : UP_ARROW_ACCESS_HISTORY_HINT, }, }); dispatch({ type: 'setInputState', payload: { value: undefined } }); } - }, [commandEntered, commandEnteredDefinition, dispatch, isInputPopoverOpen, textEntered]); + }, [commandEntered, commandEnteredDefinition, dispatch, isInputPopoverOpen, leftOfCursorText]); }; diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/integration_tests/command_input.test.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/integration_tests/command_input.test.tsx index 54b8a487d2e09..028c4874c1cd6 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/integration_tests/command_input.test.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/integration_tests/command_input.test.tsx 
@@ -463,4 +463,39 @@ describe('When entering data into the Console input', () => { expect(getRightOfCursorText()).toEqual(''); }); }); + + describe('and a command argument has a value SelectorComponent defined', () => { + it('should insert Selector component when argument name is used', async () => { + render(); + enterCommand('cmd7 --foo', { inputOnly: true }); + + expect(getLeftOfCursorText()).toEqual('cmd7 --foo="foo[0]: foo selected"'); + }); + + it('should support using argument multiple times (allowMultiples: true)', async () => { + render(); + enterCommand('cmd7 --foo --foo', { inputOnly: true }); + + expect(getLeftOfCursorText()).toEqual( + 'cmd7 --foo="foo[0]: foo selected" --foo="foo[1]: foo selected"' + ); + }); + + it(`should remove entire argument if BACKSPACE key is pressed`, async () => { + render(); + enterCommand('cmd7 --foo', { inputOnly: true }); + typeKeyboardKey('{backspace}'); + + expect(getLeftOfCursorText()).toEqual('cmd7 '); + }); + + it(`should remove entire argument if DELETE key is pressed`, async () => { + render(); + enterCommand('cmd7 --foo', { inputOnly: true }); + typeKeyboardKey('{ArrowLeft}'); + typeKeyboardKey('{Delete}'); + + expect(getLeftOfCursorText()).toEqual('cmd7 '); + }); + }); }); diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.test.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.test.tsx new file mode 100644 index 0000000000000..fa313293d4746 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.test.tsx 
@@ -0,0 +1,322 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EnteredInput } from './entered_input'; +import { parseCommandInput } from '../../../service/parsed_command_input'; +import type { CommandDefinition } from '../../..'; +import { getCommandListMock } from '../../../mocks'; +import type { EnteredCommand } from '../../console_state/types'; + +describe('When using `EnteredInput` class', () => { + let enteredInput: EnteredInput; + let commandDefinition: CommandDefinition; + + const createEnteredInput = ( + leftOfCursorText: string = 'cmd1 --comment="hello"', + rightOfCursorText: string = '', + commandDef: CommandDefinition | undefined = commandDefinition, + argValueSelectorState: EnteredCommand['argState'] = {} + ): EnteredInput => { + const parsedInput = parseCommandInput(leftOfCursorText + rightOfCursorText); + const enteredCommand: EnteredCommand | undefined = commandDef + ? 
{ + commandDefinition: commandDef, + argState: argValueSelectorState, + argsWithValueSelectors: undefined, + } + : undefined; + + enteredInput = new EnteredInput( + leftOfCursorText, + rightOfCursorText, + parsedInput, + enteredCommand + ); + + return enteredInput; + }; + + beforeEach(() => { + commandDefinition = getCommandListMock().find((def) => def.name === 'cmd1')!; + }); + + it('should clear input when calling `clear()`', () => { + createEnteredInput('cmd1 --comment="', 'hello"'); + + expect(enteredInput.getFullText()).toEqual('cmd1 --comment="hello"'); + + enteredInput.clear(); + + expect(enteredInput.getFullText()).toEqual(''); + }); + + it.each([ + { + leftInput: 'cmd1 --comment="', + rightInput: '', + valueToAdd: 'n', + leftExpected: 'cmd1 --comment="n', + rightExpected: '', + }, + { + leftInput: 'cmd1 --comment="', + rightInput: '"', + valueToAdd: 'n', + leftExpected: 'cmd1 --comment="n', + rightExpected: '"', + }, + { + leftInput: '', + rightInput: 'cmd1 --comment=""', + valueToAdd: 'n', + leftExpected: 'n', + rightExpected: 'cmd1 --comment=""', + }, + ])( + 'Should add [$valueToAdd] to command left=[$leftInput] right=[$rightInput]', + ({ leftInput, rightInput, valueToAdd, leftExpected, rightExpected }) => { + createEnteredInput(leftInput, rightInput); + enteredInput.addValue(valueToAdd); + + expect(enteredInput.getLeftOfCursorText()).toEqual(leftExpected); + expect(enteredInput.getRightOfCursorText()).toEqual(rightExpected); + } + ); + + it.each([ + // Cursor at the end + + // Cursor at the start + { + leftInput: '', + rightInput: 'cmd1 --comment="hello"', + valueToAdd: 'n', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="n', + rightExpected: '"', + }, + // Cursor in the middle with replacement value on the right + { + leftInput: 'cmd1 --comment', + rightInput: '="hello"', + valueToAdd: 'n', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="n', + rightExpected: '"', + }, + // Cursor in the middle right between the replacement 
value + { + leftInput: 'cmd1 --comment="he', + rightInput: 'llo"', + valueToAdd: 'n', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="n', + rightExpected: '"', + }, + // Cursor at the end of the value that will be replaced + { + leftInput: 'cmd1 --comment="hello', + rightInput: '"', + valueToAdd: 'n', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="n', + rightExpected: '"', + }, + // Cursor at the start of the value that will be replaced + { + leftInput: 'cmd1 --comment="', + rightInput: 'hello"', + valueToAdd: 'n', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="n', + rightExpected: '"', + }, + ])( + 'Should replace (via `.addValue()`) [$valueToReplace] with [$valueToAdd] on command left=[$leftInput] right=[$rightInput]', + ({ leftInput, rightInput, valueToAdd, valueToReplace, rightExpected, leftExpected }) => { + createEnteredInput(leftInput, rightInput); + enteredInput.addValue(valueToAdd, valueToReplace); + + expect(enteredInput.getLeftOfCursorText()).toEqual(leftExpected); + expect(enteredInput.getRightOfCursorText()).toEqual(rightExpected); + } + ); + + it.each([ + { + leftInput: 'cmd1 --comment="', + rightInput: 'hello"', + direction: 'left', + leftExpected: 'cmd1 --comment=', + rightExpected: '"hello"', + }, + { + leftInput: 'cmd1 --comment="', + rightInput: 'hello"', + direction: 'right', + leftExpected: 'cmd1 --comment="h', + rightExpected: 'ello"', + }, + { + leftInput: 'cmd1 --comment="', + rightInput: 'hello"', + direction: 'end', + leftExpected: 'cmd1 --comment="hello"', + rightExpected: '', + }, + { + leftInput: 'cmd1 --comment="', + rightInput: 'hello"', + direction: 'home', + leftExpected: '', + rightExpected: 'cmd1 --comment="hello"', + }, + ])( + 'should move cursor $direction', + ({ leftInput, rightInput, direction, leftExpected, rightExpected }) => { + createEnteredInput(leftInput, rightInput); + enteredInput.moveCursorTo(direction as Parameters[0]); + + 
expect(enteredInput.getLeftOfCursorText()).toEqual(leftExpected); + expect(enteredInput.getRightOfCursorText()).toEqual(rightExpected); + } + ); + + it.each([ + { + leftInput: 'cmd1 --comment="hello"', + rightInput: '', + leftExpected: 'cmd1 --comment="hello"', + rightExpected: '', + }, + { + leftInput: '', + rightInput: 'cmd1 --comment="hello"', + leftExpected: '', + rightExpected: 'md1 --comment="hello"', + }, + { + leftInput: 'cmd1 --comment="h', + rightInput: 'ello"', + leftExpected: 'cmd1 --comment="h', + rightExpected: 'llo"', + }, + ])( + 'should remove expected character using `deleteChar()` when command is left=[$leftInput] right=[$rightInput]', + ({ leftInput, rightInput, leftExpected, rightExpected }) => { + createEnteredInput(leftInput, rightInput); + + enteredInput.deleteChar(); + + expect(enteredInput.getLeftOfCursorText()).toEqual(leftExpected); + expect(enteredInput.getRightOfCursorText()).toEqual(rightExpected); + } + ); + + it.each([ + { + leftInput: 'cmd1 --comment="hello"', + rightInput: '', + leftExpected: 'cmd1 --comment="hello', + rightExpected: '', + }, + { + leftInput: '', + rightInput: 'cmd1 --comment="hello"', + leftExpected: '', + rightExpected: 'cmd1 --comment="hello"', + }, + { + leftInput: 'cmd1 --comment="h', + rightInput: 'ello"', + leftExpected: 'cmd1 --comment="', + rightExpected: 'ello"', + }, + ])( + 'should remove expected character using `backspaceChar()` when command is left=[$leftInput] right=[$rightInput]', + ({ leftInput, rightInput, leftExpected, rightExpected }) => { + createEnteredInput(leftInput, rightInput); + + enteredInput.backspaceChar(); + + expect(enteredInput.getLeftOfCursorText()).toEqual(leftExpected); + expect(enteredInput.getRightOfCursorText()).toEqual(rightExpected); + } + ); + + describe.each(['deleteChar', 'backspaceChar'])( + 'and using %s with text selected', + (methodName) => { + it.each([ + { + leftInput: 'cmd1 --comment="hello"', + rightInput: '', + valueToReplace: 'hello', + leftExpected: 'cmd1 
--comment="', + rightExpected: '"', + }, + // Cursor at the start + { + leftInput: '', + rightInput: 'cmd1 --comment="hello"', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="', + rightExpected: '"', + }, + // Cursor in the middle with replacement value on the right + { + leftInput: 'cmd1 --comment', + rightInput: '="hello"', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="', + rightExpected: '"', + }, + // Cursor in the middle right between the replacement value + { + leftInput: 'cmd1 --comment="he', + rightInput: 'llo"', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="', + rightExpected: '"', + }, + // Cursor at the end of the value that will be replaced + { + leftInput: 'cmd1 --comment="hello', + rightInput: '"', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="', + rightExpected: '"', + }, + // Cursor at the start of the value that will be replaced + { + leftInput: 'cmd1 --comment="', + rightInput: 'hello"', + valueToReplace: 'hello', + leftExpected: 'cmd1 --comment="', + rightExpected: '"', + }, + ])( + 'Should remove selection [$valueToReplace] (via `.deleteChr()`) from command left=[$leftInput] right=[$rightInput]', + ({ leftInput, rightInput, valueToReplace, rightExpected, leftExpected }) => { + createEnteredInput(leftInput, rightInput); + + switch (methodName) { + case 'deleteChar': + enteredInput.deleteChar(valueToReplace); + break; + case 'backspaceChar': + enteredInput.backspaceChar(valueToReplace); + break; + } + + expect(enteredInput.getLeftOfCursorText()).toEqual(leftExpected); + expect(enteredInput.getRightOfCursorText()).toEqual(rightExpected); + } + ); + } + ); +}); diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.ts b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.ts deleted file mode 100644 index bf809c9bee885..0000000000000 
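Review bot: None of the cases in this file reach the argument-selector code paths, because `createEnteredInput` always builds the `EnteredCommand` with `argsWithValueSelectors: undefined`. That leaves the selector branch of the `EnteredInput` constructor, `removeArgState`, and the offset adjustment in `replaceSelection` uncovered here. The replace and delete tables also use only a selection (`hello`) that occurs once in the input, and the `// Cursor at the end` comment in the `addValue` replacement table has no case under it. I would add a case built from a command definition that has value selectors, and one where the selected text appears twice (for example `leftInput: 'cmd1 --comment="hello hello'`, `rightInput: '"'`), with the expected result decided explicitly. The title of the last table says `.deleteChr()` although it runs for both `deleteChar` and `backspaceChar`.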
--- a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.ts +++ /dev/null 
@@ -1,98 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/** - * Class that manages the command entered and how that is displayed to the left and right of the cursor - */ -export class EnteredInput { - constructor(private leftOfCursorText: string, private rightOfCursorText: string) {} - - private replaceSelection(selection: string, newValue: string) { - const prevFullTextEntered = this.leftOfCursorText + this.rightOfCursorText; - - this.leftOfCursorText = - prevFullTextEntered.substring(0, prevFullTextEntered.indexOf(selection)) + newValue; - - this.rightOfCursorText = prevFullTextEntered.substring( - prevFullTextEntered.indexOf(selection) + selection.length - ); - } - - getLeftOfCursorText(): string { - return this.leftOfCursorText; - } - - getRightOfCursorText(): string { - return this.rightOfCursorText; - } - - getFullText(): string { - return this.leftOfCursorText + this.rightOfCursorText; - } - - moveCursorTo(direction: 'left' | 'right' | 'end' | 'home') { - switch (direction) { - case 'end': - this.leftOfCursorText = this.leftOfCursorText + this.rightOfCursorText; - this.rightOfCursorText = ''; - break; - - case 'home': - this.rightOfCursorText = this.leftOfCursorText + this.rightOfCursorText; - this.leftOfCursorText = ''; - break; - - case 'left': - if (this.leftOfCursorText.length) { - // Add last character on the left, to the right side of the cursor - this.rightOfCursorText = - this.leftOfCursorText.charAt(this.leftOfCursorText.length - 1) + this.rightOfCursorText; - - // Remove the last character from the left (it's now on the right side of cursor) - this.leftOfCursorText = this.leftOfCursorText.substring( - 0, - this.leftOfCursorText.length - 1 - ); - } - break; - - case 'right': - if (this.rightOfCursorText.length) { - // MOve the 
first character from the Right side, to the left side of the cursor - this.leftOfCursorText = this.leftOfCursorText + this.rightOfCursorText.charAt(0); - - // Remove the first character from the Right side of the cursor (now on the left) - this.rightOfCursorText = this.rightOfCursorText.substring(1); - } - break; - } - } - - addValue(value: string, replaceSelection: string = '') { - if (replaceSelection.length && value.length) { - this.replaceSelection(replaceSelection, value); - } else { - this.leftOfCursorText += value; - } - } - - deleteChar(replaceSelection: string = '') { - if (replaceSelection) { - this.replaceSelection(replaceSelection, ''); - } else if (this.rightOfCursorText) { - this.rightOfCursorText = this.rightOfCursorText.substring(1); - } - } - - backspaceChar(replaceSelection: string = '') { - if (replaceSelection) { - this.replaceSelection(replaceSelection, ''); - } else if (this.leftOfCursorText) { - this.leftOfCursorText = this.leftOfCursorText.substring(0, this.leftOfCursorText.length - 1); - } - } -} diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.tsx new file mode 100644 index 0000000000000..f6a1b67233355 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_input/lib/entered_input.tsx 
@@ -0,0 +1,295 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { ReactNode } from 'react'; +import React from 'react'; +import type { ArgumentSelectorWrapperProps } from '../components/argument_selector_wrapper'; +import { ArgumentSelectorWrapper } from '../components/argument_selector_wrapper'; +import type { ParsedCommandInterface } from '../../../service/types'; +import type { ArgSelectorState, EnteredCommand } from '../../console_state/types'; + +interface InputCharacter { + value: string; + renderValue: ReactNode; + isArgSelector: boolean; + argName: string; + argIndex: number; // zero based + argState: undefined | ArgSelectorState; +} + +const createInputCharacter = (overrides: Partial = {}): InputCharacter => { + return { + value: '', + renderValue: null, + isArgSelector: false, + argName: '', + argIndex: 0, + argState: undefined, + ...overrides, + }; +}; + +const getInputCharacters = (input: string): InputCharacter[] => { + return input.split('').map((char) => { + return createInputCharacter({ + value: char, + renderValue: char, + }); + }); +}; + +const toReactJsxFragment = (prefix: string, item: InputCharacter, index: number) => { + return {item.renderValue}; +}; + +const toInputCharacterDisplayString = ( + includeArgSelectorValues: boolean, + item: InputCharacter +): string => { + let response = item.value; + + if (includeArgSelectorValues && item.isArgSelector) { + response += `="${item.argState?.valueText ?? 
''}"`; + } + + return response; +}; + +/** + * Class that manages the command entered and how that is displayed to the left and right of the cursor + */ +export class EnteredInput { + private leftOfCursorContent: InputCharacter[]; + private rightOfCursorContent: InputCharacter[]; + private canHaveArgValueSelectors: boolean; + private argState: undefined | EnteredCommand['argState']; + + constructor( + leftOfCursorText: string, + rightOfCursorText: string, + parsedInput: ParsedCommandInterface, + enteredCommand: undefined | EnteredCommand + ) { + this.leftOfCursorContent = getInputCharacters(leftOfCursorText); + this.rightOfCursorContent = getInputCharacters(rightOfCursorText); + + this.canHaveArgValueSelectors = Boolean(enteredCommand?.argsWithValueSelectors); + + // Determine if any argument value selector should be inserted + if (parsedInput.hasArgs && enteredCommand && enteredCommand.argsWithValueSelectors) { + this.argState = enteredCommand.argState; + + const inputPieces = [ + { + input: leftOfCursorText, + items: this.leftOfCursorContent, + }, + { + input: rightOfCursorText, + items: this.rightOfCursorContent, + }, + ]; + + for (const [argName, argDef] of Object.entries(enteredCommand.argsWithValueSelectors)) { + // If the argument has been used, then replace it with the Arguments Selector + if (parsedInput.hasArg(argName)) { + let argIndex = 0; + + // Loop through the input pieces (left and right side of cursor) looking for the Argument name + for (const { input, items } of inputPieces) { + const argNameMatch = `--${argName}`; + let pos = input.indexOf(argNameMatch); + + while (pos > -1) { + const argChrLength = argNameMatch.length; + const replaceValues: InputCharacter[] = Array.from( + { length: argChrLength }, + createInputCharacter + ); + const argState = enteredCommand.argState[argName]?.at(argIndex); + + replaceValues[0] = createInputCharacter({ + value: argNameMatch, + renderValue: ( + + ), + isArgSelector: true, + argName, + argIndex: argIndex++, + 
argState, + }); + + items.splice(pos, argChrLength, ...replaceValues); + + pos = input.indexOf(argNameMatch, pos + argChrLength); + } + } + } + } + + // Remove all empty characters (created as a result of inserting any Argument Selector components) + this.leftOfCursorContent = this.leftOfCursorContent.filter(({ value }) => value.length > 0); + this.rightOfCursorContent = this.rightOfCursorContent.filter(({ value }) => value.length > 0); + } + } + + private replaceSelection(selection: string, newValue: string) { + const prevFullTextEntered = this.getFullText(); + const newValueContent = newValue ? createInputCharacter({ value: newValue }) : undefined; + let start = prevFullTextEntered.indexOf(selection); + + const fullContent = [...this.leftOfCursorContent, ...this.rightOfCursorContent]; + + // Adjust the `start` to account for arguments that have value selectors. + // These arguments, are stored in the `fullContent` array as one single array item instead of + // one per-character. The adjustment needs to be done only if the argument appears to the left + // of the selection + if (this.canHaveArgValueSelectors) { + fullContent.forEach((inputCharacter, index) => { + if (inputCharacter.isArgSelector && index < start) { + start = start - (inputCharacter.value.length - 1); + } + }); + } + + const removedChars = fullContent.splice(start, selection.length); + + if (newValueContent) { + fullContent.splice(start, 0, newValueContent); + start++; + } + + this.leftOfCursorContent = fullContent.splice(0, start); + this.rightOfCursorContent = fullContent; + this.removeArgState(removedChars); + } + + private removeArgState(argStateList: InputCharacter[]) { + if (this.argState) { + let argStateWasAdjusted = false; + const newArgState = { ...this.argState }; + + for (const { argName, argIndex, isArgSelector } of argStateList) { + if (isArgSelector && newArgState[argName]?.at(argIndex)) { + newArgState[argName] = newArgState[argName].filter((_, index) => { + return index !== 
argIndex; + }); + argStateWasAdjusted = true; + } + } + + if (argStateWasAdjusted) { + this.argState = newArgState; + } + } + } + + getLeftOfCursorText(includeArgSelectorValues: boolean = false): string { + return this.leftOfCursorContent + .map(toInputCharacterDisplayString.bind(null, includeArgSelectorValues)) + .join(''); + } + + getRightOfCursorText(includeArgSelectorValues: boolean = false): string { + return this.rightOfCursorContent + .map(toInputCharacterDisplayString.bind(null, includeArgSelectorValues)) + .join(''); + } + + getFullText(includeArgSelectorValues: boolean = false): string { + return ( + this.getLeftOfCursorText(includeArgSelectorValues) + + this.getRightOfCursorText(includeArgSelectorValues) + ); + } + + getLeftOfCursorRenderingContent(): ReactNode { + return <>{this.leftOfCursorContent.map(toReactJsxFragment.bind(null, 'left'))}; + } + + getRightOfCursorRenderingContent(): ReactNode { + return <>{this.rightOfCursorContent.map(toReactJsxFragment.bind(null, 'right'))}; + } + + getArgState(): undefined | EnteredCommand['argState'] { + return this.argState; + } + + moveCursorTo(direction: 'left' | 'right' | 'end' | 'home') { + switch (direction) { + case 'end': + this.leftOfCursorContent.push(...this.rightOfCursorContent.splice(0)); + break; + + case 'home': + this.rightOfCursorContent.unshift(...this.leftOfCursorContent.splice(0)); + break; + + case 'left': + if (this.leftOfCursorContent.length) { + const itemToMove = this.leftOfCursorContent.pop(); + + if (itemToMove) { + this.rightOfCursorContent.unshift(itemToMove); + } + } + break; + + case 'right': + if (this.rightOfCursorContent.length) { + const itemToMove = this.rightOfCursorContent.shift(); + + if (itemToMove) { + this.leftOfCursorContent.push(itemToMove); + } + } + break; + } + } + + addValue(value: string, replaceSelection: string = '') { + if (replaceSelection.length && value.length) { + this.replaceSelection(replaceSelection, value); + } else if (value) { + 
this.leftOfCursorContent.push(createInputCharacter({ value })); + } + } + + deleteChar(replaceSelection: string = '') { + if (replaceSelection) { + this.replaceSelection(replaceSelection, ''); + } else { + const removedChar = this.rightOfCursorContent.shift(); + + if (removedChar?.isArgSelector) { + this.removeArgState([removedChar]); + } + } + } + + backspaceChar(replaceSelection: string = '') { + if (replaceSelection) { + this.replaceSelection(replaceSelection, ''); + } else { + const removedChar = this.leftOfCursorContent.pop(); + + if (removedChar?.isArgSelector) { + this.removeArgState([removedChar]); + } + } + } + + clear() { + this.leftOfCursorContent = []; + this.rightOfCursorContent = []; + this.argState = undefined; + } +} diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/command_list.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/command_list.tsx index 83c5df7397daa..854c66dcc27d7 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/command_list.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/command_list.tsx @@ -124,7 +124,8 @@ export const CommandList = memo(({ commands, display = 'defaul type: 'updateInputTextEnteredState', payload: () => { return { - textEntered: text, + leftOfCursorText: text, + rightOfCursorText: '', }; }, }); diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/hooks/use_stored_input_history.ts b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/hooks/use_stored_input_history.ts index 8a9249b3dc01f..a1614f2b36683 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/hooks/use_stored_input_history.ts 
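Review bot: The `EnteredInput` constructor locates selector arguments with `input.indexOf(argNameMatch)` on the raw text of each side of the cursor, with no token-boundary check. An argument named `foo` therefore also matches the start of `--foobar`, or a `--foo` typed inside a quoted value. `parsedInput.hasArg(argName)` only says the argument exists somewhere, so the text shown and the `argIndex` given to each selector can drift from what was parsed. I would accept a match only when it is a whole token, e.g. `const next = input.charAt(pos + argChrLength); if (next !== '' && !/[\s=]/.test(next)) { pos = input.indexOf(argNameMatch, pos + 1); continue; }`, plus the same test on the preceding character. Separately, `removeArgState` filters `newArgState[argName]` by the original `argIndex` inside the loop, so once one entry is removed the later indexes of the same argument have shifted; collecting the indexes per argument and filtering once would avoid that. `replaceSelection` still uses the first `indexOf(selection)`, and a selection that is not found gives `start === -1`, which `splice` treats as the last element.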
+++ b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/hooks/use_stored_input_history.ts @@ -17,10 +17,12 @@ interface InputHistoryOfflineStorage { const COMMAND_INPUT_HISTORY_KEY = 'commandInputHistory'; /** - * The current version of the input history offline storage. Will help in the future - * if we ever need to "migrate" stored data to a new format + * The current version of the input history offline storage. + * + * NOTE: Changes to this value will likely require some migration to be added + * to `migrateHistoryData()` down below. */ -const CURRENT_VERSION = 1; +const CURRENT_VERSION = 2; const getDefaultInputHistoryStorage = (): InputHistoryOfflineStorage => { return { @@ -41,6 +43,10 @@ export const useStoredInputHistory = ( `${storagePrefix}.${COMMAND_INPUT_HISTORY_KEY}` ) as InputHistoryOfflineStorage) ?? getDefaultInputHistoryStorage(); + if (storedData.version !== CURRENT_VERSION) { + migrateHistoryData(storedData); + } + return storedData.data; } @@ -69,3 +75,19 @@ export const useSaveInputHistoryToStorage = ( [storage, storagePrefix] ); }; + +const migrateHistoryData = (storedData: InputHistoryOfflineStorage) => { + const { data, version } = storedData; + + for (const historyItem of data) { + // ------------------------------------------- + // V2: + // - adds `display` property + // ------------------------------------------- + if (version < 2) { + historyItem.display = historyItem.input; + } + } + + storedData.version = CURRENT_VERSION; +}; diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_reducer.ts b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_reducer.ts index d6c6161da3300..407ae37e2377c 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_reducer.ts 
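Review bot: `migrateHistoryData` stamps `storedData.version = CURRENT_VERSION` for every stored value that differs from it, but its only migration step is guarded by `version < 2`. That guard is false when the stored `version` is missing (`undefined < 2`) and when it is higher than the current one, so such entries are marked current without getting `display`. The object comes from storage through an `as InputHistoryOfflineStorage` cast, so its shape is not checked, and a `data` value that is not an array makes the `for...of` throw. I would guard with `if (typeof version !== 'number' || version < 2)` and fall back to `getDefaultInputHistoryStorage()` when `Array.isArray(data)` is false. A short doc comment should also say that the function mutates `storedData` in place, and whether the migrated result is written back to storage, which is not visible in this hunk.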
+++ b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_reducer.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { parseCommandInput } from '../../service/parsed_command_input'; import { handleInputAreaState, INPUT_DEFAULT_PLACEHOLDER_TEXT, @@ -31,16 +32,17 @@ export const initiateState = ( managedConsolePriorState?: ConsoleDataState ): ConsoleDataState => { const commands = getBuiltinCommands().concat(userCommandList); - const state = managedConsolePriorState ?? { + const state: ConsoleDataState = managedConsolePriorState ?? { commands, ...otherOptions, commandHistory: [], sidePanel: { show: null }, footerContent: '', input: { - textEntered: '', - rightOfCursor: { text: '' }, - commandEntered: '', + leftOfCursorText: '', + rightOfCursorText: '', + parsedInput: parseCommandInput(''), + enteredCommand: undefined, placeholder: INPUT_DEFAULT_PLACEHOLDER_TEXT, showPopover: undefined, history: [], @@ -102,6 +104,7 @@ export const stateDataReducer: ConsoleStoreReducer = (state, action) => { case 'updateInputTextEnteredState': case 'updateInputPlaceholderState': case 'setInputState': + case 'updateInputCommandArgState': newState = handleInputAreaState(state, action); break; diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_execute_command.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_execute_command.tsx index 764e7377a497c..94b8c07059f42 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_execute_command.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_execute_command.tsx 
@@ -5,13 +5,10 @@ * 2.0. */ -// FIXME:PT breakup module in order to avoid turning off eslint rule below -/* eslint-disable complexity */ - -import { i18n } from '@kbn/i18n'; import { v4 as uuidV4 } from 'uuid'; import React from 'react'; -import { FormattedMessage } from '@kbn/i18n-react'; +import { executionTranslations } from './translations'; +import type { ParsedCommandInterface } from '../../../service/types'; import { ConsoleCodeBlock } from '../../console_code_block'; import { handleInputAreaState } from './handle_input_area_state'; import { HelpCommandArgument } from '../../builtin_commands/help_command_argument'; @@ -21,8 +18,6 @@ import type { ConsoleDataState, ConsoleStoreReducer, } from '../types'; -import type { ParsedCommandInterface } from '../../../service/parsed_command_input'; -import { parseCommandInput } from '../../../service/parsed_command_input'; import { UnknownCommand } from '../../unknown_comand'; import { BadArgument } from '../../bad_argument'; import { ValidationError } from '../../validation_error'; @@ -76,7 +71,10 @@ const updateStateWithNewCommandHistoryItem = ( ): ConsoleDataState => { const updatedState = handleInputAreaState(state, { type: 'updateInputHistoryState', - payload: { command: newHistoryItem.command.input }, + payload: { + command: newHistoryItem.command.input, + display: newHistoryItem.command.inputDisplay, + }, }); updatedState.commandHistory = [...state.commandHistory, newHistoryItem]; 
@@ -131,16 +129,13 @@ const createCommandHistoryEntry = ( export const handleExecuteCommand: ConsoleStoreReducer< ConsoleDataAction & { type: 'executeCommand' } > = (state, action) => { - const parsedInput = parseCommandInput(action.payload.input); + const { parsedInput, enteredCommand, input: fullInputText } = action.payload; if (parsedInput.name === '') { return state; } - const { commands } = state; - const commandDefinition: CommandDefinition | undefined = commands.find( - (definition) => definition.name === parsedInput.name - ); + const commandDefinition: CommandDefinition | undefined = enteredCommand?.commandDefinition; // Unknown command if (!commandDefinition) { @@ -149,6 +144,7 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandHistoryEntry( { input: parsedInput.input, + inputDisplay: fullInputText, args: parsedInput, commandDefinition: { ...UnknownCommandDefinition, @@ -161,28 +157,17 @@ export const handleExecuteCommand: ConsoleStoreReducer< ); } - const command = { + const command: Command = { input: parsedInput.input, + inputDisplay: fullInputText, args: parsedInput, commandDefinition, }; const requiredArgs = getRequiredArguments(commandDefinition.args); const exclusiveOrArgs = getExclusiveOrArgs(commandDefinition.args); - const exclusiveOrErrorMessage = ( - - - {exclusiveOrArgs.map(toCliArgumentOption).join(', ')} - - ), - }} - /> - + const exclusiveOrErrorMessage = executionTranslations.onlyOneFromExclusiveOr( + exclusiveOrArgs.map(toCliArgumentOption).join(', ') ); // If args were entered, then validate them 
@@ -235,12 +220,7 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandHistoryEntry( cloneCommandDefinitionWithNewRenderComponent(command, BadArgument), createCommandExecutionState({ - errorMessage: i18n.translate( - 'xpack.securitySolution.console.commandValidation.noArgumentsSupported', - { - defaultMessage: 'Command does not support any arguments', - } - ), + errorMessage: executionTranslations.NO_ARGUMENTS_SUPPORTED, }), false ) @@ -256,26 +236,10 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandHistoryEntry( cloneCommandDefinitionWithNewRenderComponent(command, BadArgument), createCommandExecutionState({ - errorMessage: ( - - - {parsedInput.name} - - ), - unknownArgs: ( - - {unknownInputArgs.map(toCliArgumentOption).join(', ')} - - ), - }} - /> - + errorMessage: executionTranslations.unknownArgument( + unknownInputArgs.length, + parsedInput.name, + unknownInputArgs.map(toCliArgumentOption).join(', ') ), }), false @@ -294,15 +258,7 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandExecutionState({ errorMessage: ( - {i18n.translate( - 'xpack.securitySolution.console.commandValidation.missingRequiredArg', - { - defaultMessage: 'Missing required argument: {argName}', - values: { - argName: toCliArgumentOption(requiredArg), - }, - } - )} + {executionTranslations.missingRequiredArg(requiredArg)} ), }), @@ -341,15 +297,7 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandExecutionState({ errorMessage: ( - - {i18n.translate( - 'xpack.securitySolution.console.commandValidation.unsupportedArg', - { - defaultMessage: 'Unsupported argument: {argName}', - values: { argName: toCliArgumentOption(argName) }, - } - )} - + {executionTranslations.unsupportedArg(argName)} ), }), false 
@@ -366,13 +314,7 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandExecutionState({ errorMessage: ( - {i18n.translate( - 'xpack.securitySolution.console.commandValidation.argSupportedOnlyOnce', - { - defaultMessage: 'Argument can only be used once: {argName}', - values: { argName: toCliArgumentOption(argName) }, - } - )} + {executionTranslations.noMultiplesAllowed(argName)} ), }), 
@@ -381,6 +323,70 @@ export const handleExecuteCommand: ConsoleStoreReducer< ); } + if (argDefinition.mustHaveValue !== undefined && argDefinition.mustHaveValue !== false) { + let dataValidationError = ''; + + if (argInput.length === 0) { + dataValidationError = executionTranslations.mustHaveValue(argName); + } else { + argInput.some((argValue, index) => { + switch (argDefinition.mustHaveValue) { + case true: + case 'non-empty-string': + if (typeof argValue === 'boolean') { + dataValidationError = executionTranslations.mustHaveValue(argName); + } else if ( + argDefinition.mustHaveValue === 'non-empty-string' && + argValue.trim().length === 0 + ) { + dataValidationError = executionTranslations.mustHaveValue(argName); + } + break; + + case 'number': + case 'number-greater-than-zero': + { + const valueNumber = Number(argValue); + + if (!Number.isSafeInteger(valueNumber)) { + dataValidationError = executionTranslations.mustBeNumber(argName); + } else { + if (argDefinition.mustHaveValue === 'number-greater-than-zero') { + if (valueNumber <= 0) { + dataValidationError = executionTranslations.mustBeGreaterThanZero(argName); + } + } + } + + // If no errors, then update (mutate) the value so that correct + // format reaches the execution component + if (!dataValidationError) { + argInput[index] = valueNumber; + } + } + break; + } + + return !!dataValidationError; + }); + } + + if (dataValidationError) { + return updateStateWithNewCommandHistoryItem( + state, + createCommandHistoryEntry( + cloneCommandDefinitionWithNewRenderComponent(command, BadArgument), + + createCommandExecutionState({ + errorMessage: {dataValidationError}, + }), + false + ) + ); + } + } + + // Call validation callback if one was defined for the argument if (argDefinition.validate) { const validationResult = argDefinition.validate(argInput); 
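Review bot: In the `'number'` / `'number-greater-than-zero'` case, `Number(argValue)` runs before any type or emptiness check. The `true` case above shows `argValue` can be a boolean, so an argument given without a value converts to `1`, and an empty or whitespace-only string converts to `0`. Both pass `Number.isSafeInteger`, and the first also passes the greater-than-zero test; forms such as `0x10` or `1e3` are accepted the same way. Assuming values here are only strings or booleans (the types are not visible), I would reject before converting: `if (typeof argValue !== 'string' || !/^-?\d+$/.test(argValue.trim())) { dataValidationError = executionTranslations.mustBeNumber(argName); }`. The case also writes `argInput[index] = valueNumber` into the parsed input that arrived in the action payload, which deserves a doc note on the payload type or a copy, since reducers are normally expected not to mutate their inputs. `handleExecuteCommand` starts and ends outside this hunk.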
@@ -392,13 +398,7 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandExecutionState({ errorMessage: ( - {i18n.translate( - 'xpack.securitySolution.console.commandValidation.invalidArgValue', - { - defaultMessage: 'Invalid argument value: {argName}. {error}', - values: { argName: toCliArgumentOption(argName), error: validationResult }, - } - )} + {executionTranslations.argValueValidatorError(argName, validationResult)} ), }), @@ -416,14 +416,9 @@ export const handleExecuteCommand: ConsoleStoreReducer< createCommandExecutionState({ errorMessage: ( - {i18n.translate('xpack.securitySolution.console.commandValidation.mustHaveArgs', { - defaultMessage: 'Missing required arguments: {requiredArgs}', - values: { - requiredArgs: requiredArgs - .map((argName) => toCliArgumentOption(argName)) - .join(', '), - }, - })} + {executionTranslations.missingArguments( + requiredArgs.map((argName) => toCliArgumentOption(argName)).join(', ') + )} ), }), @@ -448,11 +443,7 @@ export const handleExecuteCommand: ConsoleStoreReducer< cloneCommandDefinitionWithNewRenderComponent(command, BadArgument), createCommandExecutionState({ errorMessage: ( - - {i18n.translate('xpack.securitySolution.console.commandValidation.oneArgIsRequired', { - defaultMessage: 'At least one argument must be used', - })} - + {executionTranslations.MUST_HAVE_AT_LEAST_ONE_ARG} ), }), false diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_input_area_state.ts b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_input_area_state.ts index 092f74dc66ce1..e703d0f280480 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_input_area_state.ts 
+++ b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/handle_input_area_state.ts @@ -7,8 +7,14 @@ import { i18n } from '@kbn/i18n'; import { v4 as uuidV4 } from 'uuid'; -import { getCommandNameFromTextInput } from '../../../service/parsed_command_input'; -import type { ConsoleDataAction, ConsoleStoreReducer } from '../types'; +import type { ParsedCommandInterface } from '../../../service/types'; +import { parseCommandInput } from '../../../service/parsed_command_input'; +import type { + ConsoleDataAction, + ConsoleDataState, + ConsoleStoreReducer, + EnteredCommand, +} from '../types'; export const INPUT_DEFAULT_PLACEHOLDER_TEXT = i18n.translate( 'xpack.securitySolution.handleInputAreaState.inputPlaceholderText', @@ -17,6 +23,21 @@ export const INPUT_DEFAULT_PLACEHOLDER_TEXT = i18n.translate( } ); +const setArgSelectorValueToParsedArgs = ( + parsedInput: ParsedCommandInterface, + enteredCommand: EnteredCommand | undefined +) => { + if (enteredCommand && enteredCommand.argsWithValueSelectors) { + for (const argName of Object.keys(enteredCommand.argsWithValueSelectors)) { + if (parsedInput.hasArg(argName)) { + const argumentValues = enteredCommand.argState[argName] ?? []; + + parsedInput.args[argName] = argumentValues.map((itemState) => itemState.value); + } + } + } +}; + type InputAreaStateAction = ConsoleDataAction & { type: | 'updateInputPopoverState' @@ -24,7 +45,8 @@ type InputAreaStateAction = ConsoleDataAction & { | 'clearInputHistoryState' | 'updateInputTextEnteredState' | 'updateInputPlaceholderState' - | 'setInputState'; + | 'setInputState' + | 'updateInputCommandArgState'; }; export const handleInputAreaState: ConsoleStoreReducer = ( 
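Review bot: `setArgSelectorValueToParsedArgs` reads `itemState.value` for every entry of `enteredCommand.argState[argName]` without checking that the entry exists. The `updateInputCommandArgState` case added further down this file spreads the previous array and then assigns `updatedArgState[argInstance]` at whatever index the payload carries. If a higher instance is ever stored before a lower one, the next spread turns the gap into `undefined` and this `map` would throw inside the reducer. Whether that ordering can occur is not visible here, but `argumentValues.map((itemState) => itemState?.value)` keeps the helper total either way. A one-line comment stating that selector values replace whatever the user typed for that argument would also make the overwrite of `parsedInput.args[argName]` explicit.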
@@ -50,7 +72,14 @@ export const handleInputAreaState: ConsoleStoreReducer = ( input: { ...state.input, // Keeping the last 100 entries only for now - history: [{ id: uuidV4(), input: payload.command }, ...state.input.history.slice(0, 99)], + history: [ + { + id: uuidV4(), + input: payload.command, + display: payload.display ?? payload.command, + }, + ...state.input.history.slice(0, 99), + ], }, }; 
@@ -64,33 +93,70 @@ export const handleInputAreaState: ConsoleStoreReducer = ( }; case 'updateInputTextEnteredState': - const { textEntered: newTextEntered, rightOfCursor: newRightOfCursor = { text: '' } } = - typeof payload === 'function' - ? payload({ - textEntered: state.input.textEntered, - rightOfCursor: state.input.rightOfCursor, - }) - : payload; + const { + leftOfCursorText: newTextEntered, + rightOfCursorText: newRightOfCursor = '', + argState: adjustedArgState, + } = typeof payload === 'function' ? payload(state.input) : payload; if ( - state.input.textEntered !== newTextEntered || - state.input.rightOfCursor !== newRightOfCursor + state.input.leftOfCursorText !== newTextEntered || + state.input.rightOfCursorText !== newRightOfCursor ) { - const fullCommandText = newTextEntered + newRightOfCursor.text; - const commandEntered = - // If the user has typed a command (some text followed by at space), - // then parse it to get the command name. - fullCommandText.trimStart().indexOf(' ') !== -1 - ? getCommandNameFromTextInput(fullCommandText) - : ''; + const parsedInput = parseCommandInput(newTextEntered + newRightOfCursor); + + let enteredCommand: ConsoleDataState['input']['enteredCommand'] = + state.input.enteredCommand; + + if (enteredCommand && adjustedArgState && enteredCommand?.argState !== adjustedArgState) { + enteredCommand = { + ...enteredCommand, + argState: adjustedArgState, + }; + } + + // Determine if `enteredCommand` should be re-defined + if ( + (parsedInput.name && + (!enteredCommand || parsedInput.name !== enteredCommand.commandDefinition.name)) || + (!parsedInput.name && enteredCommand) + ) { + enteredCommand = undefined; + + const commandDefinition = state.commands.find((def) => def.name === parsedInput.name); + + if (commandDefinition) { + let argsWithValueSelectors: EnteredCommand['argsWithValueSelectors']; + + for (const [argName, argDef] of Object.entries(commandDefinition.args ?? 
{})) { + if (argDef.SelectorComponent) { + if (!argsWithValueSelectors) { + argsWithValueSelectors = {}; + } + + argsWithValueSelectors[argName] = argDef; + } + } + + enteredCommand = { + argState: {}, + commandDefinition, + argsWithValueSelectors, + }; + } + } + + // Update parsed input with any values that were selected via argument selectors + setArgSelectorValueToParsedArgs(parsedInput, enteredCommand); return { ...state, input: { ...state.input, - textEntered: newTextEntered, - rightOfCursor: newRightOfCursor, - commandEntered, + leftOfCursorText: newTextEntered, + rightOfCursorText: newRightOfCursor, + parsedInput, + enteredCommand, }, }; } @@ -119,6 +185,38 @@ export const handleInputAreaState: ConsoleStoreReducer = ( }; } break; + + case 'updateInputCommandArgState': + if (state.input.enteredCommand) { + const { name: argName, instance: argInstance, state: newArgState } = payload; + const updatedArgState = [...(state.input.enteredCommand.argState[argName] ?? [])]; + + updatedArgState[argInstance] = newArgState; + + const updatedEnteredCommand = { + ...state.input.enteredCommand, + argState: { + ...state.input.enteredCommand.argState, + [argName]: updatedArgState, + }, + }; + + // store a new version of parsed input that contains the updated selector value + const updatedParsedInput = parseCommandInput( + state.input.leftOfCursorText + state.input.rightOfCursorText + ); + setArgSelectorValueToParsedArgs(updatedParsedInput, updatedEnteredCommand); + + return { + ...state, + input: { + ...state.input, + parsedInput: updatedParsedInput, + enteredCommand: updatedEnteredCommand, + }, + }; + } + break; } // No updates needed. Just return original state 
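Review bot: In `updateInputTextEnteredState`, the payload's `argState` is only applied inside the `if` that compares `leftOfCursorText` / `rightOfCursorText` with the current state, so a payload that changes `argState` but leaves the text unchanged appears to be dropped. If callers can send such a payload, widen the condition, e.g. add `|| (adjustedArgState !== undefined && adjustedArgState !== state.input.enteredCommand?.argState)`. If they cannot, a comment stating that `argState` is honoured only together with a text change would document the contract. The `enteredCommand?.argState` in the inner check is redundant after the `enteredCommand &&` guard. The reducer body continues outside this hunk, so the path taken when the `if` is false is not visible here.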
diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/translations.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/translations.tsx new file mode 100644 index 0000000000000..5922a71ff368b --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/state_update_handlers/translations.tsx 
@@ -0,0 +1,131 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; +import type { ReactNode } from 'react'; +import React from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { ConsoleCodeBlock } from '../../console_code_block'; + +export const executionTranslations = Object.freeze({ + mustHaveValue: (argName: string): string => { + return i18n.translate('xpack.securitySolution.console.commandValidation.mustHaveValue', { + defaultMessage: 'Argument --{argName} must have a value', + values: { argName }, + }); + }, + + mustBeNumber: (argName: string): string => { + return i18n.translate('xpack.securitySolution.console.commandValidation.mustBeNumber', { + defaultMessage: 'Argument --${argName} value must be a number', + values: { argName }, + }); + }, + + mustBeGreaterThanZero: (argName: string): string => { + return i18n.translate( + 'xpack.securitySolution.console.commandValidation.mustBeGreaterThanZero', + { + defaultMessage: 'Argument --{argName} value must be greater than zero', + values: { argName }, + } + ); + }, + + NO_ARGUMENTS_SUPPORTED: i18n.translate( + 'xpack.securitySolution.console.commandValidation.noArgumentsSupported', + { + defaultMessage: 'Command does not support any arguments', + } + ), + + missingRequiredArg: (argName: string): string => { + return i18n.translate('xpack.securitySolution.console.commandValidation.missingRequiredArg', { + defaultMessage: 'Missing required argument: --{argName}', + values: { + argName, + }, + }); + }, + + unsupportedArg: (argName: string): string => { + return i18n.translate('xpack.securitySolution.console.commandValidation.unsupportedArg', { + defaultMessage: 'Unsupported argument: --{argName}', + values: { argName }, + }); + }, + + 
noMultiplesAllowed: (argName: string): string => { + return i18n.translate('xpack.securitySolution.console.commandValidation.argSupportedOnlyOnce', { + defaultMessage: 'Argument can only be used once: --{argName}', + values: { argName }, + }); + }, + + argValueValidatorError: (argName: string, error: string): string => { + return i18n.translate('xpack.securitySolution.console.commandValidation.invalidArgValue', { + defaultMessage: 'Invalid argument value: --{argName}. {error}', + values: { argName, error }, + }); + }, + + missingArguments: (missingArgs: string): string => { + return i18n.translate('xpack.securitySolution.console.commandValidation.mustHaveArgs', { + defaultMessage: 'Missing required arguments: {missingArgs}', + values: { missingArgs }, + }); + }, + + MUST_HAVE_AT_LEAST_ONE_ARG: i18n.translate( + 'xpack.securitySolution.console.commandValidation.oneArgIsRequired', + { + defaultMessage: 'At least one argument must be used', + } + ), + + onlyOneFromExclusiveOr: (argNames: string): ReactNode => { + return ( + + + {argNames} + + ), + }} + /> + + ); + }, + + unknownArgument: (count: number, commandName: string, unknownArgs: string): ReactNode => { + return ( + + + {commandName} + + ), + unknownArgs: ( + + {unknownArgs} + + ), + }} + /> + + ); + }, +}); diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/types.ts b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/types.ts index 291f525196bba..67033eb09886a 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/console_state/types.ts +++ b/x-pack/plugins/security_solution/public/management/components/console/components/console_state/types.ts 
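Review bot: The `mustBeNumber` message is `'Argument --${argName} value must be a number'`, a plain string passed to `i18n.translate` rather than a template literal, so the `$` is presumably rendered literally in front of the substituted name. The sibling messages use `--{argName}`, so this line should read `defaultMessage: 'Argument --{argName} value must be a number',`. Separately, `missingArguments` keeps the existing id `xpack.securitySolution.console.commandValidation.mustHaveArgs` but renames its placeholder from `{requiredArgs}` to `{missingArgs}`. Existing translations for that id would no longer match, so either keep the old placeholder name or use a new message id.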
@@ -5,9 +5,17 @@ * 2.0. */ +/* eslint-disable @typescript-eslint/no-explicit-any */ + import type { Dispatch, Reducer } from 'react'; +import type { ParsedCommandInterface } from '../../service/types'; import type { CommandInputProps } from '../command_input'; -import type { Command, CommandDefinition, CommandExecutionComponent } from '../../types'; +import type { + Command, + CommandDefinition, + CommandExecutionComponent, + CommandArgDefinition, +} from '../../types'; export interface ConsoleDataState { /** @@ -48,17 +56,22 @@ export interface ConsoleDataState { /** state for the command input area */ input: { /** - * The text the user is typing into the console input area. By default, this - * value goes into the left of the cursor position + * The left side of the cursor text entered by the user */ - textEntered: string; // FIXME:PT convert this to same structure as `rightOfCursor` + leftOfCursorText: string; - rightOfCursor: { - text: string; - }; + /** + * The right side of the cursor text entered by the user + */ + rightOfCursorText: string; + + /** + * The parsed user input + */ + parsedInput: ParsedCommandInterface; - /** The command name that was entered (derived from `textEntered` */ - commandEntered: string; + /** The entered command. Only defined if the command is "known" */ + enteredCommand: undefined | EnteredCommand; /** Placeholder text for the input area **/ placeholder: string; 
@@ -74,9 +87,36 @@ export interface ConsoleDataState { }; } +/** State that is provided/received to Argument Value Selectors */ +export interface ArgSelectorState { + value: any; + valueText: string | undefined; + /** + * A store (data) for the Argument Selector Component so that it can persist state between + * re-renders or between console being opened/closed + */ + store?: TState; +} + +export interface EnteredCommand { + commandDefinition: CommandDefinition; + + /** keeps a list of arguments definitions that are defined with a Value Selector component */ + argsWithValueSelectors: undefined | Record; + + argState: { + // Each arg has an array (just like the parsed input) and keeps the + // state that is provided to that instance of the argument on the input. + [argName: string]: ArgSelectorState[]; + }; +} + export interface InputHistoryItem { id: string; + /** The command that will be used internally if entry is selected again from the popup */ input: string; + /** The display value in the UI's input history popup */ + display: string; } export interface CommandHistoryItem { @@ -92,11 +132,20 @@ export interface CommandExecutionState { store: Record; } +export interface ExecuteCommandPayload { + input: string; + parsedInput: ParsedCommandInterface; + enteredCommand: ConsoleDataState['input']['enteredCommand']; +} + export type ConsoleDataAction = | { type: 'scrollDown' } | { type: 'addFocusToKeyCapture' } | { type: 'removeFocusFromKeyCapture' } - | { type: 'executeCommand'; payload: { input: string } } + | { + type: 'executeCommand'; + payload: ExecuteCommandPayload; + } | { type: 'clear' } | { type: 'showSidePanel'; 
@@ -119,11 +168,13 @@ export type ConsoleDataAction = } | { type: 'updateInputTextEnteredState'; - payload: PayloadValueOrFunction<{ - textEntered: string; - /** When omitted, the right side of the cursor value will be blanked out */ - rightOfCursor?: ConsoleDataState['input']['rightOfCursor']; - }>; + payload: PayloadValueOrFunction< + Pick & { + /** updates (if necessary) to any of the argument's state */ + argState?: Record; + }, + ConsoleDataState['input'] + >; } | { type: 'updateInputPopoverState'; @@ -146,7 +197,21 @@ export type ConsoleDataAction = | { type: 'updateInputHistoryState'; payload: { + /** The command that will be used internally if entry is selected again from the popup */ command: string; + /** The display value in the UI's input history popup. Defaults to `command` */ + display?: string; + }; + } + | { + type: 'updateInputCommandArgState'; + payload: { + /** Name of argument */ + name: string; + /** Instance of the argument */ + instance: number; + /** The updated state for the argument */ + state: ArgSelectorState; }; } | { @@ -154,7 +219,9 @@ export type ConsoleDataAction = payload?: never; }; -type PayloadValueOrFunction = T | ((options: Required) => T); +type PayloadValueOrFunction = + | T + | ((options: TCallbackArgs) => T); export interface ConsoleStore { state: ConsoleDataState; diff --git a/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_command_argument_state.ts b/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_command_argument_state.ts new file mode 100644 index 0000000000000..e7b602d07c405 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_command_argument_state.ts 
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMemo } from 'react';
+import { useConsoleStore } from '../../components/console_state/console_state';
+import type { ArgSelectorState } from '../../components/console_state/types';
+
+/**
+ * Returns the Command argument state for a given argument name. Should be used ONLY when a
+ * command has been entered that matches a `CommandDefinition`
+ * @param argName
+ * @param instance
+ */
+export const useWithCommandArgumentState = (
+ argName: string,
+ instance: number
+): ArgSelectorState => {
+ const enteredCommand = useConsoleStore().state.input.enteredCommand;
+
+ return useMemo(() => {
+ const argInstanceState = enteredCommand?.argState[argName]?.at(instance);
+
+ return (
+ argInstanceState ?? {
+ value: undefined,
+ valueText: '',
+ }
+ );
+ }, [argName, enteredCommand, instance]);
+};
diff --git a/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_command_entered.ts b/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_command_entered.ts
index 827163aa32833..3833ae4a5f3d9 100644
--- a/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_command_entered.ts
+++ b/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_command_entered.ts
@@ -6,8 +6,13 @@ */ import { useConsoleStore } from '../../components/console_state/console_state'; -import type { ConsoleDataState } from '../../components/console_state/types'; -export const useWithInputCommandEntered = (): ConsoleDataState['input']['commandEntered'] => { - return useConsoleStore().state.input.commandEntered; +/** + * Retrieves the command name from the text the user entered. Will only return a value if a space + * has been entered, which is the trigger to being able to actually parse out the command name + */ +export const useWithInputCommandEntered = (): string => { + const parsedInput = useConsoleStore().state.input.parsedInput; + + return parsedInput.input.trimStart().indexOf(' ') !== -1 ? parsedInput.name : ''; }; diff --git a/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_text_entered.ts b/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_text_entered.ts index 61164ed1f8421..b5bbd1cbe9415 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_text_entered.ts +++ b/x-pack/plugins/security_solution/public/management/components/console/hooks/state_selectors/use_with_input_text_entered.ts 
@@ -9,18 +9,24 @@ import { useMemo } from 'react'; import { useConsoleStore } from '../../components/console_state/console_state'; import type { ConsoleDataState } from '../../components/console_state/types'; -type InputTextEntered = Pick & { +type InputTextEntered = Pick< + ConsoleDataState['input'], + 'leftOfCursorText' | 'rightOfCursorText' | 'parsedInput' | 'enteredCommand' +> & { fullTextEntered: string; }; export const useWithInputTextEntered = (): InputTextEntered => { - const inputState = useConsoleStore().state.input; + const { leftOfCursorText, rightOfCursorText, parsedInput, enteredCommand } = + useConsoleStore().state.input; return useMemo(() => { return { - textEntered: inputState.textEntered, - rightOfCursor: inputState.rightOfCursor, - fullTextEntered: inputState.textEntered + inputState.rightOfCursor.text, + leftOfCursorText, + rightOfCursorText, + parsedInput, + enteredCommand, + fullTextEntered: leftOfCursorText + rightOfCursorText, }; - }, [inputState.rightOfCursor, inputState.textEntered]); + }, [enteredCommand, leftOfCursorText, parsedInput, rightOfCursorText]); }; diff --git a/x-pack/plugins/security_solution/public/management/components/console/mocks.tsx b/x-pack/plugins/security_solution/public/management/components/console/mocks.tsx index ef550605714e1..b50e5ff108512 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/mocks.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/mocks.tsx 
@@ -7,12 +7,17 @@ /* eslint-disable import/no-extraneous-dependencies */ -import React, { useEffect } from 'react'; +import React, { memo, useEffect } from 'react'; import { EuiCode } from '@elastic/eui'; import userEvent from '@testing-library/user-event'; import { act } from '@testing-library/react'; import { Console } from './console'; -import type { ConsoleProps, CommandDefinition, CommandExecutionComponent } from './types'; +import type { + ConsoleProps, + CommandDefinition, + CommandExecutionComponent, + CommandArgumentValueSelectorProps, +} from './types'; import type { AppContextTestRender } from '../../../common/mock/endpoint'; import { createAppRootMockRenderer } from '../../../common/mock/endpoint'; @@ -236,7 +241,35 @@ export const getCommandListMock = (): CommandDefinition[] => { }, }, }, + { + name: 'cmd7', + about: 'Command with argument selector', + RenderComponent: jest.fn(RenderComponent), + args: { + foo: { + about: 'foo stuff', + required: true, + allowMultiples: true, + SelectorComponent: ArgumentSelectorComponentMock, + }, + }, + }, ]; return commands; }; + +export const ArgumentSelectorComponentMock = memo< + CommandArgumentValueSelectorProps<{ selection: string }> +>(({ value, valueText, onChange, argName, argIndex }) => { + useEffect(() => { + if (!value) { + onChange({ valueText: 'foo selected', value: { selection: 'foo' } }); + } + }, [onChange, value]); + + return ( + {`${argName}[${argIndex}]: ${valueText}`} + ); +}); +ArgumentSelectorComponentMock.displayName = 'ArgumentSelectorComponentMock'; diff --git a/x-pack/plugins/security_solution/public/management/components/console/service/parse_command_input.test.ts b/x-pack/plugins/security_solution/public/management/components/console/service/parse_command_input.test.ts index a4d3a983041fd..c976df72259e6 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/service/parse_command_input.test.ts 
+++ b/x-pack/plugins/security_solution/public/management/components/console/service/parse_command_input.test.ts @@ -5,8 +5,8 @@ * 2.0. */ -import type { ParsedCommandInterface } from './parsed_command_input'; import { parseCommandInput } from './parsed_command_input'; +import type { ParsedCommandInterface } from './types'; describe('when using parsed command input utils', () => { describe('when using parseCommandInput()', () => { diff --git a/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts b/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts index 78ab197ebd227..65c2f5daadc24 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts +++ b/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts @@ -5,22 +5,9 @@ * 2.0. */ -/* eslint-disable @typescript-eslint/no-explicit-any */ - +import type { ParsedCommandInput, ParsedCommandInterface } from './types'; import type { CommandDefinition } from '..'; -export type PossibleArgDataTypes = string | boolean; - -export type ParsedArgData = Array< - T extends PossibleArgDataTypes ? T : never ->; - -interface ParsedCommandInput { - name: string; - args: { - [key in keyof TArgs]: ParsedArgData[key]>; - }; -} const parseInputString = (rawInput: string): ParsedCommandInput => { const input = rawInput.trim(); const response: ParsedCommandInput = { 
@@ -89,22 +76,6 @@ const parseInputString = (rawInput: string): ParsedCommandInput => { return response; }; -export interface ParsedCommandInterface - extends ParsedCommandInput { - input: string; - - /** - * Checks if the given argument name was entered by the user - * @param argName - */ - hasArg(argName: string): boolean; - - /** - * if any argument was entered - */ - hasArgs: boolean; -} - class ParsedCommand implements ParsedCommandInterface { public readonly name: string; public readonly args: Record; diff --git a/x-pack/plugins/security_solution/public/management/components/console/service/types.ts b/x-pack/plugins/security_solution/public/management/components/console/service/types.ts new file mode 100644 index 0000000000000..18f1e2bbae1b1 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/console/service/types.ts @@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable @typescript-eslint/no-explicit-any */ + +export type PossibleArgDataTypes = string | boolean; +export type ParsedArgData = Array< + T extends PossibleArgDataTypes ? T : never +>; + +export interface ParsedCommandInput { + name: string; + args: { + [key in keyof TArgs]: ParsedArgData[key]>; + }; +} + +export interface ParsedCommandInterface + extends ParsedCommandInput { + input: string; + + /** + * Checks if the given argument name was entered by the user + * @param argName + */ + hasArg(argName: string): boolean; + + /** + * if any argument was entered + */ + hasArgs: boolean; +} diff --git a/x-pack/plugins/security_solution/public/management/components/console/types.ts b/x-pack/plugins/security_solution/public/management/components/console/types.ts index 9102d77d66d09..30f8880486907 100644 
--- a/x-pack/plugins/security_solution/public/management/components/console/types.ts +++ b/x-pack/plugins/security_solution/public/management/components/console/types.ts 
@@ -9,41 +9,69 @@ import type { ComponentType, ReactNode } from 'react'; import type { CommonProps } from '@elastic/eui'; +import type { ParsedArgData, ParsedCommandInterface, PossibleArgDataTypes } from './service/types'; import type { CommandExecutionResultComponent } from './components/command_execution_result'; -import type { CommandExecutionState } from './components/console_state/types'; +import type { CommandExecutionState, ArgSelectorState } from './components/console_state/types'; import type { Immutable, MaybeImmutable } from '../../../../common/endpoint/types'; -import type { - ParsedArgData, - ParsedCommandInterface, - PossibleArgDataTypes, -} from './service/parsed_command_input'; +/** + * Definition interface for a Command argument + */ +export interface CommandArgDefinition { + /** + * If the argument is required to be entered by the user. NOTE that this will only validate that + * the user has entered the argument name - it does not validate that the argument must have a + * value. Arguments that have no value entered by the user have (by default) a value of + * `true` boolean. + */ + required: boolean; + allowMultiples: boolean; + about: string; + /** + * If argument (when used) should have a value defined by the user. + * Default is `false` which mean that argument can be entered without any value - internally the + * value for the argument will be a boolean `true`. + * When set to `true` the argument is expected to have a value that is non-boolean + * In addition, the following options can be used with this parameter to further validate the user's input: + * + * - `non-empty-string`: user's value must be a string whose length is greater than zero. Note that + * the value entered will first be `trim()`'d. 
+ * - `number`: user's value will be converted to a Number and ensured to be a `safe integer` + * - `number-greater-than-zero`: user's value must be a number greater than zero + */ + mustHaveValue?: boolean | 'non-empty-string' | 'number' | 'number-greater-than-zero'; + exclusiveOr?: boolean; + /** + * Validate the individual values given to this argument. + * Should return `true` if valid or a string with the error message + */ + validate?: (argData: ParsedArgData) => true | string; + + /** + * If defined, the provided Component will be rendered in place of this argument's value and + * it will be up to the Selector to provide the desired interface to the user for selecting + * the argument's value. + */ + SelectorComponent?: CommandArgumentValueSelectorComponent; +} + +/** List of arguments for a Command */ export interface CommandArgs { - [longName: string]: { - required: boolean; - allowMultiples: boolean; - exclusiveOr?: boolean; - about: string; - /** - * Validate the individual values given to this argument. - * Should return `true` if valid or a string with the error message - */ - validate?: (argData: ParsedArgData) => true | string; - - // Selector: Idea is that the schema can plugin in a rich component for the - // user to select something (ex. a file) - // FIXME: implement selector - selector?: ComponentType; - }; + [longName: string]: CommandArgDefinition; } export interface CommandDefinition { + /** Name of the command. This will be the value that the user will enter on the console to access this command */ name: string; + + /** Some information about the command */ about: ReactNode; + /** * The Component that will be used to render the Command */ RenderComponent: CommandExecutionComponent; + /** Will be used to sort the commands when building the output for the `help` command */ helpCommandPosition?: number; 
@@ -57,14 +85,17 @@ export interface CommandDefinition { * the console's built in output. */ HelpComponent?: CommandExecutionComponent; + /** * If defined, the button to add to the text bar will be disabled and the user will not be able to use this command if entered into the console. */ helpDisabled?: boolean; + /** * If defined, the command will be hidden from in the Help menu and help text. It will warn the user and not execute the command if manually typed in. */ helpHidden?: boolean; + /** * A store for any data needed when the command is executed. * The entire `CommandDefinition` is passed along to the component @@ -116,6 +147,11 @@ export interface Command< > { /** The raw input entered by the user */ input: string; + /** + * The input value for display on the UI. This could differ from + * `input` when Argument Value Selectors were used. + */ + inputDisplay: string; /** An object with the arguments entered by the user and their value */ args: ParsedCommandInterface; /** The command definition associated with this user command */ 
@@ -177,6 +213,55 @@ export type CommandExecutionComponent< TMeta = any > = ComponentType>; +/** + * The component props for an argument `SelectorComponent` + */ +export interface CommandArgumentValueSelectorProps { + /** + * The current value that was selected. This will not be displayed in the UI, but will + * be passed on to the command execution as part of the argument's value + */ + value: TSelection | undefined; + + /** + * A string value for display purposes only that describes the selected value. This + * will be used when the command is entered and displayed in the console as well as in + * the command input history popover + */ + valueText: string; + + /** + * The name of the Argument + */ + argName: string; + + /** + * The index (zero based) of the argument in the current command. This is a zero-based number indicating + * which instance of the argument is being rendered. + */ + argIndex: number; + + /** + * A store for the Argument Selector. Should be used for any component state that needs to be + * persisted across re-renders by the console. + */ + store: TState; + + /** + * callback for the Value Selector to call and provide the selection value. + * This selection value will then be passed along with the argument to the command execution + * component. + * @param newData + */ + onChange: (newData: ArgSelectorState) => void; +} + +/** + * Component for rendering an argument's value selector + */ +export type CommandArgumentValueSelectorComponent = + ComponentType; + export interface ConsoleProps extends CommonProps { /** * The list of Commands that will be available in the console for the user to execute diff --git a/x-pack/plugins/security_solution/public/management/components/console_argument_selectors/file_selector.tsx b/x-pack/plugins/security_solution/public/management/components/console_argument_selectors/file_selector.tsx new file mode 100644 index 0000000000000..4dda91f2ab232 --- /dev/null 
+++ b/x-pack/plugins/security_solution/public/management/components/console_argument_selectors/file_selector.tsx 
@@ -0,0 +1,131 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { memo, useCallback, useMemo } from 'react'; +import { + EuiButtonIcon, + EuiFilePicker, + EuiFlexGroup, + EuiFlexItem, + EuiPopover, + htmlIdGenerator, +} from '@elastic/eui'; +import type { EuiFilePickerProps } from '@elastic/eui/src/components/form/file_picker/file_picker'; +import { i18n } from '@kbn/i18n'; +import type { CommandArgumentValueSelectorProps } from '../console/types'; + +const INITIAL_DISPLAY_LABEL = i18n.translate( + 'xpack.securitySolution.consoleArgumentSelectors.fileSelector.initialDisplayLabel', + { defaultMessage: 'Click to select file' } +); + +const OPEN_FILE_PICKER_LABEL = i18n.translate( + 'xpack.securitySolution.consoleArgumentSelectors.fileSelector.filePickerButtonLabel', + { defaultMessage: 'Open file picker' } +); + +const NO_FILE_SELECTED = i18n.translate( + 'xpack.securitySolution.consoleArgumentSelectors.fileSelector.noFileSelected', + { defaultMessage: 'No file selected' } +); + +interface ArgumentFileSelectorState { + isPopoverOpen: boolean; +} + +/** + * A Console Argument Selector component that enables the user to select a file from the local machine + */ +export const ArgumentFileSelector = memo< + CommandArgumentValueSelectorProps +>(({ value, valueText, onChange, store: _store }) => { + const state = useMemo(() => { + return _store ?? 
{ isPopoverOpen: true }; + }, [_store]); + + const setIsPopoverOpen = useCallback( + (newValue: boolean) => { + onChange({ + value, + valueText, + store: { + ...state, + isPopoverOpen: newValue, + }, + }); + }, + [onChange, state, value, valueText] + ); + + const filePickerUUID = useMemo(() => { + return htmlIdGenerator('console')(); + }, []); + + const handleOpenPopover = useCallback(() => { + setIsPopoverOpen(true); + }, [setIsPopoverOpen]); + + const handleClosePopover = useCallback(() => { + setIsPopoverOpen(false); + }, [setIsPopoverOpen]); + + const handleFileSelection: EuiFilePickerProps['onChange'] = useCallback( + (selectedFiles) => { + // Get only the first file selected + const file = selectedFiles?.item(0); + + onChange({ + value: file ?? undefined, + valueText: file ? file.name : '', + store: { + ...state, + isPopoverOpen: false, + }, + }); + }, + [onChange, state] + ); + + return ( +
    + + +
    + {valueText || INITIAL_DISPLAY_LABEL} +
    +
    + + + + + } + > + {state.isPopoverOpen && ( + + )} +
    +
    + ); +}); +ArgumentFileSelector.displayName = 'ArgumentFileSelector'; diff --git a/x-pack/test/saved_object_tagging/functional/tests/constants.ts b/x-pack/plugins/security_solution/public/management/components/console_argument_selectors/index.ts similarity index 70% rename from x-pack/test/saved_object_tagging/functional/tests/constants.ts rename to x-pack/plugins/security_solution/public/management/components/console_argument_selectors/index.ts index 7c5a441e2cefe..515352120b171 100644 --- a/x-pack/test/saved_object_tagging/functional/tests/constants.ts +++ b/x-pack/plugins/security_solution/public/management/components/console_argument_selectors/index.ts @@ -4,6 +4,4 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ - -export const TAGFILTER_DROPDOWN_SELECTOR = - '.euiFilterGroup .euiPopover:nth-child(2) .euiFilterButton'; +export * from './file_selector'; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts index b4068c95d1407..1c57fb6401ec6 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/console_commands_definition.ts @@ -6,6 +6,8 @@ */ import { i18n } from '@kbn/i18n'; +import type { ParsedArgData } from '../../console/service/types'; +import { getUploadCommand } from './dev_only'; import { ExperimentalFeaturesService } from '../../../../common/experimental_features_service'; import type { EndpointCapabilities, 
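Review bot: `handleFileSelection` in the new `file_selector.tsx` passes the picked `File` straight to `onChange` with no check on its size or type, and the doc comment on `ArgumentFileSelector` does not say so. Every command that uses this selector therefore has to do that check in its argument's `validate` callback without being told. I would extend the JSDoc with a line such as `Performs no validation of the selected file; commands using this selector must check it in the argument's validate callback.` and also state that only the first selected file is kept (`selectedFiles?.item(0)`). The component's JSX is not legible on this page, so any constraint set through `EuiFilePicker` props could not be checked here.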
@@ -19,7 +21,6 @@ import { KillProcessActionResult } from '../command_render_components/kill_proce import { SuspendProcessActionResult } from '../command_render_components/suspend_process_action'; import { EndpointStatusActionResult } from '../command_render_components/status_action'; import { GetProcessesActionResult } from '../command_render_components/get_processes_action'; -import type { ParsedArgData } from '../../console/service/parsed_command_input'; import type { EndpointPrivileges, ImmutableArray } from '../../../../../common/endpoint/types'; import { INSUFFICIENT_PRIVILEGES_FOR_COMMAND, @@ -370,6 +371,14 @@ export const getEndpointConsoleCommands = ({ }, ]; + // FIXME: DELETE PRIOR TO MERGE + // for dev purposes only - command only shown if url has `show_upload=` + if (location.search.includes('show_upload=')) { + consoleCommands.push( + getUploadCommand({ endpointAgentId, endpointPrivileges, endpointCapabilities }) + ); + } + // `get-file` is currently behind feature flag if (isGetFileEnabled) { consoleCommands.push({ diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/dev_only.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/dev_only.tsx new file mode 100644 index 0000000000000..6ec6cdf801092 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/lib/dev_only.tsx 
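Review bot: In the `@@ -370,6 +371,14 @@` hunk, `location.search.includes('show_upload=')` is the only gate on the `upload` command, and a query string is something any signed-in user can set, so it cannot stand in for a feature flag or a privilege check. The comment says the block is to be deleted before merge; if it lands anyway, gate it the way `get-file` is gated just below, e.g. `if (isUploadEnabled) {`, where `isUploadEnabled` is a placeholder name for a flag read through `ExperimentalFeaturesService`. `getUploadCommand` is also imported unconditionally at the top of the file, so `dev_only.tsx` is evaluated for every user regardless of the URL. `getEndpointConsoleCommands` starts and ends outside this hunk.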
@@ -0,0 +1,111 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable @typescript-eslint/no-explicit-any */ + +import React, { memo, useEffect } from 'react'; +import type { CommandArgumentValueSelectorProps } from '../../console/types'; +import type { CommandDefinition } from '../../console'; +import { ArgumentFileSelector } from '../../console_argument_selectors'; + +// FOR DEV PURPOSES ONLY. WILL BE DELETED PRIOR TO MERGE +// FIXME:PT DELETE FILE +export const getUploadCommand = ({ + endpointAgentId, + endpointPrivileges, + endpointCapabilities, +}: { + endpointAgentId: string; + endpointCapabilities: any; + endpointPrivileges: any; +}): CommandDefinition => { + return { + name: 'upload', + about: 'Upload and execute a file on host machine', + RenderComponent: (props) => { + window.console.log(`upload command rendering...`); + window.console.log(props); + + return ( +
    +
    {`ExecuteFileAction DEV MOCK`}
    +
    + {`File Selected: ${props.command.args.args.file[0].name}`} +
    +
    + ); + }, + meta: { + endpointId: endpointAgentId, + capabilities: endpointCapabilities, + privileges: endpointPrivileges, + }, + exampleUsage: 'some example goes here', + exampleInstruction: 'some instructions here', + args: { + file: { + about: 'Select the file that should be uploaded and executed', + required: true, + allowMultiples: false, + mustHaveValue: true, + validate: () => { + // FIXME:PT Validate File was selected + return true; + }, + SelectorComponent: ArgumentFileSelector, + }, + + n: { + required: false, + allowMultiples: true, + mustHaveValue: 'number-greater-than-zero', + about: 'just a number greater than zero', + }, + + nn: { + required: false, + allowMultiples: true, + mustHaveValue: 'number', + about: 'just a number', + }, + + mock: { + required: false, + allowMultiples: false, + about: 'using a selector', + SelectorComponent: ArgumentSelectorComponentTest, + }, + + comment: { + required: false, + allowMultiples: false, + mustHaveValue: 'non-empty-string', + about: 'A comment', + }, + }, + helpGroupLabel: 'DEV', + helpGroupPosition: 0, + helpCommandPosition: 0, + }; +}; + +const ArgumentSelectorComponentTest = memo< + CommandArgumentValueSelectorProps<{ selection: string }> +>(({ value, valueText, onChange, argIndex, argName }) => { + useEffect(() => { + if (!value) { + onChange({ valueText: 'foo selected', value: { selection: 'foo' } }); + } + }, [onChange, value]); + + return ( + {`${argName}[${argIndex}]: ${valueText}`} + ); +}); +ArgumentSelectorComponentTest.displayName = 'ArgumentSelectorComponentTest'; + +document.body.classList.add('style2'); diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/endpoint_policy_create_extension/endpoint_policy_create_extension.tsx b/x-pack/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/endpoint_policy_create_extension/endpoint_policy_create_extension.tsx index 216875237cf43..6f509f232def2 100644 
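Review bot: The last line of the new `dev_only.tsx`, `document.body.classList.add('style2');`, runs at module load rather than inside the command, so it takes effect for anyone who loads a bundle importing this file and not only when `show_upload=` is in the URL; it should be dropped. In `RenderComponent`, the two `window.console.log` calls write the whole command object, including the `meta` privileges and capabilities, to the browser console and should be removed. `props.command.args.args.file[0].name` is read without a guard while `validate` for `file` always returns `true`; if this outlives the FIXME, `validate` should return an error string when no file was selected. The `any` types on `endpointCapabilities` and `endpointPrivileges` also hide whether the command ever checks privileges, which nothing in this hunk does.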
--- a/x-pack/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/endpoint_policy_create_extension/endpoint_policy_create_extension.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/endpoint_policy_create_extension/endpoint_policy_create_extension.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import React, { memo, useState, useEffect, useRef, useCallback } from 'react'; +import React, { memo, useState, useEffect, useCallback } from 'react'; import { EuiForm, EuiRadio, @@ -89,7 +89,6 @@ export const EndpointPolicyCreateExtension = memo('NGAV'); const [selectedCloudEvent, setSelectedCloudEvent] = useState('INTERACTIVE_ONLY'); const [selectedEnvironment, setSelectedEnvironment] = useState('endpoint'); - const initialRender = useRef(true); // Show NGAV license note when Gold and below // Show other licenses note when Platinum and Below @@ -102,7 +101,7 @@ export const EndpointPolicyCreateExtension = memo { - if (initialRender.current) { + if (newPolicy.inputs.length === 0) { onChange({ isValid: false, updatedPolicy: { @@ -127,13 +126,6 @@ export const EndpointPolicyCreateExtension = memo { - // Skip triggering this onChange on the initial render - if (initialRender.current) { - initialRender.current = false; } else { onChange({ isValid: true, diff --git a/x-pack/plugins/security_solution/scripts/endpoint/agent_emulator/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/agent_emulator/index.ts index 5daba7f613fa9..86c43ce2f2a43 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/agent_emulator/index.ts +++ b/x-pack/plugins/security_solution/scripts/endpoint/agent_emulator/index.ts 
@@ -22,8 +22,8 @@ export const cli = () => { string: ['kibana', 'elastic', 'username', 'password'], boolean: ['asSuperuser'], default: { - kibana: 'http://localhost:5601', - elasticsearch: 'http://localhost:9200', + kibana: 'http://127.0.0.1:5601', + elasticsearch: 'http://127.0.0.1:9200', username: 'elastic', password: 'changeme', asSuperuser: false, @@ -39,8 +39,8 @@ export const cli = () => { --asSuperuser If defined, then a Security super user will be created using the the credentials defined via 'username' and 'password' options. This new user will then be used to run this utility. - --kibana The url to Kibana (Default: http://localhost:5601) - --elasticsearch The url to Elasticsearch (Default: http://localhost:9200) + --kibana The url to Kibana (Default: http://127.0.0.1:5601) + --elasticsearch The url to Elasticsearch (Default: http://127.0.0.1:9200) --checkinInterval The interval between how often the Agent is checked into fleet and a metadata document update is sent for the endpoint. Default is 1 minute --actionDelay The delay (in milliseconds) that should be applied before responding diff --git a/x-pack/plugins/security_solution/scripts/endpoint/blocklists/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/blocklists/index.ts index 77c6b164a4698..f56149ac9f7ca 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/blocklists/index.ts +++ b/x-pack/plugins/security_solution/scripts/endpoint/blocklists/index.ts @@ -40,11 +40,11 @@ export const cli = () => { string: ['kibana'], default: { count: 10, - kibana: 'http://elastic:changeme@localhost:5601', + kibana: 'http://elastic:changeme@127.0.0.1:5601', }, help: ` --count Number of blocklists to create. Default: 10 - --kibana The URL to kibana including credentials. Default: http://elastic:changeme@localhost:5601 + --kibana The URL to kibana including credentials. Default: http://elastic:changeme@127.0.0.1:5601 `, }, } 
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/endpoint_policies/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/endpoint_policies/index.ts index 6d5d1dcd63b33..5367a606f66bd 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/endpoint_policies/index.ts +++ b/x-pack/plugins/security_solution/scripts/endpoint/endpoint_policies/index.ts @@ -53,11 +53,11 @@ export const cli = () => { string: ['kibana'], default: { count: 15, - kibana: 'http://elastic:changeme@localhost:5601', + kibana: 'http://elastic:changeme@127.0.0.1:5601', }, help: ` --count Number of Endpoint Policies to create. Default: 15 - --kibana The URL to kibana including credentials. Default: http://elastic:changeme@localhost:5601 + --kibana The URL to kibana including credentials. Default: http://elastic:changeme@127.0.0.1:5601 `, }, } diff --git a/x-pack/plugins/security_solution/scripts/endpoint/event_filters/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/event_filters/index.ts index 76cfdc11bde4e..a06af8d60f1e0 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/event_filters/index.ts +++ b/x-pack/plugins/security_solution/scripts/endpoint/event_filters/index.ts @@ -44,11 +44,11 @@ export const cli = () => { string: ['kibana'], default: { count: 10, - kibana: 'http://elastic:changeme@localhost:5601', + kibana: 'http://elastic:changeme@127.0.0.1:5601', }, help: ` --count Number of event filters to create. Default: 10 - --kibana The URL to kibana including credentials. Default: http://elastic:changeme@localhost:5601 + --kibana The URL to kibana including credentials. Default: http://elastic:changeme@127.0.0.1:5601 `, }, } diff --git a/x-pack/plugins/security_solution/scripts/endpoint/host_isolation_exceptions/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/host_isolation_exceptions/index.ts index 246f3e16ef78c..d0ba1c0fb2762 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/host_isolation_exceptions/index.ts 
+++ b/x-pack/plugins/security_solution/scripts/endpoint/host_isolation_exceptions/index.ts @@ -38,11 +38,11 @@ export const cli = () => { string: ['kibana'], default: { count: 10, - kibana: 'http://elastic:changeme@localhost:5601', + kibana: 'http://elastic:changeme@127.0.0.1:5601', }, help: ` --count Number of host isolation exceptions to create. Default: 10 - --kibana The URL to kibana including credentials. Default: http://elastic:changeme@localhost:5601 + --kibana The URL to kibana including credentials. Default: http://elastic:changeme@127.0.0.1:5601 `, }, } diff --git a/x-pack/plugins/security_solution/scripts/endpoint/resolver_generator_script.ts b/x-pack/plugins/security_solution/scripts/endpoint/resolver_generator_script.ts index 6c8eab6f8cffc..b944835e0c8da 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/resolver_generator_script.ts +++ b/x-pack/plugins/security_solution/scripts/endpoint/resolver_generator_script.ts @@ -170,13 +170,13 @@ async function main() { node: { alias: 'n', describe: 'elasticsearch node url', - default: 'http://elastic:changeme@localhost:9200', + default: 'http://elastic:changeme@127.0.0.1:9200', type: 'string', }, kibana: { alias: 'k', describe: 'kibana url', - default: 'http://elastic:changeme@localhost:5601', + default: 'http://elastic:changeme@127.0.0.1:5601', type: 'string', }, eventIndex: { diff --git a/x-pack/plugins/security_solution/scripts/endpoint/trusted_apps/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/trusted_apps/index.ts index f1da0eda44962..ccd0561c8110a 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/trusted_apps/index.ts +++ b/x-pack/plugins/security_solution/scripts/endpoint/trusted_apps/index.ts 
@@ -33,7 +33,7 @@ export const cli = async () => { string: ['kibana'], default: { count: 10, - kibana: 'http://elastic:changeme@localhost:5601', + kibana: 'http://elastic:changeme@127.0.0.1:5601', }, }; const options: RunOptions = minimist(process.argv.slice(2), cliDefaults); @@ -70,7 +70,7 @@ interface RunOptions { } export const run: (options?: RunOptions) => Promise = async ({ count = 10, - kibana = 'http://elastic:changeme@localhost:5601', + kibana = 'http://elastic:changeme@127.0.0.1:5601', logger = defaultLogger, }: RunOptions = {}) => { const kbnClient = new KbnClient({ diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts index b7cb97f906bf0..9cd7a6bce13dc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts @@ -80,6 +80,7 @@ export const mlExecutor = async ({ ...jobSummaries.map((job) => [ `job id: "${job.id}"`, + `job name: "${job?.customSettings?.security_app_display_name ?? job.id}"`, `job status: "${job.jobState}"`, `datafeed status: "${job.datafeedState}"`, ].join(', ') diff --git a/x-pack/plugins/stack_connectors/server/connector_types/email/send_email_graph_api.test.ts b/x-pack/plugins/stack_connectors/server/connector_types/email/send_email_graph_api.test.ts index 199681a13e968..4ab03837f416b 100644 --- a/x-pack/plugins/stack_connectors/server/connector_types/email/send_email_graph_api.test.ts +++ b/x-pack/plugins/stack_connectors/server/connector_types/email/send_email_graph_api.test.ts @@ -90,7 +90,6 @@ describe('sendEmailGraphApi', () => { "maxSockets": Infinity, "maxTotalSockets": Infinity, "options": Object { - "noDelay": true, "path": null, "rejectUnauthorized": true, }, 
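Review bot: In the `ml.ts` hunk, the added `job name` line uses optional chaining on `job` (`job?.customSettings`), yet `job.id` is read without it on the line above and as the fallback in the same expression. The `?.` on `job` is therefore dead and wrongly suggests that `job` can be undefined inside this `map` callback. `job.customSettings?.security_app_display_name ?? job.id` says what is meant. `mlExecutor` starts and ends outside this hunk.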
@@ -181,7 +180,6 @@ describe('sendEmailGraphApi', () => { "maxSockets": Infinity, "maxTotalSockets": Infinity, "options": Object { - "noDelay": true, "path": null, "rejectUnauthorized": true, }, @@ -271,7 +269,6 @@ describe('sendEmailGraphApi', () => { "maxSockets": Infinity, "maxTotalSockets": Infinity, "options": Object { - "noDelay": true, "path": null, "rejectUnauthorized": true, }, diff --git a/x-pack/plugins/synthetics/common/constants/synthetics/client_defaults.ts b/x-pack/plugins/synthetics/common/constants/synthetics/client_defaults.ts new file mode 100644 index 0000000000000..3ea9546a1bfac --- /dev/null +++ b/x-pack/plugins/synthetics/common/constants/synthetics/client_defaults.ts @@ -0,0 +1,17 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const CLIENT_DEFAULTS_SYNTHETICS = { + /** + * The beginning of the default date range is 15m ago. + */ + DATE_RANGE_START: 'now-24h', + /** + * The end of the default date range is now. + */ + DATE_RANGE_END: 'now', +}; diff --git a/x-pack/plugins/synthetics/e2e/journeys/uptime/private_locations/add_monitor_private_location.ts b/x-pack/plugins/synthetics/e2e/journeys/uptime/private_locations/add_monitor_private_location.ts index 776a13afae910..19a2d54a79458 100644 --- a/x-pack/plugins/synthetics/e2e/journeys/uptime/private_locations/add_monitor_private_location.ts +++ b/x-pack/plugins/synthetics/e2e/journeys/uptime/private_locations/add_monitor_private_location.ts 
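Review bot: In the new `client_defaults.ts`, the doc comment on `DATE_RANGE_START` says the default range begins 15m ago, but the value is `'now-24h'`. The test updated later in this commit expects `Last 24 hours`, so the comment is the stale side. Suggested wording: `* The beginning of the default date range is 24h ago.`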
@@ -57,6 +57,7 @@ journey('AddPrivateLocationMonitor', async ({ page, params: { kibanaUrl } }) => page.waitForNavigation(/* { url: '${kibanaUrl}/app/integrations/browse' }*/), page.click('text=Integrations'), ]); + await page.click('text=Display beta integrations'); await page.click('text=Installed integrations'); expect(page.url()).toBe(`${kibanaUrl}/app/integrations/installed`); await page.click(`text=Elastic Synthetics`); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/components/monitor_location_select.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/components/monitor_location_select.tsx index 9e2d864e720b0..6795341510f34 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/components/monitor_location_select.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/components/monitor_location_select.tsx @@ -52,7 +52,10 @@ export const MonitorLocationSelect = ({ return ''; } - if (monitorLocations.length > 1) { + const showSelection = + monitorLocations.length === 1 && monitorLocations[0].id !== selectedLocation?.id; + + if (monitorLocations.length > 1 || showSelection) { const button = ( {selectedLocation.label} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/date_picker/synthetics_date_picker.test.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/date_picker/synthetics_date_picker.test.tsx index 7040da99c39a3..5a417b511c119 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/date_picker/synthetics_date_picker.test.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/date_picker/synthetics_date_picker.test.tsx 
@@ -21,7 +21,7 @@ describe('SyntheticsDatePicker component', () => { it('renders properly with mock data', async () => { const { findByText } = render(); - expect(await findByText('Last 15 minutes')).toBeInTheDocument(); + expect(await findByText('Last 24 hours')).toBeInTheDocument(); expect(await findByText('Refresh')).toBeInTheDocument(); }); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/header/action_menu_content.test.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/header/action_menu_content.test.tsx index b672e732c791e..343c548385515 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/header/action_menu_content.test.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/header/action_menu_content.test.tsx @@ -14,7 +14,7 @@ describe('ActionMenuContent', () => { const { getByRole, getByText } = render(); const settingsAnchor = getByRole('link', { name: 'Navigate to the Uptime settings page' }); - expect(settingsAnchor.getAttribute('href')).toBe('/settings'); + expect(settingsAnchor.getAttribute('href')).toBe('/settings?dateRangeStart=now-24h'); expect(getByText('Settings')); }); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/error_details/error_details_page.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/error_details/error_details_page.tsx index 1545c5a1df10b..67bace31a8ef2 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/error_details/error_details_page.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/error_details/error_details_page.tsx 
@@ -26,7 +26,7 @@ export function ErrorDetailsPage() { const checkGroupId = failedTests?.[0]?.monitor.check_group ?? ''; - const { data, isFailed, failedStep, loading: stepsLoading } = useJourneySteps(checkGroupId); + const { data, isFailedStep, failedStep, loading: stepsLoading } = useJourneySteps(checkGroupId); const lastTestRun = failedTests?.[0]; @@ -61,7 +61,7 @@ export function ErrorDetailsPage() { {data?.details?.journey && failedStep && ( - + )} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_journey_steps.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_journey_steps.tsx index 75d6b623e34e0..bd3d45a0a59f0 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_journey_steps.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_journey_steps.tsx @@ -34,12 +34,6 @@ export const useJourneySteps = (checkGroup?: string, lastRefresh?: number) => { } }, [checkGroupId, dispatch, lastRefresh]); - const isFailed = - journeyData?.steps.some( - (step) => - step.synthetics?.step?.status === 'failed' || step.synthetics?.step?.status === 'skipped' - ) ?? false; - const stepEnds: JourneyStep[] = (journeyData?.steps ?? []).filter(isStepEnd); const failedStep = journeyData?.steps.find((step) => step.synthetics?.step?.status === 'failed'); const stepLabels = stepEnds.map((stepEnd) => stepEnd?.synthetics?.step?.name ?? ''); 
@@ -48,13 +42,17 @@ export const useJourneySteps = (checkGroup?: string, lastRefresh?: number) => { ? stepEnds.find((step) => step.synthetics?.step?.index === Number(stepIndex)) : undefined; + const isFailedStep = + failedStep?.synthetics?.step && failedStep.synthetics.step.index === Number(stepIndex); + return { data: journeyData as SyntheticsJourneyApiResponse, loading: loading ?? false, - isFailed, stepEnds, stepLabels, currentStep, failedStep, + isFailedStep, + isFailed: false, }; }; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/errors_tab_content.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/errors_tab_content.tsx index 87077c11eb5db..cc7ea08168ccc 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/errors_tab_content.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/errors_tab_content.tsx @@ -35,7 +35,7 @@ export const ErrorsTabContent = ({ <> - + {monitorId && ( @@ -61,11 +61,7 @@ export const ErrorsTabContent = ({ - - - - - + ); @@ -82,7 +78,3 @@ const OVERVIEW_LABEL = i18n.translate('xpack.synthetics.errors.overview', { const FAILED_TESTS_LABEL = i18n.translate('xpack.synthetics.errors.failedTests', { defaultMessage: 'Failed tests', }); - -const FAILED_TESTS_BY_STEPS_LABEL = i18n.translate('xpack.synthetics.errors.failedTests.byStep', { - defaultMessage: 'Failed tests by step', -}); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests.tsx index 1a192a4d7abf0..1af3a904197e9 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests.tsx 
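Review bot: `useJourneySteps` now returns `isFailed: false` as a constant, which tells any remaining caller that no journey ever failed. The computed `isFailed` was removed in the first hunk of this file, so the key should be dropped from the returned object as well, letting stale consumers fail type-checking instead of silently reading `false`. `isFailedStep` is also `undefined` rather than `false` when there is no failed step, because of the `&&`; `const isFailedStep = failedStep?.synthetics?.step?.index === Number(stepIndex);` always yields a boolean. The hook's body starts outside this hunk.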
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests.tsx @@ -9,6 +9,9 @@ import React from 'react'; import { useKibana } from '@kbn/kibana-react-plugin/public'; import { useParams } from 'react-router-dom'; import { i18n } from '@kbn/i18n'; +import moment from 'moment'; +import { EuiFlexGroup, EuiFlexItem, EuiHealth, EuiText } from '@elastic/eui'; +import { useUrlParams } from '../../../hooks'; import { useMonitorQueryId } from '../hooks/use_monitor_query_id'; import { ClientPluginsStart } from '../../../../../plugin'; @@ -21,28 +24,48 @@ export const MonitorFailedTests = ({ time }: { time: { to: string; from: string const { errorStateId } = useParams<{ errorStateId: string }>(); + const [, updateUrl] = useUrlParams(); + if (!monitorId && !errorStateId) { return null; } return ( - + + ]} + onBrushEnd={({ range }) => { + updateUrl({ + dateRangeStart: moment(range[0]).toISOString(), + dateRangeEnd: moment(range[1]).toISOString(), + }); + }} + /> + + + {FAILED_TESTS_LABEL} + + + + {BRUSH_LABEL} + + + + ); }; @@ -52,3 +75,7 @@ export const FAILED_TESTS_LABEL = i18n.translate( defaultMessage: 'Failed tests', } ); + +export const BRUSH_LABEL = i18n.translate('xpack.synthetics.monitorDetails.summary.brushArea', { + defaultMessage: 'Brush an area for higher fidelity', +}); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests_by_step.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests_by_step.tsx index 3f5b278fd3927..10c420e5e3da4 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests_by_step.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_details/monitor_errors/failed_tests_by_step.tsx 
@@ -6,42 +6,56 @@ */ import React, { Fragment } from 'react'; -import { EuiProgress, EuiSpacer, EuiLoadingContent } from '@elastic/eui'; +import { EuiProgress, EuiSpacer, EuiFlexItem, EuiLoadingContent } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; +import { PanelWithTitle } from '../../common/components/panel_with_title'; +import { useSelectedMonitor } from '../hooks/use_selected_monitor'; import { useFailedTestByStep } from '../hooks/use_failed_tests_by_step'; export const FailedTestsByStep = ({ time }: { time: { to: string; from: string } }) => { const { failedSteps, loading } = useFailedTestByStep(time); + const { monitor } = useSelectedMonitor(); + + if (monitor?.type !== 'browser') { + return null; + } + if (loading && !failedSteps) { return ; } return ( - <> - -
    - {failedSteps?.map((item) => ( - - - {i18n.translate('xpack.synthetics.monitorDetails.summary.failedTests.count', { - defaultMessage: 'Failed {count}', - values: { count: item.count }, - })} - - } - max={100} - color="danger" - size="l" - value={item.percent} - label={`${item.index}. ${item.name}`} - /> - - - ))} -
    - + + + +
    + {failedSteps?.map((item) => ( + + + {i18n.translate('xpack.synthetics.monitorDetails.summary.failedTests.count', { + defaultMessage: 'Failed {count}', + values: { count: item.count }, + })} + + } + max={100} + color="danger" + size="l" + value={item.percent} + label={`${item.index}. ${item.name}`} + /> + + + ))} +
    +
    +
    ); }; + +const FAILED_TESTS_BY_STEPS_LABEL = i18n.translate('xpack.synthetics.errors.failedTests.byStep', { + defaultMessage: 'Failed tests by step', +}); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_stats.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_stats.tsx index 853a627803fa1..71a52993ad6f7 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_stats.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_stats.tsx @@ -19,7 +19,6 @@ import { import { euiStyled } from '@kbn/kibana-react-plugin/common'; import { OverviewStatusState } from '../../../../../../../common/runtime_types'; -import { useSyntheticsRefreshContext } from '../../../../contexts/synthetics_refresh_context'; import * as labels from '../labels'; import { MonitorTestRunsCount } from './monitor_test_runs'; @@ -27,8 +26,6 @@ import { MonitorTestRunsSparkline } from './monitor_test_runs_sparkline'; export const MonitorStats = ({ status }: { status: OverviewStatusState | null }) => { const { euiTheme } = useEuiTheme(); - const { lastRefresh } = useSyntheticsRefreshContext(); - const to = new Date(lastRefresh).toISOString(); return ( <> @@ -67,9 +64,9 @@ export const MonitorStats = ({ status }: { status: OverviewStatusState | null }) - + - + diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_test_runs.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_test_runs.tsx index 5a6c3553e82be..8874690f0e0e5 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_test_runs.tsx 
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_stats/monitor_test_runs.tsx @@ -11,30 +11,25 @@ import { useKibana } from '@kbn/kibana-react-plugin/public'; import { useTheme } from '@kbn/observability-plugin/public'; import { ReportTypes } from '@kbn/observability-plugin/public'; +import { useAbsoluteDate } from '../../../../hooks'; import { ClientPluginsStart } from '../../../../../../plugin'; import * as labels from '../labels'; -interface MonitorCompleteCountProps { - from?: string; - to?: string; -} - -export const MonitorTestRunsCount = ({ - from = 'now-30d', - to = 'now', -}: MonitorCompleteCountProps) => { +export const MonitorTestRunsCount = () => { const { observability } = useKibana().services; const theme = useTheme(); const { ExploratoryViewEmbeddable } = observability; + const { from: absFrom, to: absTo } = useAbsoluteDate({ from: 'now-30d', to: 'now' }); + return ( { +export const MonitorTestRunsSparkline = () => { const { observability } = useKibana().services; const { ExploratoryViewEmbeddable } = observability; const theme = useTheme(); + const { from, to } = useAbsoluteDate({ from: 'now-30d', to: 'now' }); + return ( { const stepIndex = Number(stepIndexString); + const selectedLocation = useSelectedLocation(); + const { data: journey, stepEnds } = useJourneySteps(checkGroupId); const memoized = useMemo( @@ -35,7 +38,13 @@ export const useStepDetailPage = () => { const { basePath } = useSyntheticsSettingsContext(); const handleStepHref = (stepNo: number) => - `${basePath}/app/synthetics/monitor/${monitorId}/test-run/${checkGroupId}/step/${stepNo}`; + getStepDetailLink({ + basePath, + monitorId, + checkGroupId, + stepIndex: stepNo, + locationId: selectedLocation?.id, + }); return { checkGroupId, @@ -52,7 +61,7 @@ export const useStepDetailLink = ({ stepIndex, }: { checkGroupId?: string; - stepIndex: string; + stepIndex: number | string; }) => { const { basePath } = useSyntheticsSettingsContext(); 
@@ -60,9 +69,33 @@ export const useStepDetailLink = ({ monitorId: string; }>(); + const selectedLocation = useSelectedLocation(); + if (!checkGroupId) { return ''; } - return `${basePath}/app/synthetics/monitor/${monitorId}/test-run/${checkGroupId}/step/${stepIndex}`; + return getStepDetailLink({ + basePath, + stepIndex, + monitorId, + checkGroupId, + locationId: selectedLocation?.id, + }); +}; + +const getStepDetailLink = ({ + checkGroupId, + stepIndex, + basePath, + monitorId, + locationId, +}: { + checkGroupId: string; + locationId?: string; + stepIndex: number | string; + basePath: string; + monitorId: string; +}) => { + return `${basePath}/app/synthetics/monitor/${monitorId}/test-run/${checkGroupId}/step/${stepIndex}?locationId=${locationId}`; }; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/step_details_page/step_detail_page.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/step_details_page/step_detail_page.tsx index be8b695221f2b..33d3fc740eb81 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/step_details_page/step_detail_page.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/step_details_page/step_detail_page.tsx @@ -30,7 +30,7 @@ export const StepDetailPage = () => { useTrackPageview({ app: 'synthetics', path: 'stepDetail' }); useTrackPageview({ app: 'synthetics', path: 'stepDetail', delay: 15000 }); - const { data, isFailed, currentStep } = useJourneySteps(); + const { data, isFailedStep, currentStep } = useJourneySteps(); useStepDetailsBreadcrumbs(); @@ -62,7 +62,7 @@ export const StepDetailPage = () => { {data?.details?.journey && currentStep && ( - + )} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.test.ts b/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.test.ts index 64b7a8d32796a..c428d43babf68 100644 
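Review bot: `getStepDetailLink` interpolates `locationId` into the query string unconditionally and unencoded. Both callers pass `selectedLocation?.id`, so when no location is selected the link ends in `?locationId=undefined`, and an id containing reserved characters would change the query. Build the suffix only when a value is present and encode it, e.g. `const query = locationId ? '?locationId=' + encodeURIComponent(locationId) : '';`, then append `query` to the path. `monitorId` and `checkGroupId` are also placed in the path as-is; they appear to come from route params, so confirm they cannot carry `/`, `?` or `#`.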
--- a/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.test.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.test.ts @@ -8,6 +8,7 @@ import DateMath from '@kbn/datemath'; import { getSupportedUrlParams } from './get_supported_url_params'; import { CLIENT_DEFAULTS } from '../../../../../common/constants'; +import { CLIENT_DEFAULTS_SYNTHETICS } from '../../../../../common/constants/synthetics/client_defaults'; describe('getSupportedUrlParams', () => { let dateMathSpy: any; @@ -51,15 +52,9 @@ describe('getSupportedUrlParams', () => { }); it('returns default values', () => { - const { - AUTOREFRESH_INTERVAL, - AUTOREFRESH_IS_PAUSED, - DATE_RANGE_START, - DATE_RANGE_END, - FILTERS, - SEARCH, - STATUS_FILTER, - } = CLIENT_DEFAULTS; + const { AUTOREFRESH_INTERVAL, AUTOREFRESH_IS_PAUSED, FILTERS, SEARCH, STATUS_FILTER } = + CLIENT_DEFAULTS; + const { DATE_RANGE_START, DATE_RANGE_END } = CLIENT_DEFAULTS_SYNTHETICS; const result = getSupportedUrlParams({}); expect(result).toEqual({ absoluteDateRangeStart: MOCK_DATE_VALUE, diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.ts b/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.ts index b86a9437907fb..902b296e3db0e 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/utils/url_params/get_supported_url_params.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { CLIENT_DEFAULTS_SYNTHETICS } from '../../../../../common/constants/synthetics/client_defaults'; import { parseIsPaused } from './parse_is_paused'; import { parseUrlInt } from './parse_url_int'; import { CLIENT_DEFAULTS } from '../../../../../common/constants'; 
@@ -37,13 +38,13 @@ const { ABSOLUTE_DATE_RANGE_END, AUTOREFRESH_INTERVAL, AUTOREFRESH_IS_PAUSED, - DATE_RANGE_START, - DATE_RANGE_END, SEARCH, FILTERS, STATUS_FILTER, } = CLIENT_DEFAULTS; +const { DATE_RANGE_START, DATE_RANGE_END } = CLIENT_DEFAULTS_SYNTHETICS; + /** * Gets the current URL values for the application. If no item is present * for the URL, a default value is supplied. diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/adapters/framework/adapter_types.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/adapters/framework/adapter_types.ts index fc088e2097ddc..ec77b83977a09 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/adapters/framework/adapter_types.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/adapters/framework/adapter_types.ts @@ -28,7 +28,7 @@ import { MlPluginSetup as MlSetup } from '@kbn/ml-plugin/server'; import { RuleRegistryPluginSetupContract } from '@kbn/rule-registry-plugin/server'; import { SecurityPluginStart } from '@kbn/security-plugin/server'; import { CloudSetup } from '@kbn/cloud-plugin/server'; -import { SpacesPluginSetup } from '@kbn/spaces-plugin/server'; +import { SpacesPluginStart } from '@kbn/spaces-plugin/server'; import { FleetStartContract } from '@kbn/fleet-plugin/server'; import { BfetchServerSetup } from '@kbn/bfetch-plugin/server'; import { UptimeEsClient } from '../../lib'; @@ -54,7 +54,7 @@ export interface UptimeServerSetup { router: UptimeRouter; config: UptimeConfig; cloud?: CloudSetup; - spaces: SpacesPluginSetup; + spaces: SpacesPluginStart; fleet: FleetStartContract; security: SecurityPluginStart; savedObjectsClient?: SavedObjectsClientContract; @@ -76,7 +76,6 @@ export interface UptimeCorePluginsSetup { usageCollection: UsageCollectionSetup; ml: MlSetup; cloud?: CloudSetup; - spaces: SpacesPluginSetup; ruleRegistry: RuleRegistryPluginSetupContract; encryptedSavedObjects: EncryptedSavedObjectsPluginSetup; taskManager: TaskManagerSetupContract; 
@@ -90,4 +89,5 @@ export interface UptimeCorePluginsStart { encryptedSavedObjects: EncryptedSavedObjectsPluginStart; taskManager: TaskManagerStartContract; telemetry: TelemetryPluginStart; + spaces: SpacesPluginStart; } diff --git a/x-pack/plugins/synthetics/server/plugin.ts b/x-pack/plugins/synthetics/server/plugin.ts index 77ce0ec1eaf60..598fdd18b229b 100644 --- a/x-pack/plugins/synthetics/server/plugin.ts +++ b/x-pack/plugins/synthetics/server/plugin.ts @@ -86,7 +86,6 @@ export class Plugin implements PluginType { logger: this.logger, telemetry: this.telemetryEventsSender, isDev: this.initContext.env.mode.dev, - spaces: plugins.spaces, } as UptimeServerSetup; this.syntheticsService = new SyntheticsService(this.server); @@ -126,6 +125,7 @@ export class Plugin implements PluginType { this.server.fleet = pluginsStart.fleet; this.server.encryptedSavedObjects = pluginsStart.encryptedSavedObjects; this.server.savedObjectsClient = this.savedObjectsClient; + this.server.spaces = pluginsStart.spaces; } this.syntheticsService?.start(pluginsStart.taskManager); diff --git a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor.ts b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor.ts index 0ef04580e0681..0db555a4c48b1 100644 --- a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor.ts +++ b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor.ts @@ -58,8 +58,6 @@ export const addSyntheticsMonitorRoute: SyntheticsRestApiRouteFactory = () => ({ // usually id is auto generated, but this is useful for testing const { id } = request.query; - const spaceId = server.spaces.spacesService.getSpaceId(request); - const monitor: SyntheticsMonitor = request.body as SyntheticsMonitor; const monitorType = monitor[ConfigKey.MONITOR_TYPE]; const monitorWithDefaults = { 
@@ -79,6 +77,7 @@ export const addSyntheticsMonitorRoute: SyntheticsRestApiRouteFactory = () => ({
 );
 try {
+ const { id: spaceId } = await server.spaces.spacesService.getActiveSpace(request);
 const { errors, newMonitor } = await syncNewMonitor({
 normalizedMonitor: validationResult.decodedMonitor,
 server,
diff --git a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts
index 924666b21cd53..11dbe95952fef 100644
--- a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts
+++ b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts
@@ -41,7 +41,6 @@ export const addSyntheticsProjectMonitorRoute: SyntheticsRestApiRouteFactory = (
 const { projectName } = request.params;
 const decodedProjectName = decodeURI(projectName);
 const monitors = (request.body?.monitors as ProjectMonitor[]) || [];
- const spaceId = server.spaces.spacesService.getSpaceId(request);
 if (monitors.length > 250) {
 return response.badRequest({
@@ -52,6 +51,7 @@ export const addSyntheticsProjectMonitorRoute: SyntheticsRestApiRouteFactory = (
 }
 try {
+ const { id: spaceId } = await server.spaces.spacesService.getActiveSpace(request);
 const encryptedSavedObjectsClient = server.encryptedSavedObjects.getClient();
 const pushMonitorFormatter = new ProjectMonitorFormatter({
@@ -74,6 +74,11 @@ export const addSyntheticsProjectMonitorRoute: SyntheticsRestApiRouteFactory = (
 };
 } catch (error) {
 server.logger.error(`Error adding monitors to project ${decodedProjectName}`);
+ if (error.output.statusCode === 404) {
+ const spaceId = server.spaces.spacesService.getSpaceId(request);
+ return response.notFound({ body: { message: `Kibana space '${spaceId}' does not exist` } });
+ }
+
 throw error;
 }
 },
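Review bot: In the add_monitor_project.ts catch block, `error.output.statusCode` is read without guarding `output`. Any error that lacks an `output` property then raises a TypeError inside the catch and hides the original failure. The legacy route in this same commit already uses the guarded form, so this line should match it: `if (error?.output?.statusCode === 404) {`. The other handlers switched to `getActiveSpace` here (add_monitor.ts, delete_monitor.ts, delete_monitor_bulk.ts, edit_monitor.ts, add_param.ts) show no equivalent 404 branch in their hunks, so a request for a non-existent space presumably falls through to their generic error path; confirm that is intended. The handler bodies continue outside these hunks.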
diff --git a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project_legacy.ts b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project_legacy.ts
index f8f29e46c1fad..28fe5761a359f 100644
--- a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project_legacy.ts
+++ b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project_legacy.ts
@@ -39,9 +39,11 @@ export const addSyntheticsProjectMonitorRouteLegacy: SyntheticsStreamingRouteFac
 syntheticsMonitorClient,
 subject,
 }): Promise => {
+ const monitors = (request.body?.monitors as ProjectMonitor[]) || [];
+
 try {
- const monitors = (request.body?.monitors as ProjectMonitor[]) || [];
- const spaceId = server.spaces.spacesService.getSpaceId(request);
+ const { id: spaceId } = await server.spaces.spacesService.getActiveSpace(request);
+
 const { keep_stale: keepStale, project: projectId } = request.body || {};
 const { publicLocations, privateLocations } = await getAllLocations(
 server,
@@ -76,7 +78,13 @@ export const addSyntheticsProjectMonitorRouteLegacy: SyntheticsStreamingRouteFac
 failedStaleMonitors: pushMonitorFormatter.failedStaleMonitors,
 });
 } catch (error) {
- subject?.error(error);
+ if (error?.output?.statusCode === 404) {
+ const spaceId = server.spaces.spacesService.getSpaceId(request);
+ subject?.next(`Unable to create monitors. Kibana space '${spaceId}' does not exist.`);
+ subject?.next({ failedMonitors: monitors.map((m) => m.id) });
+ } else {
+ subject?.error(error);
+ }
 } finally {
 subject?.complete();
 }
diff --git a/x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts b/x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts
index d720306f357c6..f5007986d2508 100644
--- a/x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts
+++ b/x-pack/plugins/synthetics/server/routes/monitor_cruds/bulk_cruds/delete_monitor_bulk.ts
@@ -35,9 +35,9 @@ export const deleteMonitorBulk = async ({
 request: KibanaRequest;
 }) => {
 const { logger, telemetry, stackVersion } = server;
- const spaceId = server.spaces.spacesService.getSpaceId(request);
 try {
+ const { id: spaceId } = await server.spaces.spacesService.getActiveSpace(request);
 const deleteSyncPromise = syntheticsMonitorClient.deleteMonitors(
 monitors.map((normalizedMonitor) => ({
 ...normalizedMonitor.attributes,
diff --git a/x-pack/plugins/synthetics/server/routes/monitor_cruds/delete_monitor.ts b/x-pack/plugins/synthetics/server/routes/monitor_cruds/delete_monitor.ts
index c650587048998..0dca273c2613e 100644
--- a/x-pack/plugins/synthetics/server/routes/monitor_cruds/delete_monitor.ts
+++ b/x-pack/plugins/synthetics/server/routes/monitor_cruds/delete_monitor.ts
@@ -88,7 +88,6 @@ export const deleteMonitor = async ({
 request: KibanaRequest;
 }) => {
 const { logger, telemetry, stackVersion } = server;
- const spaceId = server.spaces.spacesService.getSpaceId(request);
 const { monitor, monitorWithSecret } = await getMonitorToDelete(
 monitorId,
@@ -96,6 +95,7 @@ export const deleteMonitor = async ({
 server
 );
 try {
+ const { id: spaceId } = await server.spaces.spacesService.getActiveSpace(request);
 const deleteSyncPromise = syntheticsMonitorClient.deleteMonitors(
 [
 {
diff --git a/x-pack/plugins/synthetics/server/routes/monitor_cruds/edit_monitor.ts b/x-pack/plugins/synthetics/server/routes/monitor_cruds/edit_monitor.ts
index fb20ca8c82de5..09b046b872ed6 100644
--- a/x-pack/plugins/synthetics/server/routes/monitor_cruds/edit_monitor.ts
+++ b/x-pack/plugins/synthetics/server/routes/monitor_cruds/edit_monitor.ts
@@ -56,9 +56,9 @@ export const editSyntheticsMonitorRoute: SyntheticsRestApiRouteFactory = () => ( const monitor = request.body as SyntheticsMonitor; const { monitorId } = request.params; - const spaceId = server.spaces.spacesService.getSpaceId(request); - try { + const { id: spaceId } = await server.spaces.spacesService.getActiveSpace(request); + const previousMonitor: SavedObject = await savedObjectsClient.get( syntheticsMonitorType, monitorId diff --git a/x-pack/plugins/synthetics/server/routes/settings/add_param.ts b/x-pack/plugins/synthetics/server/routes/settings/add_param.ts index 001967a754581..adb97493a51d8 100644 --- a/x-pack/plugins/synthetics/server/routes/settings/add_param.ts +++ b/x-pack/plugins/synthetics/server/routes/settings/add_param.ts @@ -27,8 +27,7 @@ export const addSyntheticsParamsRoute: SyntheticsRestApiRouteFactory = () => ({ writeAccess: true, handler: async ({ request, server, savedObjectsClient }): Promise => { const { namespaces, ...data } = request.body as SyntheticsParam; - - const spaceId = server.spaces.spacesService.getSpaceId(request); + const { id: spaceId } = await server.spaces.spacesService.getActiveSpace(request); const result = await savedObjectsClient.create(syntheticsParamType, data, { initialNamespaces: (namespaces ?? []).length > 0 ? namespaces : [spaceId], diff --git a/x-pack/plugins/synthetics/server/synthetics_service/service_api_client.test.ts b/x-pack/plugins/synthetics/server/synthetics_service/service_api_client.test.ts index 52056b77ae8b7..62a54db4460a6 100644 --- a/x-pack/plugins/synthetics/server/synthetics_service/service_api_client.test.ts +++ b/x-pack/plugins/synthetics/server/synthetics_service/service_api_client.test.ts 
@@ -200,7 +200,7 @@ describe('callAPI', () => { 'x-kibana-version': '8.7.0', }, httpsAgent: expect.objectContaining({ - options: { noDelay: true, rejectUnauthorized: true, path: null }, + options: { rejectUnauthorized: true, path: null }, }), method: 'POST', url: 'https://service.dev/monitors', @@ -213,7 +213,7 @@ describe('callAPI', () => { 'x-kibana-version': '8.7.0', }, httpsAgent: expect.objectContaining({ - options: { noDelay: true, rejectUnauthorized: true, path: null }, + options: { rejectUnauthorized: true, path: null }, }), method: 'POST', url: 'https://qa.service.elstc.co/monitors', @@ -226,7 +226,7 @@ describe('callAPI', () => { 'x-kibana-version': '8.7.0', }, httpsAgent: expect.objectContaining({ - options: { noDelay: true, rejectUnauthorized: true, path: null }, + options: { rejectUnauthorized: true, path: null }, }), method: 'POST', url: 'https://qa.service.stg.co/monitors', @@ -293,7 +293,6 @@ describe('callAPI', () => { httpsAgent: expect.objectContaining({ options: { rejectUnauthorized: true, - noDelay: true, path: null, cert: 'test-certificate', key: 'test-key', diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json index 7bc02c0c7cdf1..637865388ad51 100644 --- a/x-pack/plugins/translations/translations/fr-FR.json +++ b/x-pack/plugins/translations/translations/fr-FR.json 
@@ -2072,9 +2072,6 @@ "discover.fieldChooser.discoverField.addButtonAriaLabel": "Ajouter {field} au tableau", "discover.fieldChooser.discoverField.removeButtonAriaLabel": "Supprimer {field} du tableau", "discover.fieldChooser.fieldCalculator.fieldIsNotPresentInDocumentsErrorMessage": "Ce champ est présent dans votre mapping Elasticsearch, mais pas dans les {hitsLength} documents affichés dans le tableau des documents. Cependant, vous pouvez toujours le consulter ou effectuer une recherche dessus.", - "discover.fieldChooser.filter.fieldSelectorLabel": "Sélection des options du filtre {id}", - "discover.fieldNameDescription.dateRangeField": "Range of {dateFieldTypeLink} values. {viewSupportedDateFormatsLink}", - "discover.fieldNameDescription.versionField": "Versions des logiciels. Prend en charge les règles de priorité de {SemanticVersioningLink}.", "discover.grid.copyClipboardButtonTitle": "Copier la valeur de {column}", "discover.grid.copyColumnValuesToClipboard.toastTitle": "Valeurs de la colonne \"{column}\" copiées dans le presse-papiers", "discover.grid.filterForAria": "Filtrer sur cette {value}", @@ -2104,7 +2101,6 @@ "discover.advancedSettings.defaultColumnsText": "Les colonnes affichées par défaut dans l'application Discover. Si elles sont vides, un résumé du document s’affiche.", "discover.advancedSettings.defaultColumnsTitle": "Colonnes par défaut", "discover.advancedSettings.disableDocumentExplorer": "Explorateur de documents ou vue classique", - "discover.advancedSettings.discover.fieldNameDescription.versionFieldLinkText": "Gestion sémantique des versions", "discover.advancedSettings.discover.fieldStatisticsLinkText": "Vue des statistiques de champ", "discover.advancedSettings.discover.modifyColumnsOnSwitchText": "Supprimez les colonnes qui ne sont pas disponibles dans la nouvelle vue de données.", "discover.advancedSettings.discover.modifyColumnsOnSwitchTitle": "Modifier les colonnes en cas de changement des vues de données", 
@@ -2271,64 +2267,10 @@ "discover.fieldChooser.discoverField.value": "Valeur", "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForGeoFieldsErrorMessage": "L'analyse n'est pas disponible pour les champs géométriques.", "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForObjectFieldsErrorMessage": "L'analyse n'est pas disponible pour les champs d'objet.", - "discover.fieldChooser.fieldFilterButtonLabel": "Filtrer par type", "discover.fieldChooser.fieldsMobileButtonLabel": "Champs", - "discover.fieldChooser.filter.aggregatableLabel": "Regroupable", - "discover.fieldChooser.filter.filterByTypeLabel": "Filtrer par type", "discover.fieldChooser.filter.indexAndFieldsSectionAriaLabel": "Index et champs", - "discover.fieldChooser.filter.searchableLabel": "Interrogeable", - "discover.fieldChooser.filter.toggleButton.any": "tout", - "discover.fieldChooser.filter.toggleButton.no": "non", - "discover.fieldChooser.filter.toggleButton.yes": "oui", - "discover.fieldChooser.filter.typeLabel": "Type", - "discover.fieldChooser.popoverTitle": "Types de champ", - "discover.fieldChooser.searchPlaceHolder": "Rechercher les noms de champs", - "discover.fieldChooser.toggleFieldFilterButtonHideAriaLabel": "Masquer les paramètres de filtre de champs", - "discover.fieldChooser.toggleFieldFilterButtonShowAriaLabel": "Afficher les paramètres de filtre de champs", "discover.fieldList.flyoutBackIcon": "Retour", "discover.fieldList.flyoutHeading": "Liste des champs", - "discover.fieldNameDescription.booleanField": "Valeurs vraies ou fausses.", - "discover.fieldNameDescription.conflictField": "Le champ possède des valeurs de différents types. 
Corrigez le problème dans Gestion > Vues de données.", - "discover.fieldNameDescription.dateField": "Chaîne de date ou nombre de secondes ou de millisecondes depuis 1/1/1970.", - "discover.fieldNameDescription.dateRangeFieldLinkText": "date", - "discover.fieldNameDescription.geoPointField": "Points de latitude et de longitude.", - "discover.fieldNameDescription.geoShapeField": "Formes complexes, telles que des polygones.", - "discover.fieldNameDescription.histogramField": "Valeurs numériques pré-agrégées sous forme d'histogramme.", - "discover.fieldNameDescription.ipAddressField": "Adresses IPv4 et IPv6.", - "discover.fieldNameDescription.ipAddressRangeField": "Plage de valeurs IP prenant en charge les adresses IPv4 ou IPv6 (ou les 2).", - "discover.fieldNameDescription.keywordField": "Contenu structuré tel qu'un ID, une adresse e-mail, un nom d'hôte, un code de statut, ou une balise.", - "discover.fieldNameDescription.murmur3Field": "Champ qui calcule et stocke les hachages de valeurs.", - "discover.fieldNameDescription.nestedField": "Objet JSON qui conserve la relation entre ses sous-champs.", - "discover.fieldNameDescription.numberField": "Valeurs Long, Entier, Court, Octet, Double et Élément flottant.", - "discover.fieldNameDescription.stringField": "Texte intégral tel que le corps d'un e-mail ou la description d'un produit.", - "discover.fieldNameDescription.textField": "Texte intégral tel que le corps d'un e-mail ou la description d'un produit.", - "discover.fieldNameDescription.unknownField": "Champ inconnu", - "discover.fieldNameDescription.viewSupportedDateFormatsLinkText": "Affichez les formats de date pris en charge.", - "discover.fieldNameIcons.booleanAriaLabel": "Champ booléen", - "discover.fieldNameIcons.conflictFieldAriaLabel": "Champ conflictuel", - "discover.fieldNameIcons.dateFieldAriaLabel": "Champ de date", - "discover.fieldNameIcons.dateRangeFieldAriaLabel": "Champ de plage de dates", - "discover.fieldNameIcons.geoPointFieldAriaLabel": "Champ 
de point géographique", - "discover.fieldNameIcons.geoShapeFieldAriaLabel": "Champ de forme géométrique", - "discover.fieldNameIcons.histogramFieldAriaLabel": "Champ d'histogramme", - "discover.fieldNameIcons.ipAddressFieldAriaLabel": "Champ d'adresse IP", - "discover.fieldNameIcons.ipRangeFieldAriaLabel": "Champ de plage d’IP", - "discover.fieldNameIcons.keywordFieldAriaLabel": "Champ de mot-clé", - "discover.fieldNameIcons.murmur3FieldAriaLabel": "Champ Murmur3", - "discover.fieldNameIcons.nestedFieldAriaLabel": "Champ imbriqué", - "discover.fieldNameIcons.numberFieldAriaLabel": "Champ numérique", - "discover.fieldNameIcons.sourceFieldAriaLabel": "Champ source", - "discover.fieldNameIcons.stringFieldAriaLabel": "Champ de chaîne", - "discover.fieldNameIcons.textFieldAriaLabel": "Champ de texte", - "discover.fieldNameIcons.unknownFieldAriaLabel": "Champ inconnu", - "discover.fieldNameIcons.versionFieldAriaLabel": "Champ de version", - "discover.fieldTypesPopover.buttonAriaLabel": "Aide sur le type de filtre", - "discover.fieldTypesPopover.dataTypeColumnTitle": "Type de données", - "discover.fieldTypesPopover.descriptionColumnTitle": "Description", - "discover.fieldTypesPopover.fieldTypesDocLinkLabel": "types de champ", - "discover.fieldTypesPopover.iconTitle": "Aide sur le type de filtre", - "discover.fieldTypesPopover.learnMoreText": "Découvrez", - "discover.fieldTypesPopover.tableTitle": "Description des types de champ", "discover.grid.closePopover": "Fermer la fenêtre contextuelle", "discover.grid.copyClipboardButton": "Copier dans le presse-papiers", "discover.grid.copyColumnNameToClipboard.toastTitle": "Copié dans le presse-papiers", 
@@ -5162,9 +5104,6 @@ "unifiedFieldList.fieldStats.filterOutValueButtonAriaLabel": "Exclure le {field} : \"{value}\"", "unifiedFieldList.fieldStats.filterValueButtonAriaLabel": "Filtrer sur le {field} : \"{value}\"", "unifiedFieldList.fieldStats.noFieldDataInSampleDescription": "Aucune donnée de champ pour {sampledDocumentsFormatted} {sampledDocuments, plural, one {exemple d'enregistrement} other {exemples d'enregistrement}}.", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.deprecation": "Ce paramètre est déclassé et ne sera plus pris en charge à partir de la version 8.6.", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.description": "Lorsque cette option est activée, l’échantillonnage de document est utilisé pour déterminer l’existence des champs (disponibles ou vides) pour la liste de champs Lens au lieu de se fonder sur les mappings d’index.", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.title": "Utiliser l’échantillonnage d’existence des champs", "unifiedFieldList.fieldList.noFieldsCallout.noDataLabel": "Aucun champ.", "unifiedFieldList.fieldList.noFieldsCallout.noFields.extendTimeBullet": "Extension de la plage temporelle", "unifiedFieldList.fieldList.noFieldsCallout.noFields.fieldTypeFilterBullet": "Utilisation de différents filtres de champ", 
@@ -18191,7 +18130,6 @@ "xpack.lens.indexPattern.timeShiftSmallWarning": "{label} utilise un décalage temporel de {columnTimeShift} qui est inférieur à l'intervalle de l'histogramme des dates de {interval}. Pour éviter une non-correspondance des données, utilisez un multiple de {interval} comme décalage.", "xpack.lens.indexPattern.tsdbRollupWarning": "{label} utilise une fonction qui n'est pas prise en charge par les données cumulées. Sélectionnez une autre fonction ou modifiez la plage temporelle.", "xpack.lens.indexPattern.uniqueLabel": "{label} [{num}]", - "xpack.lens.indexPattern.useFieldExistenceSamplingBody": "L'échantillonnage d'existence des champs a été déclassé et sera retiré dans Kibana {version}. Vous pouvez désactiver cette fonctionnalité dans {link}.", "xpack.lens.indexPattern.valueCountOf": "Nombre de {name}", "xpack.lens.indexPatternSuggestion.removeLayerLabel": "Afficher uniquement {indexPatternTitle}", "xpack.lens.indexPatternSuggestion.removeLayerPositionLabel": "Afficher uniquement le calque {layerNumber}", 
@@ -18525,7 +18463,6 @@ "xpack.lens.indexPattern.advancedSettings": "Avancé", "xpack.lens.indexPattern.allFieldsForTextBasedLabelHelp": "Glissez-déposez les champs disponibles dans l’espace de travail et créez des visualisations. Pour modifier les champs disponibles, modifiez votre requête.", "xpack.lens.indexPattern.allFieldsLabelHelp": "Glissez-déposez les champs disponibles dans l’espace de travail et créez des visualisations. Pour modifier les champs disponibles, sélectionnez une vue de données différente, modifiez vos requêtes ou utilisez une plage temporelle différente. Certains types de champ ne peuvent pas être visualisés dans Lens, y compris les champ de texte intégral et champs géographiques.", - "xpack.lens.indexPattern.allFieldsSamplingLabelHelp": "Les champs disponibles contiennent les données des 500 premiers documents correspondant aux filtres. Pour afficher tous les filtres, développez les champs vides. Vous ne pouvez pas créer de visualisations avec des champs de texte intégral, géographiques, lissés et d’objet.", "xpack.lens.indexPattern.ascendingCountPrecisionErrorWarning.link": "veuillez consulter la documentation", "xpack.lens.indexPattern.availableFieldsLabel": "Champs disponibles", "xpack.lens.indexPattern.avg": "Moyenne", 
@@ -18592,7 +18529,6 @@ "xpack.lens.indexPattern.fieldStatsButtonEmptyLabel": "Ce champ ne comporte aucune donnée mais vous pouvez toujours effectuer un glisser-déposer pour visualiser.", "xpack.lens.indexPattern.fieldStatsButtonLabel": "Cliquez pour obtenir un aperçu du champ, ou effectuez un glisser-déposer pour visualiser.", "xpack.lens.indexPattern.fieldStatsNoData": "Lens ne peut pas créer de visualisation avec ce champ, car il ne contient pas de données. Pour créer une visualisation, glissez-déposez un autre champ.", - "xpack.lens.indexPattern.fieldStatsSamplingNoData": "Lens ne peut pas créer de visualisation avec ce champ, car il ne contient aucune donnée dans les 500 premiers documents correspondant aux filtres. Pour créer une visualisation, glissez-déposez un autre champ.", "xpack.lens.indexPattern.filterBy.clickToEdit": "Cliquer pour modifier", "xpack.lens.indexPattern.filterBy.emptyFilterQuery": "(vide)", "xpack.lens.indexPattern.filterBy.label": "Filtrer par", @@ -18792,7 +18728,6 @@ "xpack.lens.indexPattern.timeShift.year": "Il y a 1 an (1y)", "xpack.lens.indexPattern.timeShiftPlaceholder": "Saisissez des valeurs personnalisées (par ex. 8w)", "xpack.lens.indexPattern.useAsTopLevelAgg": "Agréger d'abord en fonction de cette dimension", - "xpack.lens.indexPattern.useFieldExistenceSampling.advancedSettings": "Paramètres avancés", "xpack.lens.label.gauge.labelMajor.header": "Titre", "xpack.lens.label.gauge.labelMinor.header": "Sous-titre", "xpack.lens.label.header": "Étiquette", 
@@ -26737,7 +26672,6 @@ "xpack.securitySolution.console.commandValidation.exclusiveOr": "Cette commande ne prend en charge qu'un seul des arguments suivants : {argNames}", "xpack.securitySolution.console.commandValidation.invalidArgValue": "Valeur d'argument non valide : {argName}. {error}", "xpack.securitySolution.console.commandValidation.missingRequiredArg": "Argument requis manquant : {argName}", - "xpack.securitySolution.console.commandValidation.mustHaveArgs": "Arguments requis manquants : {requiredArgs}", "xpack.securitySolution.console.commandValidation.unknownArgument": "{countOfInvalidArgs, plural, =1 {Argument} other {Arguments}} de {command} non pris en charge par cette commande : {unknownArgs}", "xpack.securitySolution.console.commandValidation.unsupportedArg": "Argument non pris en charge : {argName}", "xpack.securitySolution.console.sidePanel.helpDescription": "Utilisez le bouton Ajouter ({icon}) pour insérer une action de réponse dans la barre de texte. Le cas échéant, ajoutez des paramètres ou commentaires supplémentaires.", diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index f7737d7fcf9aa..eb9e2bb17df15 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json 
@@ -2070,9 +2070,6 @@ "discover.fieldChooser.discoverField.addButtonAriaLabel": "{field}を表に追加", "discover.fieldChooser.discoverField.removeButtonAriaLabel": "{field}を表から削除", "discover.fieldChooser.fieldCalculator.fieldIsNotPresentInDocumentsErrorMessage": "このフィールドはElasticsearchマッピングに表示されますが、ドキュメントテーブルの{hitsLength}件のドキュメントには含まれません。可視化や検索は可能な場合があります。", - "discover.fieldChooser.filter.fieldSelectorLabel": "{id}フィルターオプションの選択", - "discover.fieldNameDescription.dateRangeField": "{dateFieldTypeLink}値の範囲。{viewSupportedDateFormatsLink}", - "discover.fieldNameDescription.versionField": "ソフトウェアバージョン。{SemanticVersioningLink}優先度ルールをサポートします。", "discover.grid.copyClipboardButtonTitle": "{column}の値をコピー", "discover.grid.copyColumnValuesToClipboard.toastTitle": "\"{column}\"列の値がクリップボードにコピーされました", "discover.grid.filterForAria": "この{value}でフィルターを適用", @@ -2102,7 +2099,6 @@ "discover.advancedSettings.defaultColumnsText": "デフォルトでDiscoverアプリに表示される列。空の場合、ドキュメントの概要が表示されます。", "discover.advancedSettings.defaultColumnsTitle": "デフォルトの列", "discover.advancedSettings.disableDocumentExplorer": "ドキュメントエクスプローラーまたはクラシックビュー", - "discover.advancedSettings.discover.fieldNameDescription.versionFieldLinkText": "セマンティックバージョニング", "discover.advancedSettings.discover.fieldStatisticsLinkText": "フィールド統計情報ビュー", "discover.advancedSettings.discover.modifyColumnsOnSwitchText": "新しいデータビューで使用できない列を削除します。", "discover.advancedSettings.discover.modifyColumnsOnSwitchTitle": "データビューを変更するときに列を修正", 
@@ -2269,64 +2265,10 @@ "discover.fieldChooser.discoverField.value": "値", "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForGeoFieldsErrorMessage": "ジオフィールドは分析できません。", "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForObjectFieldsErrorMessage": "オブジェクトフィールドは分析できません。", - "discover.fieldChooser.fieldFilterButtonLabel": "タイプでフィルタリング", "discover.fieldChooser.fieldsMobileButtonLabel": "フィールド", - "discover.fieldChooser.filter.aggregatableLabel": "集約可能", - "discover.fieldChooser.filter.filterByTypeLabel": "タイプでフィルタリング", "discover.fieldChooser.filter.indexAndFieldsSectionAriaLabel": "インデックスとフィールド", - "discover.fieldChooser.filter.searchableLabel": "検索可能", - "discover.fieldChooser.filter.toggleButton.any": "すべて", - "discover.fieldChooser.filter.toggleButton.no": "いいえ", - "discover.fieldChooser.filter.toggleButton.yes": "はい", - "discover.fieldChooser.filter.typeLabel": "型", - "discover.fieldChooser.popoverTitle": "フィールド型", - "discover.fieldChooser.searchPlaceHolder": "検索フィールド名", - "discover.fieldChooser.toggleFieldFilterButtonHideAriaLabel": "フィールド設定を非表示", - "discover.fieldChooser.toggleFieldFilterButtonShowAriaLabel": "フィールド設定を表示", "discover.fieldList.flyoutBackIcon": "戻る", "discover.fieldList.flyoutHeading": "フィールドリスト", - "discover.fieldNameDescription.booleanField": "True および False 値。", - "discover.fieldNameDescription.conflictField": "フィールドには異なる型の値があります。[管理 > データビュー]で解決してください。", - "discover.fieldNameDescription.dateField": "日付文字列、または1/1/1970以降の秒またはミリ秒の数値。", - "discover.fieldNameDescription.dateRangeFieldLinkText": "日付", - "discover.fieldNameDescription.geoPointField": "緯度および経度点。", - "discover.fieldNameDescription.geoShapeField": "多角形などの複雑な図形。", - "discover.fieldNameDescription.histogramField": "ヒストグラムの形式の集計された数値。", - "discover.fieldNameDescription.ipAddressField": "IPv4およびIPv6アドレス。", - "discover.fieldNameDescription.ipAddressRangeField": "IPv4またはIPv6(または混合)のアドレスをサポートするIP値の範囲。", - "discover.fieldNameDescription.keywordField": 
"ID、電子メールアドレス、ホスト名、ステータスコード、タグなどの構造化されたコンテンツ。", - "discover.fieldNameDescription.murmur3Field": "値のハッシュタグを計算して格納するフィールド。", - "discover.fieldNameDescription.nestedField": "サブフィールド間の関係を保持するJSONオブジェクト。", - "discover.fieldNameDescription.numberField": "長整数、整数、短整数、バイト、倍精度浮動小数点数、浮動小数点数の値。", - "discover.fieldNameDescription.stringField": "電子メール本文や製品説明などの全文テキスト。", - "discover.fieldNameDescription.textField": "電子メール本文や製品説明などの全文テキスト。", - "discover.fieldNameDescription.unknownField": "不明なフィールド", - "discover.fieldNameDescription.viewSupportedDateFormatsLinkText": "サポートされている日付形式を表示します。", - "discover.fieldNameIcons.booleanAriaLabel": "ブールフィールド", - "discover.fieldNameIcons.conflictFieldAriaLabel": "矛盾フィールド", - "discover.fieldNameIcons.dateFieldAriaLabel": "日付フィールド", - "discover.fieldNameIcons.dateRangeFieldAriaLabel": "日付範囲フィールド", - "discover.fieldNameIcons.geoPointFieldAriaLabel": "地理ポイントフィールド", - "discover.fieldNameIcons.geoShapeFieldAriaLabel": "地理情報シェイプフィールド", - "discover.fieldNameIcons.histogramFieldAriaLabel": "ヒストグラムフィールド", - "discover.fieldNameIcons.ipAddressFieldAriaLabel": "IPアドレスフィールド", - "discover.fieldNameIcons.ipRangeFieldAriaLabel": "IP範囲フィールド", - "discover.fieldNameIcons.keywordFieldAriaLabel": "キーワードフィールド", - "discover.fieldNameIcons.murmur3FieldAriaLabel": "Murmur3フィールド", - "discover.fieldNameIcons.nestedFieldAriaLabel": "入れ子フィールド", - "discover.fieldNameIcons.numberFieldAriaLabel": "数値フィールド", - "discover.fieldNameIcons.sourceFieldAriaLabel": "ソースフィールド", - "discover.fieldNameIcons.stringFieldAriaLabel": "文字列フィールド", - "discover.fieldNameIcons.textFieldAriaLabel": "テキストフィールド", - "discover.fieldNameIcons.unknownFieldAriaLabel": "不明なフィールド", - "discover.fieldNameIcons.versionFieldAriaLabel": "バージョンフィールド", - "discover.fieldTypesPopover.buttonAriaLabel": "フィルタータイプのヘルプ", - "discover.fieldTypesPopover.dataTypeColumnTitle": "データ型", - "discover.fieldTypesPopover.descriptionColumnTitle": "説明", - "discover.fieldTypesPopover.fieldTypesDocLinkLabel": "フィールド型", - 
"discover.fieldTypesPopover.iconTitle": "フィルタータイプのヘルプ", - "discover.fieldTypesPopover.learnMoreText": "詳細", - "discover.fieldTypesPopover.tableTitle": "フィールド型の説明", "discover.grid.closePopover": "ポップオーバーを閉じる", "discover.grid.copyClipboardButton": "クリップボードにコピー", "discover.grid.copyColumnNameToClipboard.toastTitle": "クリップボードにコピーされました", @@ -5159,9 +5101,6 @@ "unifiedFieldList.fieldStats.filterOutValueButtonAriaLabel": "{field}を除外:\"{value}\"", "unifiedFieldList.fieldStats.filterValueButtonAriaLabel": "{field}を除外:\"{value}\"", "unifiedFieldList.fieldStats.noFieldDataInSampleDescription": "{sampledDocumentsFormatted}サンプル{sampledDocuments, plural, other {レコード}}のフィールドデータがありません。", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.deprecation": "この設定はサポートが終了し、8.6以降ではサポートされません。", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.description": "有効な場合、インデックスマッピングを使用するのではなく、ドキュメントサンプリングを使用して、Lensフィールドリストのフィールドの存在(使用可能または空)を決定します。", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.title": "フィールド存在サンプリングを使用", "unifiedFieldList.fieldList.noFieldsCallout.noDataLabel": "フィールドがありません。", "unifiedFieldList.fieldList.noFieldsCallout.noFields.extendTimeBullet": "時間範囲を拡張中", "unifiedFieldList.fieldList.noFieldsCallout.noFields.fieldTypeFilterBullet": "別のフィールドフィルターを使用", 
@@ -18171,7 +18110,6 @@ "xpack.lens.indexPattern.timeShiftSmallWarning": "{label}は{columnTimeShift}の時間シフトを使用しています。これは{interval}の日付ヒストグラム間隔よりも小さいです。不一致のデータを防止するには、時間シフトとして{interval}を使用します。", "xpack.lens.indexPattern.tsdbRollupWarning": "{label}は、ロールアップされたデータによってサポートされていない関数を使用しています。別の関数を選択するか、時間範囲を選択してください。", "xpack.lens.indexPattern.uniqueLabel": "{label} [{num}]", - "xpack.lens.indexPattern.useFieldExistenceSamplingBody": "フィールド存在サンプリングは廃止予定であり、Kibana {version}で削除される予定です。{link}でこの機能を無効化できます。", "xpack.lens.indexPattern.valueCountOf": "{name}のカウント", "xpack.lens.indexPatternSuggestion.removeLayerLabel": "{indexPatternTitle}のみを表示", "xpack.lens.indexPatternSuggestion.removeLayerPositionLabel": "レイヤー{layerNumber}のみを表示", @@ -18507,7 +18445,6 @@ "xpack.lens.indexPattern.advancedSettings": "高度な設定", "xpack.lens.indexPattern.allFieldsForTextBasedLabelHelp": "使用可能なフィールドをワークスペースまでドラッグし、ビジュアライゼーションを作成します。使用可能なフィールドを変更するには、クエリを編集します。", "xpack.lens.indexPattern.allFieldsLabelHelp": "使用可能なフィールドをワークスペースまでドラッグし、ビジュアライゼーションを作成します。使用可能なフィールドを変更するには、別のデータビューを選択するか、クエリを編集するか、別の時間範囲を使用します。一部のフィールドタイプは、完全なテキストおよびグラフィックフィールドを含む Lens では、ビジュアライゼーションできません。", - "xpack.lens.indexPattern.allFieldsSamplingLabelHelp": "使用可能なフィールドには、フィルターと一致する最初の 500 件のドキュメントのデータがあります。すべてのフィールドを表示するには、空のフィールドを展開します。全文、地理、フラット化、オブジェクトフィールドでビジュアライゼーションを作成できません。", "xpack.lens.indexPattern.ascendingCountPrecisionErrorWarning.link": "ドキュメントをご覧ください", "xpack.lens.indexPattern.availableFieldsLabel": "利用可能なフィールド", "xpack.lens.indexPattern.avg": "平均", 
@@ -18574,7 +18511,6 @@ "xpack.lens.indexPattern.fieldStatsButtonEmptyLabel": "このフィールドにはデータがありませんが、ドラッグアンドドロップで可視化できます。", "xpack.lens.indexPattern.fieldStatsButtonLabel": "フィールドプレビューを表示するには、クリックします。可視化するには、ドラッグアンドドロップします。", "xpack.lens.indexPattern.fieldStatsNoData": "Lensはこのフィールドのビジュアライゼーションを作成できません。フィールドにデータがありません。ビジュアライゼーションを作成するには、別のフィールドをドラッグします。", - "xpack.lens.indexPattern.fieldStatsSamplingNoData": "Lensはこのフィールドのビジュアライゼーションを作成できません。フィルターと一致する最初の500件のドキュメントではフィールドにデータがありません。ビジュアライゼーションを作成するには、別のフィールドをドラッグします。", "xpack.lens.indexPattern.filterBy.clickToEdit": "クリックして編集", "xpack.lens.indexPattern.filterBy.emptyFilterQuery": "(空)", "xpack.lens.indexPattern.filterBy.label": "フィルタリング条件", @@ -18774,7 +18710,6 @@ "xpack.lens.indexPattern.timeShift.year": "1年前(1y)", "xpack.lens.indexPattern.timeShiftPlaceholder": "カスタム値を入力(例:8w)", "xpack.lens.indexPattern.useAsTopLevelAgg": "最初にこのディメンションで集約", - "xpack.lens.indexPattern.useFieldExistenceSampling.advancedSettings": "高度な設定", "xpack.lens.label.gauge.labelMajor.header": "タイトル", "xpack.lens.label.gauge.labelMinor.header": "サブタイトル", "xpack.lens.label.header": "ラベル", @@ -26713,7 +26648,6 @@ "xpack.securitySolution.console.commandValidation.exclusiveOr": "このコマンドは次の引数のいずれかのみをサポートします:{argNames}", "xpack.securitySolution.console.commandValidation.invalidArgValue": "無効な引数値:{argName}。{error}", "xpack.securitySolution.console.commandValidation.missingRequiredArg": "不足している必須の引数:{argName}", - "xpack.securitySolution.console.commandValidation.mustHaveArgs": "不足している必須の引数:{requiredArgs}", "xpack.securitySolution.console.commandValidation.unknownArgument": "次の{command} {countOfInvalidArgs, plural, other {引数}}はこのコマンドでサポートされていません:{unknownArgs}", "xpack.securitySolution.console.commandValidation.unsupportedArg": "サポートされていない引数:{argName}", "xpack.securitySolution.console.sidePanel.helpDescription": "追加({icon})ボタンを使用して、テキストバーに対応アクションを入力します。必要に応じて、パラメーターまたはコメントを追加します。", 
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index 2cf614e7aedea..5468d9820cd69 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -2074,9 +2074,6 @@ "discover.fieldChooser.discoverField.addButtonAriaLabel": "将 {field} 添加到表中", "discover.fieldChooser.discoverField.removeButtonAriaLabel": "从表中移除 {field}", "discover.fieldChooser.fieldCalculator.fieldIsNotPresentInDocumentsErrorMessage": "此字段在您的 Elasticsearch 映射中,但不在文档表中显示的 {hitsLength} 个文档中。您可能仍能够基于它可视化或搜索。", - "discover.fieldChooser.filter.fieldSelectorLabel": "{id} 筛选选项的选择", - "discover.fieldNameDescription.dateRangeField": "{dateFieldTypeLink} 值的范围。{viewSupportedDateFormatsLink}", - "discover.fieldNameDescription.versionField": "软件版本。支持 {SemanticVersioningLink} 优先规则。", "discover.grid.copyClipboardButtonTitle": "复制 {column} 的值", "discover.grid.copyColumnValuesToClipboard.toastTitle": "“{column}”列的值已复制到剪贴板", "discover.grid.filterForAria": "筛留此 {value}", @@ -2106,7 +2103,6 @@ "discover.advancedSettings.defaultColumnsText": "Discover 应用中默认显示的列。如果为空,将显示文档摘要。", "discover.advancedSettings.defaultColumnsTitle": "默认列", "discover.advancedSettings.disableDocumentExplorer": "Document Explorer 或经典视图", - "discover.advancedSettings.discover.fieldNameDescription.versionFieldLinkText": "语义版本控制", "discover.advancedSettings.discover.fieldStatisticsLinkText": "字段统计信息视图", "discover.advancedSettings.discover.modifyColumnsOnSwitchText": "移除新数据视图中不存在的列。", "discover.advancedSettings.discover.modifyColumnsOnSwitchTitle": "在更改数据视图时修改列", 
@@ -2273,64 +2269,10 @@ "discover.fieldChooser.discoverField.value": "值", "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForGeoFieldsErrorMessage": "分析不适用于地理字段。", "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForObjectFieldsErrorMessage": "分析不适用于对象字段。", - "discover.fieldChooser.fieldFilterButtonLabel": "按类型筛选", "discover.fieldChooser.fieldsMobileButtonLabel": "字段", - "discover.fieldChooser.filter.aggregatableLabel": "可聚合", - "discover.fieldChooser.filter.filterByTypeLabel": "按类型筛选", "discover.fieldChooser.filter.indexAndFieldsSectionAriaLabel": "索引和字段", - "discover.fieldChooser.filter.searchableLabel": "可搜索", - "discover.fieldChooser.filter.toggleButton.any": "任意", - "discover.fieldChooser.filter.toggleButton.no": "否", - "discover.fieldChooser.filter.toggleButton.yes": "是", - "discover.fieldChooser.filter.typeLabel": "类型", - "discover.fieldChooser.popoverTitle": "字段类型", - "discover.fieldChooser.searchPlaceHolder": "搜索字段名称", - "discover.fieldChooser.toggleFieldFilterButtonHideAriaLabel": "隐藏字段筛选设置", - "discover.fieldChooser.toggleFieldFilterButtonShowAriaLabel": "显示字段筛选设置", "discover.fieldList.flyoutBackIcon": "返回", "discover.fieldList.flyoutHeading": "字段列表", - "discover.fieldNameDescription.booleanField": "True 和 False 值。", - "discover.fieldNameDescription.conflictField": "字体具有不同类型的值。在“管理”>“数据视图”中解析。", - "discover.fieldNameDescription.dateField": "日期字符串或 1/1/1970 以来的秒数或毫秒数。", - "discover.fieldNameDescription.dateRangeFieldLinkText": "日期", - "discover.fieldNameDescription.geoPointField": "纬度和经度点。", - "discover.fieldNameDescription.geoShapeField": "复杂形状,如多边形。", - "discover.fieldNameDescription.histogramField": "直方图形式的预聚合数字值。", - "discover.fieldNameDescription.ipAddressField": "IPv4 和 IPv6 地址。", - "discover.fieldNameDescription.ipAddressRangeField": "支持 IPv4 或 IPv6(或混合)地址的 IP 值的范围。", - "discover.fieldNameDescription.keywordField": "结构化内容,如 ID、电子邮件地址、主机名、状态代码或标签。", - "discover.fieldNameDescription.murmur3Field": "计算和存储值哈希的字段。", - 
"discover.fieldNameDescription.nestedField": "保留其子字段之间关系的 JSON 对象。", - "discover.fieldNameDescription.numberField": "长整型、整数、短整型、字节、双精度和浮点值。", - "discover.fieldNameDescription.stringField": "全文本,如电子邮件正文或产品描述。", - "discover.fieldNameDescription.textField": "全文本,如电子邮件正文或产品描述。", - "discover.fieldNameDescription.unknownField": "未知字段", - "discover.fieldNameDescription.viewSupportedDateFormatsLinkText": "查看支持的日期格式。", - "discover.fieldNameIcons.booleanAriaLabel": "布尔值字段", - "discover.fieldNameIcons.conflictFieldAriaLabel": "冲突字段", - "discover.fieldNameIcons.dateFieldAriaLabel": "日期字段", - "discover.fieldNameIcons.dateRangeFieldAriaLabel": "日期范围字段", - "discover.fieldNameIcons.geoPointFieldAriaLabel": "地理点字段", - "discover.fieldNameIcons.geoShapeFieldAriaLabel": "几何形状字段", - "discover.fieldNameIcons.histogramFieldAriaLabel": "直方图字段", - "discover.fieldNameIcons.ipAddressFieldAriaLabel": "IP 地址字段", - "discover.fieldNameIcons.ipRangeFieldAriaLabel": "IP 范围字段", - "discover.fieldNameIcons.keywordFieldAriaLabel": "关键字字段", - "discover.fieldNameIcons.murmur3FieldAriaLabel": "Murmur3 字段", - "discover.fieldNameIcons.nestedFieldAriaLabel": "嵌套字段", - "discover.fieldNameIcons.numberFieldAriaLabel": "数字字段", - "discover.fieldNameIcons.sourceFieldAriaLabel": "源字段", - "discover.fieldNameIcons.stringFieldAriaLabel": "字符串字段", - "discover.fieldNameIcons.textFieldAriaLabel": "文本字段", - "discover.fieldNameIcons.unknownFieldAriaLabel": "未知字段", - "discover.fieldNameIcons.versionFieldAriaLabel": "版本字段", - "discover.fieldTypesPopover.buttonAriaLabel": "筛选类型帮助", - "discover.fieldTypesPopover.dataTypeColumnTitle": "数据类型", - "discover.fieldTypesPopover.descriptionColumnTitle": "描述", - "discover.fieldTypesPopover.fieldTypesDocLinkLabel": "字段类型", - "discover.fieldTypesPopover.iconTitle": "筛选类型帮助", - "discover.fieldTypesPopover.learnMoreText": "详细了解", - "discover.fieldTypesPopover.tableTitle": "字段类型描述", "discover.grid.closePopover": "关闭弹出框", "discover.grid.copyClipboardButton": "复制到剪贴板", 
"discover.grid.copyColumnNameToClipboard.toastTitle": "已复制到剪贴板", @@ -5165,9 +5107,6 @@ "unifiedFieldList.fieldStats.filterOutValueButtonAriaLabel": "筛除 {field}:“{value}”", "unifiedFieldList.fieldStats.filterValueButtonAriaLabel": "筛留 {field}:“{value}”", "unifiedFieldList.fieldStats.noFieldDataInSampleDescription": "{sampledDocumentsFormatted} 个样例{sampledDocuments, plural, other {记录}}无字段数据。", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.deprecation": "此设置已过时,自 8.6 中起不再受支持。", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.description": "如果启用,文档采样将用于确定 Lens 字段列表中的字段是否存在(可用或为空),而不依赖索引映射。", - "unifiedFieldList.advancedSettings.useFieldExistenceSampling.title": "使用字段存在采样", "unifiedFieldList.fieldList.noFieldsCallout.noDataLabel": "无字段。", "unifiedFieldList.fieldList.noFieldsCallout.noFields.extendTimeBullet": "延伸时间范围", "unifiedFieldList.fieldList.noFieldsCallout.noFields.fieldTypeFilterBullet": "使用不同的字段筛选", @@ -18196,7 +18135,6 @@ "xpack.lens.indexPattern.timeShiftSmallWarning": "{label} 使用的时间偏移 {columnTimeShift} 小于 Date Histogram 时间间隔 {interval} 。要防止数据不匹配,请使用 {interval} 的倍数作为时间偏移。", "xpack.lens.indexPattern.tsdbRollupWarning": "{label} 使用的函数不受汇总/打包数据支持。请选择其他函数,或更改时间范围。", "xpack.lens.indexPattern.uniqueLabel": "{label} [{num}]", - "xpack.lens.indexPattern.useFieldExistenceSamplingBody": "字段存在采样已过时,将在 Kibana {version} 中移除。您可以在 {link} 中禁用此功能。", "xpack.lens.indexPattern.valueCountOf": "{name} 的计数", "xpack.lens.indexPatternSuggestion.removeLayerLabel": "仅显示 {indexPatternTitle}", "xpack.lens.indexPatternSuggestion.removeLayerPositionLabel": "仅显示图层 {layerNumber}", 
@@ -18532,7 +18470,6 @@ "xpack.lens.indexPattern.advancedSettings": "高级", "xpack.lens.indexPattern.allFieldsForTextBasedLabelHelp": "将可用字段拖放到工作区并创建可视化。要更改可用字段,请编辑您的查询。", "xpack.lens.indexPattern.allFieldsLabelHelp": "将可用字段拖放到工作区并创建可视化。要更改可用字段,请选择不同数据视图,编辑您的查询或使用不同时间范围。一些字段类型无法在 Lens 中可视化,包括全文本字段和地理字段。", - "xpack.lens.indexPattern.allFieldsSamplingLabelHelp": "可用字段包含与您的筛选匹配的前 500 个文档中的数据。要查看所有字段,请展开空字段。无法使用全文本、地理、扁平和对象字段创建可视化。", "xpack.lens.indexPattern.ascendingCountPrecisionErrorWarning.link": "访问文档", "xpack.lens.indexPattern.availableFieldsLabel": "可用字段", "xpack.lens.indexPattern.avg": "平均值", @@ -18599,7 +18536,6 @@ "xpack.lens.indexPattern.fieldStatsButtonEmptyLabel": "此字段不包含任何数据,但您仍然可以拖放以进行可视化。", "xpack.lens.indexPattern.fieldStatsButtonLabel": "单击以进行字段预览,或拖放以进行可视化。", "xpack.lens.indexPattern.fieldStatsNoData": "Lens 无法使用此字段创建可视化,因为其中未包含数据。要创建可视化,请拖放其他字段。", - "xpack.lens.indexPattern.fieldStatsSamplingNoData": "Lens 无法使用此字段创建可视化,因为其中未包含与您的筛选匹配的前 500 个文档中的数据。要创建可视化,请拖放其他字段。", "xpack.lens.indexPattern.filterBy.clickToEdit": "单击以编辑", "xpack.lens.indexPattern.filterBy.emptyFilterQuery": "(空)", "xpack.lens.indexPattern.filterBy.label": "筛选依据", @@ -18799,7 +18735,6 @@ "xpack.lens.indexPattern.timeShift.year": "1 年前 (1y)", "xpack.lens.indexPattern.timeShiftPlaceholder": "键入定制值(如 8w)", "xpack.lens.indexPattern.useAsTopLevelAgg": "首先按此维度聚合", - "xpack.lens.indexPattern.useFieldExistenceSampling.advancedSettings": "高级设置", "xpack.lens.label.gauge.labelMajor.header": "标题", "xpack.lens.label.gauge.labelMinor.header": "子标题", "xpack.lens.label.header": "标签", 
@@ -26745,7 +26680,6 @@ "xpack.securitySolution.console.commandValidation.exclusiveOr": "此命令只支持以下参数之一:{argNames}", "xpack.securitySolution.console.commandValidation.invalidArgValue": "无效的参数值:{argName}。{error}", "xpack.securitySolution.console.commandValidation.missingRequiredArg": "缺少所需参数:{argName}", - "xpack.securitySolution.console.commandValidation.mustHaveArgs": "缺少所需参数:{requiredArgs}", "xpack.securitySolution.console.commandValidation.unknownArgument": "此命令不支持以下 {command} {countOfInvalidArgs, plural, other {参数}}:{unknownArgs}", "xpack.securitySolution.console.commandValidation.unsupportedArg": "不支持的参数:{argName}", "xpack.securitySolution.console.sidePanel.helpDescription": "使用添加 ({icon}) 按钮将响应操作填充到文本栏。在必要时添加其他参数或注释。", diff --git a/x-pack/test/api_integration/apis/management/index_management/indices.js b/x-pack/test/api_integration/apis/management/index_management/indices.js index b617a1ba14f4a..26dd64aeffda3 100644 --- a/x-pack/test/api_integration/apis/management/index_management/indices.js +++ b/x-pack/test/api_integration/apis/management/index_management/indices.js @@ -33,15 +33,10 @@ export default function ({ getService }) { clearCache, } = registerHelpers({ supertest }); - // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/145022 - describe.skip('indices', () => { + describe('indices', () => { after(() => Promise.all([cleanUpEsResources()])); describe('clear cache', () => { - it('should clear the cache on all indices', async () => { - await clearCache('*').expect(200); - }); - it('should clear the cache on a single index', async () => { const index = await createIndex(); await clearCache(index).expect(200); diff --git a/x-pack/test/api_integration/apis/synthetics/add_monitor_project.ts b/x-pack/test/api_integration/apis/synthetics/add_monitor_project.ts index f3920d78588f3..0ac7d13808a2a 100644 --- a/x-pack/test/api_integration/apis/synthetics/add_monitor_project.ts +++ b/x-pack/test/api_integration/apis/synthetics/add_monitor_project.ts 
@@ -99,6 +99,20 @@ export default function ({ getService }: FtrProviderContext) {
 });
 });
+ it('project monitors - returns 404 for non-existing spaces', async () => {
+ const project = `test-project-${uuidv4()}`;
+ await supertest
+ .put(
+ `/s/i_dont_exist${API_URLS.SYNTHETICS_MONITORS_PROJECT_UPDATE.replace(
+ '{projectName}',
+ project
+ )}`
+ )
+ .set('kbn-xsrf', 'true')
+ .send(projectMonitors)
+ .expect(404);
+ });
+
 it('project monitors - handles browser monitors', async () => {
 const successfulMonitors = [projectMonitors.monitors[0]];
 const project = `test-project-${uuidv4()}`;
diff --git a/x-pack/test/api_integration/apis/synthetics/add_monitor_project_legacy.ts b/x-pack/test/api_integration/apis/synthetics/add_monitor_project_legacy.ts
index c3a48d22da1c5..ff0c1bbf0f9a1 100644
--- a/x-pack/test/api_integration/apis/synthetics/add_monitor_project_legacy.ts
+++ b/x-pack/test/api_integration/apis/synthetics/add_monitor_project_legacy.ts
@@ -559,6 +559,19 @@ export default function ({ getService }: FtrProviderContext) {
 }
 });
+ it('project monitors - returns error if the space does not exist', async () => {
+ const messages = await parseStreamApiResponse(
+ kibanaServerUrl + '/s/i_dont_exist' + API_URLS.SYNTHETICS_MONITORS_PROJECT_LEGACY,
+ JSON.stringify(projectMonitors)
+ );
+
+ expect(messages).to.have.length(2);
+ expect(messages[0]).to.equal(
+ "Unable to create monitors. Kibana space 'i_dont_exist' does not exist."
+ );
+ expect(messages[1].failedMonitors).to.eql(projectMonitors.monitors.map((m) => m.id));
+ });
+
 it('project monitors - returns a list of successfully updated monitors', async () => {
 try {
 await supertest
diff --git a/x-pack/test/cases_api_integration/security_and_spaces/tests/trial/internal/get_connectors.ts b/x-pack/test/cases_api_integration/security_and_spaces/tests/trial/internal/get_connectors.ts
index e4bea7009bf3e..3d1b59a2018ab 100644
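Review bot: The new 'returns 404 for non-existing spaces' test stops at `.expect(404)`, so it would still pass if the route saved monitors into an existing space before rejecting the request. Because this exercises a space boundary, I would follow the request with a lookup of the project's monitors in the default space and assert that it comes back empty; the lookup helper is not visible in this hunk, so reuse whatever the neighbouring tests use. The same gap applies to the `@@ -559,6 +559,19 @@` hunk in add_monitor_project_legacy.ts, which checks the streamed error message and `failedMonitors` but not that nothing was persisted. If the extra assertion is out of scope, at least record it with a comment such as `// only the response is asserted; that no monitor was saved in another space is not checked here`.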
--- a/x-pack/test/cases_api_integration/security_and_spaces/tests/trial/internal/get_connectors.ts
+++ b/x-pack/test/cases_api_integration/security_and_spaces/tests/trial/internal/get_connectors.ts
@@ -145,7 +145,7 @@ export default ({ getService }: FtrProviderContext): void => {
 urgency: '2',
 });
- expect(snConnector.needsToBePushed).to.be(false);
+ expect(snConnector.push.needsToBePushed).to.be(false);
 expect(snConnector.name).to.be('ServiceNow Connector');
 expect(snConnector.id).to.be(connector.id);
 });
@@ -232,6 +232,92 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 describe('push', () => {
+ describe('externalService', () => {
+ it('sets externalService field to the most recent push info', async () => {
+ const { postedCase, connector } = await createCaseWithConnector({
+ supertest,
+ serviceNowSimulatorURL,
+ actionsRemover,
+ });
+
+ await pushCase({
+ supertest,
+ caseId: postedCase.id,
+ connectorId: connector.id,
+ });
+
+ const pachedCase = await createComment({
+ supertest,
+ caseId: postedCase.id,
+ params: postCommentUserReq,
+ });
+
+ const serviceNow2 = await createConnector({
+ supertest,
+ req: {
+ ...getServiceNowConnector(),
+ name: 'ServiceNow 2 Connector',
+ config: { apiUrl: serviceNowSimulatorURL },
+ },
+ });
+
+ actionsRemover.add('default', serviceNow2.id, 'action', 'actions');
+
+ // change to serviceNow2 connector
+ await updateCase({
+ supertest,
+ params: {
+ cases: [
+ {
+ id: pachedCase.id,
+ version: pachedCase.version,
+ connector: {
+ id: serviceNow2.id,
+ name: 'ServiceNow 2 Connector',
+ type: ConnectorTypes.serviceNowITSM,
+ fields: {
+ urgency: '2',
+ impact: '2',
+ severity: '2',
+ category: 'software',
+ subcategory: 'os',
+ },
+ },
+ },
+ ],
+ },
+ });
+
+ await pushCase({
+ supertest,
+ caseId: pachedCase.id,
+ connectorId: serviceNow2.id,
+ });
+
+ const [userActions, connectors] = await Promise.all([
+ getCaseUserActions({ supertest, caseID: postedCase.id }),
+ getConnectors({ caseId: postedCase.id, supertest }),
+ ]);
+
+ const pushes = userActions.filter((ua) => ua.type === ActionTypes.pushed);
+ const latestPush = pushes[pushes.length - 1];
+
+ expect(Object.keys(connectors).length).to.be(2);
+ expect(connectors[serviceNow2.id].push.latestUserActionPushDate).to.eql(
+ latestPush.created_at
+ );
+ expect(connectors[serviceNow2.id].push.externalService?.connector_id).to.eql(
+ serviceNow2.id
+ );
+ expect(connectors[serviceNow2.id].push.externalService?.connector_name).to.eql(
+ serviceNow2.name
+ );
+ expect(connectors[serviceNow2.id].push.externalService?.connector_name).to.not.eql(
+ connector.name
+ );
+ });
+ });
+
 describe('latestPushDate', () => {
 it('does not set latestPushDate or oldestPushDate when the connector has not been used to push', async () => {
 const { postedCase, connector } = await createCaseWithConnector({
@@ -244,8 +330,8 @@ export default ({ getService }: FtrProviderContext): void => {
 expect(Object.keys(connectors).length).to.be(1);
 expect(connectors).to.have.property(connector.id);
- expect(connectors[connector.id].latestPushDate).to.be(undefined);
- expect(connectors[connector.id].oldestPushDate).to.be(undefined);
+ expect(connectors[connector.id].push.latestUserActionPushDate).to.be(undefined);
+ expect(connectors[connector.id].push.oldestUserActionPushDate).to.be(undefined);
 });
 it('sets latestPushDate to the most recent push date and oldestPushDate to the first push date', async () => {
@@ -283,8 +369,12 @@ export default ({ getService }: FtrProviderContext): void => {
 const latestPush = pushes[pushes.length - 1];
 expect(Object.keys(connectors).length).to.be(1);
- expect(connectors[connector.id].latestPushDate).to.eql(latestPush.created_at);
- expect(connectors[connector.id].oldestPushDate).to.eql(oldestPush.created_at);
+ expect(connectors[connector.id].push.latestUserActionPushDate).to.eql(
+ latestPush.created_at
+ );
+ expect(connectors[connector.id].push.oldestUserActionPushDate).to.eql(
+ oldestPush.created_at
+ );
 });
 });
@@ -299,7 +389,7 @@ export default ({ getService }: FtrProviderContext): void => {
 const connectors = await getConnectors({ caseId: postedCase.id, supertest });
 expect(Object.keys(connectors).length).to.be(1);
- expect(connectors[connector.id].hasBeenPushed).to.be(false);
+ expect(connectors[connector.id].push.hasBeenPushed).to.be(false);
 });
 it('sets hasBeenPushed to true when the connector was used to push', async () => {
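Review bot: The 'sets externalService field to the most recent push info' test asserts only on `connectors[serviceNow2.id]`, so nothing checks that the first connector still reports its own push record after the case moves to the second connector. Assuming the endpoint returns a per-connector `externalService` (the hunk does not show the response shape), I would add `expect(connectors[connector.id].push.externalService?.connector_id).to.eql(connector.id);`. The closing `.to.not.eql(connector.name)` is already implied by the preceding `.to.eql(serviceNow2.name)` and, because of the `?.`, would pass on `undefined` if it ever stood alone. `pachedCase` looks like a typo for `patchedCase`. The enclosing `describe('push', ...)` block continues outside this hunk.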
@@ -318,7 +408,7 @@ export default ({ getService }: FtrProviderContext): void => {
 const connectors = await getConnectors({ caseId: postedCase.id, supertest });
 expect(Object.keys(connectors).length).to.be(1);
- expect(connectors[connector.id].hasBeenPushed).to.be(true);
+ expect(connectors[connector.id].push.hasBeenPushed).to.be(true);
 });
 });
@@ -334,7 +424,7 @@ export default ({ getService }: FtrProviderContext): void => {
 expect(Object.keys(connectors).length).to.be(1);
 expect(connectors[connector.id].id).to.be(connector.id);
- expect(connectors[connector.id].needsToBePushed).to.be(true);
+ expect(connectors[connector.id].push.needsToBePushed).to.be(true);
 });
 it('sets needs to push to false when a push has occurred', async () => {
@@ -354,7 +444,7 @@ export default ({ getService }: FtrProviderContext): void => {
 expect(Object.keys(connectors).length).to.be(1);
 expect(connectors[connector.id].id).to.be(connector.id);
- expect(connectors[connector.id].needsToBePushed).to.be(false);
+ expect(connectors[connector.id].push.needsToBePushed).to.be(false);
 });
 it('sets needs to push to true when a comment was created after the last push', async () => {
@@ -380,7 +470,7 @@ export default ({ getService }: FtrProviderContext): void => {
 expect(Object.keys(connectors).length).to.be(1);
 expect(connectors[connector.id].id).to.be(connector.id);
- expect(connectors[connector.id].needsToBePushed).to.be(true);
+ expect(connectors[connector.id].push.needsToBePushed).to.be(true);
 });
 it('sets needs to push to false when the severity of a case was changed after the last push', async () => {
@@ -413,7 +503,7 @@ export default ({ getService }: FtrProviderContext): void => { expect(Object.keys(connectors).length).to.be(1); expect(connectors[connector.id].id).to.be(connector.id); - expect(connectors[connector.id].needsToBePushed).to.be(false); + expect(connectors[connector.id].push.needsToBePushed).to.be(false); }); it('sets needs to push to false the service now connector and true for jira', async () => { @@ -461,9 +551,9 @@ export default ({ getService }: FtrProviderContext): void => { expect(Object.keys(connectors).length).to.be(2); expect(connectors[serviceNowConnector.id].id).to.be(serviceNowConnector.id); - expect(connectors[serviceNowConnector.id].needsToBePushed).to.be(false); + expect(connectors[serviceNowConnector.id].push.needsToBePushed).to.be(false); expect(connectors[jiraConnector.id].id).to.be(jiraConnector.id); - expect(connectors[jiraConnector.id].needsToBePushed).to.be(true); + expect(connectors[jiraConnector.id].push.needsToBePushed).to.be(true); }); describe('changing connector fields', () => { @@ -564,7 +654,7 @@ export default ({ getService }: FtrProviderContext): void => { expect(Object.keys(connectors).length).to.be(1); expect(connectors[serviceNowConnector.id].id).to.be(serviceNowConnector.id); - expect(connectors[serviceNowConnector.id].needsToBePushed).to.be(false); + expect(connectors[serviceNowConnector.id].push.needsToBePushed).to.be(false); }); it('sets needs to push to true when the latest connector fields do not match those used in the push', async () => { @@ -609,7 +699,7 @@ export default ({ getService }: FtrProviderContext): void => { expect(Object.keys(connectors).length).to.be(1); expect(connectors[serviceNowConnector.id].id).to.be(serviceNowConnector.id); - expect(connectors[serviceNowConnector.id].needsToBePushed).to.be(true); + expect(connectors[serviceNowConnector.id].push.needsToBePushed).to.be(true); }); }); }); 
diff --git a/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/default_space.json b/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/default_space.json new file mode 100644 index 0000000000000..2591ad96d87a3 --- /dev/null +++ b/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/default_space.json 
@@ -0,0 +1,142 @@ +{ + "id": "tag-1", + "type": "tag", + "attributes": { + "name": "tag-1", + "description": "My first tag!", + "color": "#FF00FF" + }, + "references": [], + "updated_at": "2021-06-17T18:57:58.076Z" +} + +{ + "id": "tag-2", + "type": "tag", + "attributes": { + "name": "tag-2", + "description": "Another awesome tag", + "color": "#123456" + }, + "references": [], + "updated_at": "2021-06-17T18:57:58.076Z" +} + +{ + "id": "tag-3", + "type": "tag", + "attributes": { + "name": "tag-3", + "description": "Last but not least", + "color": "#000000" + }, + "references": [], + "updated_at": "2021-06-17T18:57:58.076Z" +} + +{ + "id": "logstash-*", + "type": "index-pattern", + "attributes": { + "fieldFormatMap": "{\"bytes\":{\"id\":\"bytes\"}}", + "fields": "[{\"name\":\"referer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.og:image:width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.og:type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"xss.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"headings.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"meta.user.lastname\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.article:tag.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\
"analyzed\":false,\"doc_values\":true},{\"name\":\"geo.dest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.twitter:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.article:section.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"utc_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.twitter:card\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"meta.char\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"clientip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:image:height\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"machine.ram\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"links\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"@tags.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"phpmemory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.twitter:card.raw\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.article:modified_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.og:site_name.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"request.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.article:tag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"agent.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"spaces\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.twitter:site.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"headings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"relatedContent.og:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"index.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"relatedContent.twitter:site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.twitter:description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.og:url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"geo.coordinates\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"meta.related\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.twitter:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:title.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"response.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":f
alse,\"doc_values\":true},{\"name\":\"@message.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"machine.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.article:section\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.og:url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"xss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"links.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"geo.srcdest\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"url.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"extension.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"machine.os.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"@tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"host.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:type.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"geo.src\",\"type\":\"string\",\"count\":0,\"
scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"spaces.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:image:height.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.twitter:description.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:site_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.twitter:title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"@message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.twitter:image.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"meta.user.firstname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"relatedContent.og:image:width.raw\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.og:description.raw\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"relatedContent.article:published_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false}]", + "timeFieldName": "@timestamp", + "title": "logstash-*" + }, + "references": [], + "updated_at": "2021-06-17T18:57:58.076Z" +} + +{ + "id": "vis-area-1", + "type": "visualization", + "attributes": { + "title": "Visualization 1 (tag-1)", + "description": "AreaChart", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" + }, + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Visualization AreaChart\",\"type\":\"area\"}" + }, + "references": [ + { + "type": "tag", + "id": "tag-1", + "name": "tag-1-ref" + } + ], + "updated_at": "2021-06-17T18:57:58.076Z" +} + +{ + "id": "vis-area-2", + "type": "visualization", + "attributes": { + "title": "Visualization 2 (tag-2)", + "description": "AreaChart", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" + }, + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Visualization AreaChart\",\"type\":\"area\"}" + }, + "references": [ + { + "type": "tag", + "id": "tag-2", + "name": "tag-2-ref" + } + ], + "updated_at": "2021-06-17T18:57:58.076Z" +} + +{ + "id": "vis-area-3", + "type": "visualization", + "attributes": { + "title": "Visualization 3 (tag-1 + 
tag-3)", + "description": "AreaChart", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" + }, + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Visualization AreaChart\",\"type\":\"area\"}" + }, + "references": [ + { "type": "tag", + "id": "tag-1", + "name": "tag-1-ref" + }, + { "type": "tag", + "id": "tag-3", + "name": "tag-3-ref" + } + ], + "updated_at": "2021-06-17T18:57:58.076Z" +} + +{ + "id": "vis-area-4", + "type": "visualization", + "attributes": { + "title": "Visualization 4 (tag-2)", + "description": "AreaChart", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" + }, + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Visualization AreaChart\",\"type\":\"area\"}" + }, + "references": [ + { "type": "tag", + "id": "tag-2", + "name": "tag-2-ref" + } + ], + "updated_at": "2021-06-17T18:57:58.076Z" +} diff --git a/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/space_1.json b/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/space_1.json new file mode 100644 index 0000000000000..2706fcf932108 --- /dev/null +++ b/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/space_1.json @@ -0,0 +1,11 @@ +{ + "id": "space_1-tag-3", + "type": "tag", + "attributes": { + "name": "tag-3", + "description": "Tag 3 in space 1", + "color": "#117744" + }, + "references": [], + "updated_at": "2021-06-17T18:57:58.076Z" +} diff --git a/x-pack/test/ftr_apis/common/lib/authentication.ts b/x-pack/test/ftr_apis/common/lib/authentication.ts new file mode 100644 index 0000000000000..7f4802ecfb372 --- /dev/null +++ b/x-pack/test/ftr_apis/common/lib/authentication.ts 
@@ -0,0 +1,243 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const ROLES = { + KIBANA_RBAC_DEFAULT_SPACE_READ_USER: { + name: 'kibana_rbac_default_space_read_user', + privileges: { + kibana: [ + { + base: ['read'], + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_WRITE_USER: { + name: 'kibana_rbac_default_space_write_user', + privileges: { + kibana: [ + { + base: ['all'], + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER: { + name: 'kibana_rbac_default_space_so_management_write_user', + privileges: { + kibana: [ + { + feature: { + savedObjectsManagement: ['all'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_SO_MANAGEMENT_READ_USER: { + name: 'kibana_rbac_default_space_so_management_read_user', + privileges: { + kibana: [ + { + feature: { + savedObjectsManagement: ['read'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_SO_TAGGING_READ_USER: { + name: 'kibana_rbac_default_space_so_tagging_read_user', + privileges: { + kibana: [ + { + feature: { + savedObjectsTagging: ['read'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_SO_TAGGING_WRITE_USER: { + name: 'kibana_rbac_default_space_so_tagging_write_user', + privileges: { + kibana: [ + { + feature: { + savedObjectsTagging: ['all'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_DASHBOARD_READ_USER: { + name: 'kibana_rbac_default_space_dashboard_read_user', + privileges: { + kibana: [ + { + feature: { + dashboard: ['read'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_DASHBOARD_WRITE_USER: { + name: 'kibana_rbac_default_space_dashboard_write_user', + privileges: { + kibana: [ + { + 
feature: { + dashboard: ['all'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_VISUALIZE_READ_USER: { + name: 'kibana_rbac_default_space_visualize_read_user', + privileges: { + kibana: [ + { + feature: { + visualize: ['read'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_VISUALIZE_WRITE_USER: { + name: 'kibana_rbac_default_space_visualize_write_user', + privileges: { + kibana: [ + { + feature: { + visualize: ['all'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER: { + name: 'kibana_rbac_default_space_advanced_settings_read_user', + privileges: { + kibana: [ + { + feature: { + advancedSettings: ['read'], + }, + spaces: ['default'], + }, + ], + }, + }, + KIBANA_RBAC_DEFAULT_SPACE_MAPS_READ_USER: { + name: 'kibana_rbac_default_space_maps_read_user', + privileges: { + kibana: [ + { + feature: { + maps: ['read'], + }, + spaces: ['default'], + }, + ], + }, + }, +}; + +export const USERS = { + NOT_A_KIBANA_USER: { + username: 'not_a_kibana_user', + password: 'password', + roles: [], + description: 'user with no access', + }, + SUPERUSER: { + username: 'elastic', + password: 'changeme', + roles: [], + superuser: true, + description: 'superuser', + }, + DEFAULT_SPACE_READ_USER: { + username: 'a_kibana_rbac_default_space_read_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.name], + description: 'rbac user with read on default space', + }, + DEFAULT_SPACE_WRITE_USER: { + username: 'a_kibana_rbac_default_space_write_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_WRITE_USER.name], + description: 'rbac user with all on default space', + }, + DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER: { + username: 'a_kibana_rbac_default_space_so_management_write_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER.name], + description: 'rbac user with all on SO management on 
default space', + }, + DEFAULT_SPACE_SO_TAGGING_READ_USER: { + username: 'a_kibana_rbac_default_space_so_tagging_read_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_SO_TAGGING_READ_USER.name], + }, + DEFAULT_SPACE_SO_TAGGING_READ_SO_MANAGEMENT_READ_USER: { + username: 'a_kibana_rbac_default_space_so_tagging_read_so_management_read_user', + password: 'password', + roles: [ + ROLES.KIBANA_RBAC_DEFAULT_SPACE_SO_TAGGING_READ_USER.name, + ROLES.KIBANA_RBAC_DEFAULT_SPACE_SO_MANAGEMENT_READ_USER.name, + ], + }, + DEFAULT_SPACE_SO_TAGGING_WRITE_USER: { + username: 'a_kibana_rbac_default_space_so_tagging_write_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_SO_TAGGING_WRITE_USER.name], + }, + DEFAULT_SPACE_DASHBOARD_READ_USER: { + username: 'a_kibana_rbac_default_space_dashboard_read_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_DASHBOARD_READ_USER.name], + }, + DEFAULT_SPACE_VISUALIZE_READ_USER: { + username: 'a_kibana_rbac_default_space_visualize_read_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_VISUALIZE_READ_USER.name], + }, + DEFAULT_SPACE_DASHBOARD_WRITE_USER: { + username: 'a_kibana_rbac_default_space_dashboard_write_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_DASHBOARD_WRITE_USER.name], + }, + DEFAULT_SPACE_VISUALIZE_WRITE_USER: { + username: 'a_kibana_rbac_default_space_visualize_write_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_VISUALIZE_WRITE_USER.name], + }, + DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER: { + username: 'a_kibana_rbac_default_space_advanced_settings_read_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER.name], + }, + DEFAULT_SPACE_MAPS_READ_USER: { + username: 'a_kibana_rbac_default_space_maps_read_user', + password: 'password', + roles: [ROLES.KIBANA_RBAC_DEFAULT_SPACE_MAPS_READ_USER.name], + }, +}; 
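Review bot: `USERS.SUPERUSER` hard-codes `elastic` / `changeme`, but nothing in this change provisions that account: `createUsersAndRoles` in create_users_and_roles.ts returns early for any entry with `superuser: true`. The authorized cases therefore pass only if the test server was bootstrapped with the same password. A comment above `SUPERUSER` would document the coupling, e.g. `// not created by createUsersAndRoles; must match the built-in elastic credentials of the FTR test server`. Reading the credentials from the FTR config would remove it, though whether that is available here is not visible in this diff. Entries from `DEFAULT_SPACE_SO_TAGGING_READ_USER` onward also omit `description`, so the generated test titles fall back to the raw username.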
diff --git a/x-pack/test/ftr_apis/common/lib/create_users_and_roles.ts b/x-pack/test/ftr_apis/common/lib/create_users_and_roles.ts
new file mode 100644
index 0000000000000..2987d561f7762
--- /dev/null
+++ b/x-pack/test/ftr_apis/common/lib/create_users_and_roles.ts
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext as CommonFtrProviderContext } from '../../../common/ftr_provider_context';
+import { USERS, ROLES } from './authentication';
+import { User, Role } from './types';
+
+export const createUsersAndRoles = async (getService: CommonFtrProviderContext['getService']) => {
+ const security = getService('security');
+
+ const createRole = async ({ name, privileges }: Role) => {
+ return await security.role.create(name, privileges);
+ };
+
+ const createUser = async ({ username, password, roles, superuser }: User) => {
+ // no need to create superuser
+ if (superuser) {
+ return;
+ }
+
+ return await security.user.create(username, {
+ password,
+ roles,
+ full_name: username.replace('_', ' '),
+ email: `${username}@elastic.co`,
+ });
+ };
+
+ for (const role of Object.values(ROLES)) {
+ await createRole(role);
+ }
+
+ for (const user of Object.values(USERS)) {
+ await createUser(user);
+ }
+};
diff --git a/x-pack/test/ftr_apis/common/lib/index.ts b/x-pack/test/ftr_apis/common/lib/index.ts
new file mode 100644
index 0000000000000..9d23dc2541f8c
--- /dev/null
+++ b/x-pack/test/ftr_apis/common/lib/index.ts
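Review bot: `full_name: username.replace('_', ' ')` in `createUser` replaces only the first underscore, because `String.prototype.replace` with a string pattern stops after one match. `a_kibana_rbac_default_space_read_user` is therefore stored as `a kibana_rbac_default_space_read_user`. If a readable display name is the intent, use `full_name: username.replace(/_/g, ' '),`. The role and user loops also await each create call in sequence, which is fine for a fixture this size, but a failure part-way through leaves a partial set behind with no cleanup visible in this hunk.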
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type { Role, User, ExpectedResponse } from './types';
+export { ROLES, USERS } from './authentication';
+export { createUsersAndRoles } from './create_users_and_roles';
diff --git a/x-pack/test/ftr_apis/common/lib/types.ts b/x-pack/test/ftr_apis/common/lib/types.ts
new file mode 100644
index 0000000000000..76cdeba36d0a9
--- /dev/null
+++ b/x-pack/test/ftr_apis/common/lib/types.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export interface User {
+ username: string;
+ password: string;
+ roles: string[];
+ superuser?: boolean;
+ description?: string;
+}
+
+export interface Role {
+ name: string;
+ privileges: any;
+}
+
+export interface ExpectedResponse {
+ httpCode: number;
+ expectResponse: (body: Record) => void | Promise;
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/bulk_delete.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/bulk_delete.ts
new file mode 100644
index 0000000000000..1ba800413237e
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/apis/bulk_delete.ts
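Review bot: In `ExpectedResponse` in types.ts, the `expectResponse` callback parameter is named `body`, but it receives the whole response. The callers visible in this change hand the callback to supertest's `.then(...)` and destructure `({ body })` from its argument. Renaming the parameter to `response` would keep a later author from treating the argument as the body itself. `privileges: any` on `Role` also drops all checking of the privilege objects in `ROLES`, so a misspelled `feature` or `spaces` key would only surface at runtime when the role is created.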
@@ -0,0 +1,92 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { USERS, User, ExpectedResponse } from '../../common/lib'; +import { FtrProviderContext } from '../services'; +import { createTestSpaces, deleteTestSpaces, createData, deleteData } from './test_utils'; + +// eslint-disable-next-line import/no-default-export +export default function (ftrContext: FtrProviderContext) { + const supertest = ftrContext.getService('supertestWithoutAuth'); + + describe('POST /internal/ftr/kbn_client_so/_bulk_delete', () => { + before(async () => { + await createTestSpaces(ftrContext); + }); + + after(async () => { + await deleteTestSpaces(ftrContext); + }); + + beforeEach(async () => { + await createData(ftrContext); + }); + + afterEach(async () => { + await deleteData(ftrContext); + }); + + const responses: Record = { + authorized: { + httpCode: 200, + expectResponse: ({ body }) => { + expect(body.statuses.length).to.eql(1); + }, + }, + unauthorized: { + httpCode: 403, + expectResponse: ({ body }) => { + expect(body).to.eql({ + statusCode: 403, + error: 'Forbidden', + message: 'Forbidden', + }); + }, + }, + }; + + const expectedResults: Record = { + authorized: [USERS.SUPERUSER], + unauthorized: [ + USERS.DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER, + USERS.DEFAULT_SPACE_SO_TAGGING_WRITE_USER, + USERS.DEFAULT_SPACE_READ_USER, + USERS.DEFAULT_SPACE_SO_TAGGING_READ_USER, + USERS.DEFAULT_SPACE_DASHBOARD_READ_USER, + USERS.DEFAULT_SPACE_VISUALIZE_READ_USER, + USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER, + USERS.NOT_A_KIBANA_USER, + ], + }; + + const createUserTest = ( + { username, password, description }: User, + { httpCode, expectResponse }: ExpectedResponse + ) => { + it(`returns expected ${httpCode} response for 
${description ?? username}`, async () => { + await supertest + .post(`/internal/ftr/kbn_client_so/_bulk_delete`) + .send([{ type: 'tag', id: 'tag-1' }]) + .auth(username, password) + .expect(httpCode) + .then(expectResponse); + }); + }; + + const createTestSuite = () => { + Object.entries(expectedResults).forEach(([responseId, users]) => { + const response: ExpectedResponse = responses[responseId]; + users.forEach((user) => { + createUserTest(user, response); + }); + }); + }; + + createTestSuite(); + }); +} diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/create.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/create.ts new file mode 100644 index 0000000000000..50aee16f1b9f0 --- /dev/null +++ b/x-pack/test/ftr_apis/security_and_spaces/apis/create.ts 
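Review bot: The `unauthorized` list in `expectedResults` never includes `USERS.DEFAULT_SPACE_WRITE_USER` (base `all` on the default space) or the dashboard and visualize write users. The 403 is therefore proven only for narrower roles, while the most privileged non-superuser is the case most likely to regress if the route's access check is ever loosened. Add `USERS.DEFAULT_SPACE_WRITE_USER,` and the other write users to `unauthorized`. The list in create.ts has the same gap, and bulk_delete.ts also omits `USERS.DEFAULT_SPACE_MAPS_READ_USER`, which create.ts includes. Neither file shows a case that sends the request without `.auth(...)`, so the unauthenticated path is not covered by the visible tests.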
@@ -0,0 +1,103 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { USERS, User, ExpectedResponse } from '../../common/lib';
+import { FtrProviderContext } from '../services';
+import { createTestSpaces, deleteTestSpaces, createData, deleteData } from './test_utils';
+
+// eslint-disable-next-line import/no-default-export
+export default function (ftrContext: FtrProviderContext) {
+ const supertest = ftrContext.getService('supertestWithoutAuth');
+
+ describe('POST /internal/ftr/kbn_client_so/{type}', () => {
+ before(async () => {
+ await createTestSpaces(ftrContext);
+ });
+
+ after(async () => {
+ await deleteTestSpaces(ftrContext);
+ });
+
+ beforeEach(async () => {
+ await createData(ftrContext);
+ });
+
+ afterEach(async () => {
+ await deleteData(ftrContext);
+ });
+
+ const responses: Record = {
+ authorized: {
+ httpCode: 200,
+ expectResponse: ({ body }) => {
+ expect(body.attributes).to.eql({
+ name: 'My new tag',
+ description: 'I just created that',
+ color: '#009000',
+ });
+ },
+ },
+ unauthorized: {
+ httpCode: 403,
+ expectResponse: ({ body }) => {
+ expect(body).to.eql({
+ statusCode: 403,
+ error: 'Forbidden',
+ message: 'Forbidden',
+ });
+ },
+ },
+ };
+
+ const expectedResults: Record = {
+ authorized: [USERS.SUPERUSER],
+ unauthorized: [
+ USERS.DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_WRITE_USER,
+ USERS.DEFAULT_SPACE_READ_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_READ_USER,
+ USERS.DEFAULT_SPACE_DASHBOARD_READ_USER,
+ USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
+ USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER,
+ USERS.DEFAULT_SPACE_MAPS_READ_USER,
+ USERS.NOT_A_KIBANA_USER,
+ ],
+ };
+
+ const createUserTest = (
+ { username, password, description }: User,
+ { httpCode, expectResponse }: ExpectedResponse
+ ) => {
+ it(`returns expected ${httpCode} response for ${description ?? username}`, async () => {
+ await supertest
+ .post(`/internal/ftr/kbn_client_so/tag`)
+ .send({
+ attributes: {
+ name: 'My new tag',
+ description: 'I just created that',
+ color: '#009000',
+ },
+ })
+ .auth(username, password)
+ .expect(httpCode)
+ .then(expectResponse);
+ });
+ };
+
+ const createTestSuite = () => {
+ Object.entries(expectedResults).forEach(([responseId, users]) => {
+ const response: ExpectedResponse = responses[responseId];
+ users.forEach((user) => {
+ createUserTest(user, response);
+ });
+ });
+ };
+
+ createTestSuite();
+ });
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/delete.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/delete.ts
new file mode 100644
index 0000000000000..f3b04c3cab492
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/apis/delete.ts
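Review bot: Every case generated by `createUserTest` calls `.auth(username, password)`, so no request reaches this route without credentials, and the same holds for the bulk_delete, delete, find, get and update suites in this commit. A separate case that omits `.auth(...)` and pins the rejection, e.g. `await supertest.post('/internal/ftr/kbn_client_so/tag').send({ attributes: { name: 'My new tag' } }).expect(401);`, would show that the endpoint fails closed for anonymous callers. 401 is the status I would expect here, but confirm it against what the test server actually returns.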
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { USERS, User, ExpectedResponse } from '../../common/lib';
+import { FtrProviderContext } from '../services';
+import { createTestSpaces, deleteTestSpaces, createData, deleteData } from './test_utils';
+
+// eslint-disable-next-line import/no-default-export
+export default function (ftrContext: FtrProviderContext) {
+ const supertest = ftrContext.getService('supertestWithoutAuth');
+
+ describe('DELETE /internal/ftr/kbn_client_so/{type}/{id}', () => {
+ before(async () => {
+ await createTestSpaces(ftrContext);
+ });
+
+ after(async () => {
+ await deleteTestSpaces(ftrContext);
+ });
+
+ beforeEach(async () => {
+ await createData(ftrContext);
+ });
+
+ afterEach(async () => {
+ await deleteData(ftrContext);
+ });
+
+ const responses: Record = {
+ authorized: {
+ httpCode: 200,
+ expectResponse: ({ body }) => {
+ expect(body).to.eql({});
+ },
+ },
+ unauthorized: {
+ httpCode: 403,
+ expectResponse: ({ body }) => {
+ expect(body).to.eql({
+ statusCode: 403,
+ error: 'Forbidden',
+ message: 'Forbidden',
+ });
+ },
+ },
+ };
+
+ const expectedResults: Record = {
+ authorized: [USERS.SUPERUSER],
+ unauthorized: [
+ USERS.DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_WRITE_USER,
+ USERS.DEFAULT_SPACE_READ_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_READ_USER,
+ USERS.DEFAULT_SPACE_DASHBOARD_READ_USER,
+ USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
+ USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER,
+ USERS.DEFAULT_SPACE_MAPS_READ_USER,
+ USERS.NOT_A_KIBANA_USER,
+ ],
+ };
+
+ const createUserTest = (
+ { username, password, description }: User,
+ { httpCode, expectResponse }: ExpectedResponse
+ ) => {
+ it(`returns expected ${httpCode} response for ${description ?? username}`, async () => {
+ await supertest
+ .delete(`/internal/ftr/kbn_client_so/visualization/vis-area-1`)
+ .auth(username, password)
+ .expect(httpCode)
+ .then(expectResponse);
+ });
+ };
+
+ const createTestSuite = () => {
+ Object.entries(expectedResults).forEach(([responseId, users]) => {
+ const response: ExpectedResponse = responses[responseId];
+ users.forEach((user) => {
+ createUserTest(user, response);
+ });
+ });
+ };
+
+ createTestSuite();
+ });
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/find.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/find.ts
new file mode 100644
index 0000000000000..803db0affbfa7
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/apis/find.ts
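Review bot: The 403 cases in `createUserTest` assert only the response body, so a handler that removed the object before answering Forbidden would still pass. When `httpCode` is 403, read the object back with the authorized account after the denied request, e.g. `await supertest.get('/internal/ftr/kbn_client_so/visualization/vis-area-1').auth(USERS.SUPERUSER.username, USERS.SUPERUSER.password).expect(200);`. The bulk_delete and update suites in this commit would benefit from the same follow-up check on the object's state.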
@@ -0,0 +1,94 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { USERS, User, ExpectedResponse } from '../../common/lib';
+import { FtrProviderContext } from '../services';
+import { createData, createTestSpaces, deleteData, deleteTestSpaces } from './test_utils';
+
+// eslint-disable-next-line import/no-default-export
+export default function (ftrContext: FtrProviderContext) {
+ const supertest = ftrContext.getService('supertestWithoutAuth');
+
+ describe('GET /internal/ftr/kbn_client_so/_find', () => {
+ before(async () => {
+ await createTestSpaces(ftrContext);
+ });
+
+ after(async () => {
+ await deleteTestSpaces(ftrContext);
+ });
+
+ beforeEach(async () => {
+ await createData(ftrContext);
+ });
+
+ afterEach(async () => {
+ await deleteData(ftrContext);
+ });
+
+ const responses: Record = {
+ authorized: {
+ httpCode: 200,
+ expectResponse: ({ body }) => {
+ expect(body.saved_objects.length).to.be.greaterThan(0);
+ },
+ },
+ unauthorized: {
+ httpCode: 403,
+ expectResponse: ({ body }) => {
+ expect(body).to.eql({
+ error: 'Forbidden',
+ message: 'Forbidden',
+ statusCode: 403,
+ });
+ },
+ },
+ };
+ const expectedResults: Record = {
+ authorized: [USERS.SUPERUSER],
+ unauthorized: [
+ USERS.DEFAULT_SPACE_READ_USER,
+ USERS.DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_READ_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_WRITE_USER,
+ USERS.DEFAULT_SPACE_DASHBOARD_READ_USER,
+ USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
+ USERS.DEFAULT_SPACE_MAPS_READ_USER,
+ USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER,
+ USERS.NOT_A_KIBANA_USER,
+ ],
+ };
+
+ const createUserTest = (
+ { username, password, description }: User,
+ { httpCode, expectResponse }: ExpectedResponse
+ ) => {
+ it(`returns expected ${httpCode} response for ${description ?? username}`, async () => {
+ await supertest
+ .get(`/internal/ftr/kbn_client_so/_find`)
+ .query({
+ type: 'tag',
+ })
+ .auth(username, password)
+ .expect(httpCode)
+ .then(expectResponse);
+ });
+ };
+
+ const createTestSuite = () => {
+ Object.entries(expectedResults).forEach(([responseId, users]) => {
+ const response: ExpectedResponse = responses[responseId];
+ users.forEach((user) => {
+ createUserTest(user, response);
+ });
+ });
+ };
+
+ createTestSuite();
+ });
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/get.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/get.ts
new file mode 100644
index 0000000000000..db4f507a64645
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/apis/get.ts
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { USERS, User, ExpectedResponse } from '../../common/lib';
+import { FtrProviderContext } from '../services';
+import { createTestSpaces, deleteTestSpaces, createData, deleteData } from './test_utils';
+
+// eslint-disable-next-line import/no-default-export
+export default function (ftrContext: FtrProviderContext) {
+ const supertest = ftrContext.getService('supertestWithoutAuth');
+
+ describe('GET /internal/ftr/kbn_client_so/{type}/{id}', () => {
+ before(async () => {
+ await createTestSpaces(ftrContext);
+ });
+
+ after(async () => {
+ await deleteTestSpaces(ftrContext);
+ });
+
+ beforeEach(async () => {
+ await createData(ftrContext);
+ });
+
+ afterEach(async () => {
+ await deleteData(ftrContext);
+ });
+
+ const responses: Record = {
+ authorized: {
+ httpCode: 200,
+ expectResponse: ({ body }) => {
+ expect(body.id).to.eql('vis-area-4');
+ },
+ },
+ unauthorized: {
+ httpCode: 403,
+ expectResponse: ({ body }) => {
+ expect(body).to.eql({
+ statusCode: 403,
+ error: 'Forbidden',
+ message: 'Forbidden',
+ });
+ },
+ },
+ };
+
+ const expectedResults: Record = {
+ authorized: [USERS.SUPERUSER],
+ unauthorized: [
+ USERS.NOT_A_KIBANA_USER,
+ USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER,
+ USERS.DEFAULT_SPACE_READ_USER,
+ USERS.DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_READ_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_WRITE_USER,
+ USERS.DEFAULT_SPACE_DASHBOARD_READ_USER,
+ USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
+ USERS.DEFAULT_SPACE_MAPS_READ_USER,
+ ],
+ };
+
+ const createUserTest = (
+ { username, password, description }: User,
+ { httpCode, expectResponse }: ExpectedResponse
+ ) => {
+ it(`returns expected ${httpCode} response for ${description ?? username}`, async () => {
+ await supertest
+ .get(`/internal/ftr/kbn_client_so/visualization/vis-area-4`)
+ .auth(username, password)
+ .expect(httpCode)
+ .then(expectResponse);
+ });
+ };
+
+ const createTestSuite = () => {
+ Object.entries(expectedResults).forEach(([responseId, users]) => {
+ const response: ExpectedResponse = responses[responseId];
+ users.forEach((user) => {
+ createUserTest(user, response);
+ });
+ });
+ };
+
+ createTestSuite();
+ });
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/index.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/index.ts
new file mode 100644
index 0000000000000..ca5bf0cb89221
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/apis/index.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../services';
+import { createUsersAndRoles } from '../../common/lib';
+
+// eslint-disable-next-line import/no-default-export
+export default function ({ getService, loadTestFile }: FtrProviderContext) {
+ describe('FTR API - security and spaces integration', function () {
+ before(async () => {
+ await createUsersAndRoles(getService);
+ });
+
+ loadTestFile(require.resolve('./get'));
+ loadTestFile(require.resolve('./create'));
+ loadTestFile(require.resolve('./update'));
+ loadTestFile(require.resolve('./delete'));
+ loadTestFile(require.resolve('./find'));
+ loadTestFile(require.resolve('./bulk_delete'));
+ });
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/test_utils.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/test_utils.ts
new file mode 100644
index 0000000000000..7ab99302043fa
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/apis/test_utils.ts
@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../services';
+
+export const createTestSpaces = async ({ getService }: FtrProviderContext) => {
+ const spaceService = getService('spaces');
+ await spaceService.create({
+ id: 'space_1',
+ name: 'Space 1',
+ description: 'This is the first test space',
+ });
+ await spaceService.create({
+ id: 'space_2',
+ name: 'Space 2',
+ description: 'This is the second test space',
+ });
+};
+
+export const deleteTestSpaces = async ({ getService }: FtrProviderContext) => {
+ const spaceService = getService('spaces');
+ await spaceService.delete('space_1');
+ await spaceService.delete('space_2');
+};
+
+export const createData = async ({ getService }: FtrProviderContext) => {
+ const kibanaServer = getService('kibanaServer');
+ await kibanaServer.importExport.load(
+ 'x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/default_space.json'
+ );
+ await kibanaServer.importExport.load(
+ 'x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/space_1.json',
+ { space: 'space_1' }
+ );
+};
+
+export const deleteData = async ({ getService }: FtrProviderContext) => {
+ const kibanaServer = getService('kibanaServer');
+ await kibanaServer.importExport.unload(
+ 'x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/default_space.json'
+ );
+ await kibanaServer.importExport.unload(
+ 'x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/space_1.json',
+ { space: 'space_1' }
+ );
+};
diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/update.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/update.ts
new file mode 100644
index 0000000000000..fe3ade47195a6
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/apis/update.ts
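Review bot: `createTestSpaces` creates `space_1` and `space_2` and `createData` loads a fixture into `space_1`, but none of the suites added in this commit sends a request under a space prefix, and `space_2` never receives any data. As written, the "security and spaces" suite checks only default-space URLs, so a role that is correctly denied there but wrongly allowed in another space would go unnoticed. Either add a space-scoped case, e.g. `.get('/s/space_1/internal/ftr/kbn_client_so/_find')` with the same user matrix (assuming these routes are space-aware), or add a comment here such as `// space_2 is created empty; no suite reads from it yet`.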
@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { USERS, User, ExpectedResponse } from '../../common/lib';
+import { FtrProviderContext } from '../services';
+import { createTestSpaces, deleteTestSpaces, createData, deleteData } from './test_utils';
+
+// eslint-disable-next-line import/no-default-export
+export default function (ftrContext: FtrProviderContext) {
+ const supertest = ftrContext.getService('supertestWithoutAuth');
+
+ describe('PUT /internal/ftr/kbn_client_so/{type}/{id}', () => {
+ before(async () => {
+ await createTestSpaces(ftrContext);
+ });
+
+ after(async () => {
+ await deleteTestSpaces(ftrContext);
+ });
+
+ beforeEach(async () => {
+ await createData(ftrContext);
+ });
+
+ afterEach(async () => {
+ await deleteData(ftrContext);
+ });
+
+ const responses: Record = {
+ authorized: {
+ httpCode: 200,
+ expectResponse: ({ body }) => {
+ expect(body.attributes.name).to.eql('Updated title');
+ },
+ },
+ unauthorized: {
+ httpCode: 403,
+ expectResponse: ({ body }) => {
+ expect(body).to.eql({
+ statusCode: 403,
+ error: 'Forbidden',
+ message: 'Forbidden',
+ });
+ },
+ },
+ };
+
+ const expectedResults: Record = {
+ authorized: [USERS.SUPERUSER],
+ unauthorized: [
+ USERS.DEFAULT_SPACE_SO_MANAGEMENT_WRITE_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_WRITE_USER,
+ USERS.DEFAULT_SPACE_READ_USER,
+ USERS.DEFAULT_SPACE_SO_TAGGING_READ_USER,
+ USERS.DEFAULT_SPACE_DASHBOARD_READ_USER,
+ USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
+ USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER,
+ USERS.DEFAULT_SPACE_MAPS_READ_USER,
+ USERS.NOT_A_KIBANA_USER,
+ ],
+ };
+
+ const createUserTest = (
+ { username, password, description }: User,
+ { httpCode, expectResponse }: ExpectedResponse
+ ) => {
+ it(`returns expected ${httpCode} response for ${description ?? username}`, async () => {
+ await supertest
+ .put(`/internal/ftr/kbn_client_so/tag/tag-1`)
+ .send({
+ attributes: { name: 'Updated title' },
+ })
+ .auth(username, password)
+ .expect(httpCode)
+ .then(expectResponse);
+ });
+ };
+
+ const createTestSuite = () => {
+ Object.entries(expectedResults).forEach(([responseId, users]) => {
+ const response: ExpectedResponse = responses[responseId];
+ users.forEach((user) => {
+ createUserTest(user, response);
+ });
+ });
+ };
+
+ createTestSuite();
+ });
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/config.ts b/x-pack/test/ftr_apis/security_and_spaces/config.ts
new file mode 100644
index 0000000000000..8cfc662bb0b96
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/config.ts
@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+import { services } from './services';
+
+// eslint-disable-next-line import/no-default-export
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const apiIntegrationConfig = await readConfigFile(
+ require.resolve('../../api_integration/config.ts')
+ );
+
+ return {
+ testFiles: [require.resolve('./apis')],
+ servers: apiIntegrationConfig.get('servers'),
+ services,
+ junit: {
+ reportName: 'X-Pack FTR API Integration Tests - Security and Spaces',
+ },
+ esTestCluster: {
+ ...apiIntegrationConfig.get('esTestCluster'),
+ license: 'trial',
+ },
+ kbnTestServer: {
+ ...apiIntegrationConfig.get('kbnTestServer'),
+ serverArgs: [
+ ...apiIntegrationConfig.get('kbnTestServer.serverArgs'),
+ '--server.xsrf.disableProtection=true',
+ `--xpack.fleet.registryUrl=http://localhost:12345`, // setting to invalid registry url to prevent installing preconfigured packages
+ ],
+ },
+ };
+}
diff --git a/x-pack/test/ftr_apis/security_and_spaces/services.ts b/x-pack/test/ftr_apis/security_and_spaces/services.ts
new file mode 100644
index 0000000000000..cb1db3f8469ee
--- /dev/null
+++ b/x-pack/test/ftr_apis/security_and_spaces/services.ts
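Review bot: `'--server.xsrf.disableProtection=true'` is added to `serverArgs` with no explanation, unlike the registry URL line right below it. Presumably it is there because the suites issue POST, PUT and DELETE requests without a `kbn-xsrf` header; if so, say it in a comment such as `// XSRF check is off for this test server only: requests in ./apis send no kbn-xsrf header`. Keeping the protection on and adding `.set('kbn-xsrf', 'true')` to the mutating requests would exercise the routes the way a real deployment serves them and keeps a copy of this config from silently carrying the flag elsewhere.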
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { GenericFtrProviderContext } from '@kbn/test';
+import { services as apiIntegrationServices } from '../../api_integration/services';
+
+export const services = {
+ ...apiIntegrationServices,
+};
+
+export type FtrProviderContext = GenericFtrProviderContext;
diff --git a/x-pack/test/functional/apps/dashboard/group2/dashboard_tagging.ts b/x-pack/test/functional/apps/dashboard/group2/dashboard_tagging.ts
deleted file mode 100644
index 1bd258233a7cc..0000000000000
--- a/x-pack/test/functional/apps/dashboard/group2/dashboard_tagging.ts
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import expect from '@kbn/expect';
-import { FtrProviderContext } from '../../../ftr_provider_context';
-
-export default function ({ getService, getPageObjects }: FtrProviderContext) {
- const listingTable = getService('listingTable');
- const testSubjects = getService('testSubjects');
- const kibanaServer = getService('kibanaServer');
- const esArchiver = getService('esArchiver');
- const find = getService('find');
- const PageObjects = getPageObjects([
- 'common',
- 'tagManagement',
- 'header',
- 'dashboard',
- 'visualize',
- 'lens',
- ]);
-
- const dashboardTag = 'extremely-cool-dashboard';
- const dashboardTitle = 'Coolest Blank Dashboard';
-
- describe('dashboard tagging', () => {
- const verifyTagFromListingPage = async () => {
- await PageObjects.dashboard.gotoDashboardLandingPage();
- await listingTable.waitUntilTableIsLoaded();
-
- // open the filter dropdown
- const filterButton = await find.byCssSelector(
- '.euiFilterGroup .euiPopover:nth-child(2) .euiFilterButton'
- );
- await filterButton.click();
- await testSubjects.click(
- `tag-searchbar-option-${PageObjects.tagManagement.testSubjFriendly(dashboardTag)}`
- );
- // click elsewhere to close the filter dropdown
- const searchFilter = await find.byCssSelector('.euiPageTemplate .euiFieldSearch');
- await searchFilter.click();
- // wait until the table refreshes
- await listingTable.waitUntilTableIsLoaded();
- const itemNames = await listingTable.getAllItemsNames();
- expect(itemNames).to.contain(dashboardTitle);
- };
-
- const createTagFromDashboard = async () => {
- await testSubjects.click('dashboardSaveMenuItem');
- await testSubjects.click('savedObjectTagSelector');
- await testSubjects.click(`tagSelectorOption-action__create`);
-
- expect(await PageObjects.tagManagement.tagModal.isOpened()).to.be(true);
-
- await PageObjects.tagManagement.tagModal.fillForm(
- {
- name: dashboardTag,
- color: '#fc03db',
- description: '',
- },
- {
- submit: true,
- }
- );
- expect(await PageObjects.tagManagement.tagModal.isOpened()).to.be(false);
- };
-
- before(async () => {
- await esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/logstash_functional');
- await kibanaServer.importExport.load(
- 'x-pack/test/functional/fixtures/kbn_archiver/lens/lens_basic.json'
- );
- await PageObjects.common.navigateToApp('dashboard');
- await PageObjects.dashboard.preserveCrossAppState();
- await PageObjects.dashboard.clickNewDashboard();
- });
-
- after(async () => {
- await esArchiver.unload('x-pack/test/functional/es_archives/logstash_functional');
- await kibanaServer.importExport.unload(
- 'x-pack/test/functional/fixtures/kbn_archiver/lens/lens_basic.json'
- );
- await kibanaServer.savedObjects.cleanStandardList();
- });
-
- it('adds a new tag to a new Dashboard', async () => {
- await createTagFromDashboard();
- PageObjects.dashboard.saveDashboard(dashboardTitle, {}, false);
- await verifyTagFromListingPage();
- });
-
- it('retains its saved object tags after quicksave', async () => {
- await PageObjects.dashboard.gotoDashboardEditMode(dashboardTitle);
- await PageObjects.dashboard.useMargins(false); // turn margins off to cause quicksave to be enabled
- await PageObjects.dashboard.clickQuickSave();
- await verifyTagFromListingPage();
- });
- });
-}
diff --git a/x-pack/test/functional/apps/dashboard/group2/index.ts b/x-pack/test/functional/apps/dashboard/group2/index.ts
index 666756735e80f..bc6a13af29c5f 100644
--- a/x-pack/test/functional/apps/dashboard/group2/index.ts
+++ b/x-pack/test/functional/apps/dashboard/group2/index.ts
@@ -11,7 +11,6 @@ export default function ({ loadTestFile }: FtrProviderContext) { describe('dashboard', function () { loadTestFile(require.resolve('./sync_colors')); loadTestFile(require.resolve('./_async_dashboard')); - loadTestFile(require.resolve('./dashboard_tagging')); loadTestFile(require.resolve('./dashboard_lens_by_value')); loadTestFile(require.resolve('./dashboard_maps_by_value')); loadTestFile(require.resolve('./panel_titles')); diff --git a/x-pack/test/functional/apps/discover/reporting.ts b/x-pack/test/functional/apps/discover/reporting.ts index ddb5d774765bb..026129e7f0778 100644 --- a/x-pack/test/functional/apps/discover/reporting.ts +++ b/x-pack/test/functional/apps/discover/reporting.ts @@ -98,7 +98,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { // get clipboard value using field search input, since // 'browser.getClipboardValue()' doesn't work, due to permissions - const textInput = await testSubjects.find('fieldFilterSearchInput'); + const textInput = await testSubjects.find('fieldListFiltersFieldSearch'); await textInput.click(); await browser.getActions().keyDown(Key.CONTROL).perform(); await browser.getActions().keyDown('v').perform(); diff --git a/x-pack/test/functional/apps/lens/group2/dashboard.ts b/x-pack/test/functional/apps/lens/group2/dashboard.ts index 08811fd836858..caa2dd3ca1785 100644 --- a/x-pack/test/functional/apps/lens/group2/dashboard.ts +++ b/x-pack/test/functional/apps/lens/group2/dashboard.ts 
@@ -173,11 +173,14 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await dashboardAddPanel.clickOpenAddPanel(); await dashboardAddPanel.filterEmbeddableNames('lnsPieVis'); await find.clickByButtonText('lnsPieVis'); + await PageObjects.header.waitUntilLoadingHasFinished(); await dashboardAddPanel.closeAddPanel(); - await panelActions.openContextMenu(); - await panelActions.clickContextMenuMoreItem(); - await testSubjects.existOrFail(ACTION_TEST_SUBJ); + await retry.try(async () => { + await panelActions.openContextMenu(); + await panelActions.clickContextMenuMoreItem(); + await testSubjects.existOrFail(ACTION_TEST_SUBJ); + }); }); it('should show all data from all layers in the inspector', async () => { diff --git a/x-pack/test/functional/apps/maps/group4/discover.js b/x-pack/test/functional/apps/maps/group4/discover.js index fe0143911768d..b1a0e4677ce32 100644 --- a/x-pack/test/functional/apps/maps/group4/discover.js +++ b/x-pack/test/functional/apps/maps/group4/discover.js @@ -14,9 +14,7 @@ export default function ({ getService, getPageObjects }) { const from = 'Sep 22, 2015 @ 00:00:00.000'; const to = 'Sep 22, 2015 @ 04:00:00.000'; - // Failing: See https://github.com/elastic/kibana/issues/137408 - // Failing: See https://github.com/elastic/kibana/issues/149358 - describe.skip('discover visualize button', () => { + describe('discover visualize button', () => { beforeEach(async () => { await security.testUser.setRoles([ 'test_logstash_reader', diff --git a/x-pack/test/saved_object_tagging/functional/tests/dashboard_integration.ts b/x-pack/test/saved_object_tagging/functional/tests/dashboard_integration.ts index e0c1f162371ce..37da0d3205c9c 100644 --- a/x-pack/test/saved_object_tagging/functional/tests/dashboard_integration.ts +++ b/x-pack/test/saved_object_tagging/functional/tests/dashboard_integration.ts 
@@ -7,7 +7,6 @@ import expect from '@kbn/expect'; import { FtrProviderContext } from '../ftr_provider_context'; -import { TAGFILTER_DROPDOWN_SELECTOR } from './constants'; // eslint-disable-next-line import/no-default-export export default function ({ getPageObjects, getService }: FtrProviderContext) { @@ -15,28 +14,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { const kibanaServer = getService('kibanaServer'); const listingTable = getService('listingTable'); const testSubjects = getService('testSubjects'); - const find = getService('find'); - const PageObjects = getPageObjects(['dashboard', 'tagManagement', 'common', 'header']); - - /** - * Select tags in the searchbar's tag filter. - */ - const selectFilterTags = async (...tagNames: string[]) => { - // open the filter dropdown - const filterButton = await find.byCssSelector(TAGFILTER_DROPDOWN_SELECTOR); - await filterButton.click(); - // select the tags - for (const tagName of tagNames) { - await testSubjects.click( - `tag-searchbar-option-${PageObjects.tagManagement.testSubjFriendly(tagName)}` - ); - } - // click elsewhere to close the filter dropdown - const searchFilter = await find.byCssSelector('.euiPageTemplate .euiFieldSearch'); - await searchFilter.click(); - // wait until the table refreshes - await listingTable.waitUntilTableIsLoaded(); - }; + const PageObjects = getPageObjects(['dashboard', 'tagManagement', 'common']); describe('dashboard integration', () => { before(async () => { @@ -76,7 +54,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { }); it('allows to filter by selecting a tag in the filter menu', async () => { - await selectFilterTags('tag-3'); + await listingTable.selectFilterTags('tag-3'); await listingTable.expectItemsCount('dashboard', 2); const itemNames = await listingTable.getAllItemsNames(); 
@@ -84,7 +62,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { }); it('allows to filter by multiple tags', async () => { - await selectFilterTags('tag-2', 'tag-3'); + await listingTable.selectFilterTags('tag-2', 'tag-3'); await listingTable.expectItemsCount('dashboard', 3); const itemNames = await listingTable.getAllItemsNames(); @@ -113,7 +91,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.dashboard.gotoDashboardLandingPage(); await listingTable.waitUntilTableIsLoaded(); - await selectFilterTags('tag-1'); + await listingTable.selectFilterTags('tag-1'); const itemNames = await listingTable.getAllItemsNames(); expect(itemNames).to.contain('my-new-dashboard'); }); @@ -150,14 +128,13 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.dashboard.gotoDashboardLandingPage(); await listingTable.waitUntilTableIsLoaded(); - await selectFilterTags('my-new-tag'); + await listingTable.selectFilterTags('my-new-tag'); const itemNames = await listingTable.getAllItemsNames(); expect(itemNames).to.contain('dashboard-with-new-tag'); }); }); - // FLAKY: https://github.com/elastic/kibana/issues/106547 - describe.skip('editing', () => { + describe('editing', () => { beforeEach(async () => { await PageObjects.common.navigateToApp('dashboard'); await PageObjects.dashboard.gotoDashboardLandingPage(); 
@@ -176,7 +153,21 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.dashboard.gotoDashboardLandingPage(); await listingTable.waitUntilTableIsLoaded(); - await selectFilterTags('tag-3'); + await listingTable.selectFilterTags('tag-3'); + const itemNames = await listingTable.getAllItemsNames(); + expect(itemNames).to.contain('dashboard 4 with real data (tag-1)'); + }); + + it('retains dashboard saved object tags after quicksave', async () => { + // edit and save dashboard + await PageObjects.dashboard.gotoDashboardEditMode('dashboard 4 with real data (tag-1)'); + await PageObjects.dashboard.useMargins(false); // turn margins off to cause quicksave to be enabled + await PageObjects.dashboard.clickQuickSave(); + + // verify dashboard still has original tags + await PageObjects.dashboard.gotoDashboardLandingPage(); + await listingTable.waitUntilTableIsLoaded(); + await listingTable.selectFilterTags('tag-3'); const itemNames = await listingTable.getAllItemsNames(); expect(itemNames).to.contain('dashboard 4 with real data (tag-1)'); }); diff --git a/x-pack/test/saved_object_tagging/functional/tests/maps_integration.ts b/x-pack/test/saved_object_tagging/functional/tests/maps_integration.ts index fb484b61b96d5..7532263b4518c 100644 --- a/x-pack/test/saved_object_tagging/functional/tests/maps_integration.ts +++ b/x-pack/test/saved_object_tagging/functional/tests/maps_integration.ts 
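Review bot: The added test 'retains dashboard saved object tags after quicksave' says it verifies the original tags but filters on `'tag-3'`, which, judging by the dashboard's name and the end of the preceding test in this hunk, appears to be the tag that test has just assigned rather than one from the fixture. That makes the new test depend on running after its neighbour, so it would fail or check the wrong thing when run alone or reordered. Filter on the fixture tag instead, `await listingTable.selectFilterTags('tag-1');`, or assign the tag inside this test before the quicksave. The enclosing `describe('editing')` block starts outside the hunk, so confirm against the fixture data.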
@@ -7,36 +7,15 @@ import expect from '@kbn/expect'; import { FtrProviderContext } from '../ftr_provider_context'; -import { TAGFILTER_DROPDOWN_SELECTOR } from './constants'; // eslint-disable-next-line import/no-default-export export default function ({ getPageObjects, getService }: FtrProviderContext) { const kibanaServer = getService('kibanaServer'); const listingTable = getService('listingTable'); const testSubjects = getService('testSubjects'); - const find = getService('find'); - const PageObjects = getPageObjects(['maps', 'tagManagement', 'common', 'visualize']); - - /** - * Select tags in the searchbar's tag filter. - */ - const selectFilterTags = async (...tagNames: string[]) => { - // open the filter dropdown - const filterButton = await find.byCssSelector(TAGFILTER_DROPDOWN_SELECTOR); - await filterButton.click(); - // select the tags - for (const tagName of tagNames) { - await testSubjects.click( - `tag-searchbar-option-${PageObjects.tagManagement.testSubjFriendly(tagName)}` - ); - } - // click elsewhere to close the filter dropdown - const searchFilter = await find.byCssSelector('.euiPageTemplate .euiFieldSearch'); - await searchFilter.click(); - }; - - // Failing: See https://github.com/elastic/kibana/issues/89073 - describe.skip('maps integration', () => { + const PageObjects = getPageObjects(['maps', 'common', 'tagManagement', 'visualize']); + + describe('maps integration', () => { before(async () => { await kibanaServer.importExport.load( 'x-pack/test/saved_object_tagging/common/fixtures/es_archiver/maps/data.json' @@ -51,8 +30,9 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { describe('listing', () => { beforeEach(async () => { + // force refresh of maps listing page between tests await PageObjects.common.navigateToUrlWithBrowserHistory('maps', '/'); - await PageObjects.maps.gotoMapListingPage(); + await listingTable.waitUntilTableIsLoaded(); }); it('allows to manually type tag filter query', async () => { 
@@ -64,7 +44,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { }); it('allows to filter by selecting a tag in the filter menu', async () => { - await selectFilterTags('tag-3'); + await listingTable.selectFilterTags('tag-3'); await listingTable.expectItemsCount('map', 2); const itemNames = await listingTable.getAllItemsNames(); @@ -72,7 +52,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { }); it('allows to filter by multiple tags', async () => { - await selectFilterTags('tag-2', 'tag-3'); + await listingTable.selectFilterTags('tag-2', 'tag-3'); await listingTable.expectItemsCount('map', 3); const itemNames = await listingTable.getAllItemsNames(); @@ -89,7 +69,8 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.maps.saveMap('my-new-map', true, true, ['tag-1', 'tag-3']); await PageObjects.maps.gotoMapListingPage(); - await selectFilterTags('tag-1'); + await listingTable.waitUntilTableIsLoaded(); + await listingTable.selectFilterTags('tag-1'); const itemNames = await listingTable.getAllItemsNames(); expect(itemNames).to.contain('my-new-map'); }); @@ -125,7 +106,8 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await testSubjects.click('confirmSaveSavedObjectButton'); await PageObjects.maps.gotoMapListingPage(); - await selectFilterTags('my-new-tag'); + await listingTable.waitUntilTableIsLoaded(); + await listingTable.selectFilterTags('my-new-tag'); const itemNames = await listingTable.getAllItemsNames(); expect(itemNames).to.contain('map-with-new-tag'); }); 
@@ -133,16 +115,19 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { describe('editing', () => { beforeEach(async () => { + // force refresh of maps listing page between tests await PageObjects.common.navigateToUrlWithBrowserHistory('maps', '/'); + await listingTable.waitUntilTableIsLoaded(); }); it('allows to select tags for an existing map', async () => { await listingTable.clickItemLink('map', 'map 4 (tag-1)'); - await PageObjects.maps.saveMap('map 4 (tag-1)', true, true, ['tag-3']); + await PageObjects.maps.saveMap('map 4 (tag-1)', true, false, ['tag-3']); await PageObjects.maps.gotoMapListingPage(); - await selectFilterTags('tag-3'); + await listingTable.waitUntilTableIsLoaded(); + await listingTable.selectFilterTags('tag-3'); const itemNames = await listingTable.getAllItemsNames(); expect(itemNames).to.contain('map 4 (tag-1)'); }); diff --git a/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts b/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts index eeb9a162c24a7..d7160a590185d 100644 --- a/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts +++ b/x-pack/test/saved_object_tagging/functional/tests/visualize_integration.ts @@ -7,7 +7,6 @@ import expect from '@kbn/expect'; import { FtrProviderContext } from '../ftr_provider_context'; -import { TAGFILTER_DROPDOWN_SELECTOR } from './constants'; // eslint-disable-next-line import/no-default-export export default function ({ getPageObjects, getService }: FtrProviderContext) { @@ -15,7 +14,6 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { const kibanaServer = getService('kibanaServer'); const listingTable = getService('listingTable'); const testSubjects = getService('testSubjects'); - const find = getService('find'); const retry = getService('retry'); const PageObjects = getPageObjects([ 'visualize', 
@@ -25,26 +23,6 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { 'header', ]); - /** - * Select tags in the searchbar's tag filter. - */ - const selectFilterTags = async (...tagNames: string[]) => { - // open the filter dropdown - const filterButton = await find.byCssSelector(TAGFILTER_DROPDOWN_SELECTOR); - await filterButton.click(); - // select the tags - for (const tagName of tagNames) { - await testSubjects.click( - `tag-searchbar-option-${PageObjects.tagManagement.testSubjFriendly(tagName)}` - ); - } - // click elsewhere to close the filter dropdown - const searchFilter = await find.byCssSelector('.euiPageTemplate .euiFieldSearch'); - await searchFilter.click(); - // wait until the table refreshes - await listingTable.waitUntilTableIsLoaded(); - }; - const selectSavedObjectTags = async (...tagNames: string[]) => { await testSubjects.click('savedObjectTagSelector'); for (const tagName of tagNames) { @@ -120,7 +98,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { }); it('allows to filter by selecting a tag in the filter menu', async () => { - await selectFilterTags('tag-1'); + await listingTable.selectFilterTags('tag-1'); await listingTable.expectItemsCount('visualize', 2); const itemNames = await listingTable.getAllSelectableItemsNames(); @@ -128,7 +106,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { }); it('allows to filter by multiple tags', async () => { - await selectFilterTags('tag-2', 'tag-3'); + await listingTable.selectFilterTags('tag-2', 'tag-3'); await listingTable.expectItemsCount('visualize', 2); const itemNames = await listingTable.getAllSelectableItemsNames(); 
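Review bot: The local `selectFilterTags` helper removed from this file ended with `await listingTable.waitUntilTableIsLoaded();`, and its callers now go straight from `listingTable.selectFilterTags(...)` to `expectItemsCount` or `getAllSelectableItemsNames`. The service method's body is not part of these hunks, so whether it waits for the table to refresh cannot be confirmed from here. If it does not, add `await listingTable.waitUntilTableIsLoaded();` after each call so the rows are not read before the filter has been applied. The same applies to the `myextratag` and `my-new-tag` cases in the later hunks of this file.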
@@ -153,7 +131,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.visualize.gotoVisualizationLandingPage(); await listingTable.waitUntilTableIsLoaded(); - await selectFilterTags('myextratag'); + await listingTable.selectFilterTags('myextratag'); const itemNames = await listingTable.getAllSelectableItemsNames(); expect(itemNames).to.contain('My new markdown viz'); }); @@ -197,7 +175,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.visualize.gotoVisualizationLandingPage(); await listingTable.waitUntilTableIsLoaded(); - await selectFilterTags('my-new-tag'); + await listingTable.selectFilterTags('my-new-tag'); const itemNames = await listingTable.getAllSelectableItemsNames(); expect(itemNames).to.contain('vis-with-new-tag'); }); @@ -233,7 +211,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.visualize.gotoVisualizationLandingPage(); await listingTable.waitUntilTableIsLoaded(); - await selectFilterTags('myextratag'); + await listingTable.selectFilterTags('myextratag'); const itemNames = await listingTable.getAllSelectableItemsNames(); expect(itemNames).to.contain('MarkdownViz'); }); diff --git a/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts b/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts index 4c5ae878bbf6e..5c519c8ae5b67 100644 --- a/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts +++ b/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts @@ -770,7 +770,8 @@ export function copyToSpaceTestSuiteFactory(context: FtrProviderContext) { await testDataLoader.deleteFtrSpaces(); }); - describe('single-namespace types', () => { + // FLAKY: https://github.com/elastic/kibana/issues/86545 + describe.skip('single-namespace types', () => { beforeEach(async () => { await testDataLoader.createFtrSavedObjectsData(SPACE_DATA_TO_LOAD); }); 
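Review bot: In copy_to_space.ts the `describe.skip` on 'single-namespace types' switches off every case in that block, not only the one that flakes, so the spaces API integration suite loses all of that block's copy-to-space checks until someone re-enables it. If the linked issue concerns a single case, keep the `describe` active and mark only that case with `it.skip(...)`. Otherwise extend the comment to say what is lost, e.g. `// FLAKY: https://github.com/elastic/kibana/issues/86545 (skips all single-namespace copy-to-space cases)`. The block's body continues outside the hunk, so which cases are affected cannot be seen here.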
diff --git a/yarn.lock b/yarn.lock index c77393870b07f..eacc6c1c31d2b 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2849,6 +2849,10 @@ version "0.0.0" uid "" +"@kbn/ci-stats-shipper-cli@link:packages/kbn-ci-stats-shipper-cli": + version "0.0.0" + uid "" + "@kbn/cli-dev-mode@link:packages/kbn-cli-dev-mode": version "0.0.0" uid "" @@ -6531,7 +6535,7 @@ resolved "https://registry.yarnpkg.com/@types/async/-/async-3.2.15.tgz#26d4768fdda0e466f18d6c9918ca28cc89a4e1fe" integrity sha512-PAmPfzvFA31mRoqZyTVsgJMsvbynR429UTTxhmfsUCrWGh3/fxOrzqBtaTPJsn4UtzTv4Vb0+/O7CARWb69N4g== -"@types/babel__core@*", "@types/babel__core@^7.1.14", "@types/babel__core@^7.1.20": +"@types/babel__core@*", "@types/babel__core@^7.1.14": version "7.1.20" resolved "https://registry.yarnpkg.com/@types/babel__core/-/babel__core-7.1.20.tgz#e168cdd612c92a2d335029ed62ac94c95b362359" integrity sha512-PVb6Bg2QuscZ30FvOU7z4guG6c926D9YRvOxEaelzndpMsvP+YM74Q/dAFASpg2l6+XLalxSGxcq/lrgYWZtyQ== @@ -6542,6 +6546,17 @@ "@types/babel__template" "*" "@types/babel__traverse" "*" +"@types/babel__core@^7.20.0": + version "7.20.0" + resolved "https://registry.yarnpkg.com/@types/babel__core/-/babel__core-7.20.0.tgz#61bc5a4cae505ce98e1e36c5445e4bee060d8891" + integrity sha512-+n8dL/9GWblDO0iU6eZAwEIJVr5DWigtle+Q6HLOrh/pdbXOhOtqzq8VPPE2zvNJzSKY4vH/z3iT3tn0A3ypiQ== + dependencies: + "@babel/parser" "^7.20.7" + "@babel/types" "^7.20.7" + "@types/babel__generator" "*" + "@types/babel__template" "*" + "@types/babel__traverse" "*" + "@types/babel__generator@*": version "7.0.2" resolved "https://registry.yarnpkg.com/@types/babel__generator/-/babel__generator-7.0.2.tgz#d2112a6b21fad600d7674274293c85dce0cb47fc" 
@@ -7420,10 +7435,10 @@ dependencies: "@types/node" "*" -"@types/node@*", "@types/node@18.11.18", "@types/node@>= 8", "@types/node@>=12.12.47", "@types/node@>=13.7.0", "@types/node@>=8.9.0", "@types/node@^10.1.0", "@types/node@^14.0.10 || ^16.0.0", "@types/node@^14.14.20 || ^16.0.0", "@types/node@^14.14.31": - version "18.11.18" - resolved "https://registry.yarnpkg.com/@types/node/-/node-18.11.18.tgz#8dfb97f0da23c2293e554c5a50d61ef134d7697f" - integrity sha512-DHQpWGjyQKSHj3ebjFI/wRKcqQcdR+MoFBygntYOZytCqNfkd2ZC4ARDJ2DQqhjH5p85Nnd3jhUJIXrszFX/JA== +"@types/node@*", "@types/node@16.11.68", "@types/node@>= 8", "@types/node@>=12.12.47", "@types/node@>=13.7.0", "@types/node@>=8.9.0", "@types/node@^10.1.0", "@types/node@^14.0.10 || ^16.0.0", "@types/node@^14.14.20 || ^16.0.0", "@types/node@^14.14.31": + version "16.11.68" + resolved "https://registry.yarnpkg.com/@types/node/-/node-16.11.68.tgz#30ee923f4d940793e0380f5ce61c0bd4b7196b6c" + integrity sha512-JkRpuVz3xCNCWaeQ5EHLR/6woMbHZz/jZ7Kmc63AkU+1HxnoUugzSWMck7dsR4DvNYX8jp9wTi9K7WvnxOIQZQ== "@types/nodemailer@^6.4.0": version "6.4.0" @@ -8626,7 +8641,7 @@ abab@^2.0.3, abab@^2.0.4, abab@^2.0.5, abab@^2.0.6: resolved "https://registry.yarnpkg.com/abab/-/abab-2.0.6.tgz#41b80f2c871d19686216b82309231cfd3cb3d291" integrity sha512-j2afSsaIENvHZN2B8GOpF566vZ5WVk5opAiMTvWgaQT8DkbOqsTfvNAvHoRGU2zzP8cPoqys+xHTRDWW8L+/BA== -abbrev@1, abbrev@^1.0.0: +abbrev@1: version "1.1.1" resolved "https://registry.yarnpkg.com/abbrev/-/abbrev-1.1.1.tgz#f8f2c887ad10bf67f634f005b6987fed3179aac8" integrity sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q== 
@@ -11324,10 +11339,10 @@ core-js@^2.4.0, core-js@^2.5.0, core-js@^2.6.9: resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.6.9.tgz#6b4b214620c834152e179323727fc19741b084f2" integrity sha512-HOpZf6eXmnl7la+cUdMnLvUxKNqLUzJvgIziQ0DiF3JwSImNphIqdGqzj6hIKyX04MmV0poclQ7+wjWvxQyR2A== -core-js@^3.0.4, core-js@^3.27.1, core-js@^3.6.5, core-js@^3.8.2, core-js@^3.8.3: - version "3.27.1" - resolved "https://registry.yarnpkg.com/core-js/-/core-js-3.27.1.tgz#23cc909b315a6bb4e418bf40a52758af2103ba46" - integrity sha512-GutwJLBChfGCpwwhbYoqfv03LAfmiz7e7D/BNxzeMxwQf10GRSzqiOjx7AmtEk+heiD/JWmBuyBPgFtx0Sg1ww== +core-js@^3.0.4, core-js@^3.27.2, core-js@^3.6.5, core-js@^3.8.2, core-js@^3.8.3: + version "3.27.2" + resolved "https://registry.yarnpkg.com/core-js/-/core-js-3.27.2.tgz#85b35453a424abdcacb97474797815f4d62ebbf7" + integrity sha512-9ashVQskuh5AZEZ1JdQWp1GqSoC1e1G87MzRqg2gIfVAQ7Qn9K+uFj8EcniUFA4P2NLZfV+TOlX1SzoKfo+s7w== core-util-is@1.0.2, core-util-is@^1.0.2, core-util-is@~1.0.0: version "1.0.2" @@ -13046,10 +13061,10 @@ ejs@^3.1.8: dependencies: jake "^10.8.5" -elastic-apm-http-client@11.0.4, elastic-apm-http-client@^11.0.1: - version "11.0.4" - resolved "https://registry.yarnpkg.com/elastic-apm-http-client/-/elastic-apm-http-client-11.0.4.tgz#3e44e56fa42235b1b16a33c6a7656cfde595f9ff" - integrity sha512-449Qj/STi9hgnIk2KQ7719E7lpM3/i4Afs7NUhSOX8wV3sxn/+ItIHx9kKJthzhDDezxIfQcH83v83AF67GspQ== +elastic-apm-http-client@11.2.0, elastic-apm-http-client@^11.0.1: + version "11.2.0" + resolved "https://registry.yarnpkg.com/elastic-apm-http-client/-/elastic-apm-http-client-11.2.0.tgz#4da8b975ca326c1e5beb59746ab1124c4feddad3" + integrity sha512-XHXK+gQmd34eRN/ffrml7AN4h1VwujB79WEO2C/J59ufvEk+mT1OGBhl6pntHPUWn4Um52C5m84O6jIXzaQwfw== dependencies: agentkeepalive "^4.2.1" breadth-filter "^2.0.0" 
@@ -13061,10 +13076,10 @@ elastic-apm-http-client@11.0.4, elastic-apm-http-client@^11.0.1: semver "^6.3.0" stream-chopper "^3.0.1" -elastic-apm-node@^3.38.0, elastic-apm-node@^3.41.1: - version "3.41.1" - resolved "https://registry.yarnpkg.com/elastic-apm-node/-/elastic-apm-node-3.41.1.tgz#e0829d69d5e8a6062ef567d0a8db0ec0e3736ea8" - integrity sha512-bLCVIyAgQC+ZfY5fd/UaAId+8dh3vusaxZF2A0YtHBAwx1YGpIA3dqOt5zc1UuYmbjCdsEAiUjaUEAHOWdjTzA== +elastic-apm-node@^3.38.0, elastic-apm-node@^3.42.0: + version "3.42.0" + resolved "https://registry.yarnpkg.com/elastic-apm-node/-/elastic-apm-node-3.42.0.tgz#22c11e98708a0df7a7de8c8fb195929b4fc90c00" + integrity sha512-Q9sugfpaw6jQ8xDeP09LlyF0MwE5k0hphQmUiap+qQKE2jrLvY00zk4WierDQ2GF/AguE6BtRZmXpUELDbHFyA== dependencies: "@elastic/ecs-pino-format" "^1.2.0" "@opentelemetry/api" "^1.1.0" @@ -13074,7 +13089,8 @@ elastic-apm-node@^3.38.0, elastic-apm-node@^3.41.1: basic-auth "^2.0.1" cookie "^0.5.0" core-util-is "^1.0.2" - elastic-apm-http-client "11.0.4" + debug "^4.1.1" + elastic-apm-http-client "11.2.0" end-of-stream "^1.4.4" error-callsites "^2.0.4" error-stack-parser "^2.0.6" @@ -13084,13 +13100,14 @@ elastic-apm-node@^3.38.0, elastic-apm-node@^3.41.1: is-native "^1.0.1" lru-cache "^6.0.0" measured-reporting "^1.51.1" + module-details-from-path "^1.0.3" monitor-event-loop-delay "^1.0.0" object-filter-sequence "^1.0.0" object-identity-map "^1.0.2" original-url "^1.2.3" pino "^6.11.2" relative-microtime "^2.0.0" - require-in-the-middle "^5.2.0" + resolve "^1.22.1" semver "^6.3.0" set-cookie-serde "^1.0.0" shallow-clone-shim "^2.0.0" 
@@ -16477,7 +16494,7 @@ inquirer@^8.2.3: through "^2.3.6" wrap-ansi "^7.0.0" -install-artifact-from-github@^1.3.1: +install-artifact-from-github@^1.3.0: version "1.3.1" resolved "https://registry.yarnpkg.com/install-artifact-from-github/-/install-artifact-from-github-1.3.1.tgz#eefaad9af35d632e5d912ad1569c1de38c3c2462" integrity sha512-3l3Bymg2eKDsN5wQuMfgGEj2x6l5MCAv0zPL6rxHESufFVlEAKW/6oY9F1aGgvY/EgWm5+eWGRjINveL4X7Hgg== @@ -19210,7 +19227,7 @@ make-error@^1.1.1: resolved "https://registry.yarnpkg.com/make-error/-/make-error-1.3.6.tgz#2eb2e37ea9b67c4891f684a1394799af484cf7a2" integrity sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw== -make-fetch-happen@^10.0.3, make-fetch-happen@^10.0.4: +make-fetch-happen@^10.0.4: version "10.2.1" resolved "https://registry.yarnpkg.com/make-fetch-happen/-/make-fetch-happen-10.2.1.tgz#f5e3835c5e9817b617f2770870d9492d28678164" integrity sha512-NgOPbRiaQM10DYXvN3/hhGVI2M5MtITFryzBGxHM5p4wnFxsVCbxkrBrDsk+EZ5OB4jEOT7AjDxtdF+KVEFT7w== @@ -20235,7 +20252,7 @@ mute-stream@0.0.8: resolved "https://registry.yarnpkg.com/mute-stream/-/mute-stream-0.0.8.tgz#1630c42b2251ff81e2a283de96a5497ea92e5e0d" integrity sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA== -nan@^2.16.0, nan@^2.17.0: +nan@^2.15.0, nan@^2.17.0: version "2.17.0" resolved "https://registry.yarnpkg.com/nan/-/nan-2.17.0.tgz#c0150a2368a182f033e9aa5195ec76ea41a199cb" integrity sha512-2ZTgtl0nJsO0KQCjEpxcIr5D+Yv90plTitZt9JBfQvVJDS5seMl3FOvsh3+9CoYWXf/1l5OaZzzF6nDm4cagaQ== 
@@ -20499,22 +20516,6 @@ node-gyp@^8.4.1: tar "^6.1.2" which "^2.0.2" -node-gyp@^9.0.0: - version "9.3.0" - resolved "https://registry.yarnpkg.com/node-gyp/-/node-gyp-9.3.0.tgz#f8eefe77f0ad8edb3b3b898409b53e697642b319" - integrity sha512-A6rJWfXFz7TQNjpldJ915WFb1LnhO4lIve3ANPbWreuEoLoKlFT3sxIepPBkLhM27crW8YmN+pjlgbasH6cH/Q== - dependencies: - env-paths "^2.2.0" - glob "^7.1.4" - graceful-fs "^4.2.6" - make-fetch-happen "^10.0.3" - nopt "^6.0.0" - npmlog "^6.0.0" - rimraf "^3.0.2" - semver "^7.3.5" - tar "^6.1.2" - which "^2.0.2" - node-int64@^0.4.0: version "0.4.0" resolved "https://registry.yarnpkg.com/node-int64/-/node-int64-0.4.0.tgz#87a9065cdb355d3182d8f94ce11188b825c68a3b" @@ -20616,13 +20617,6 @@ nopt@^5.0.0: dependencies: abbrev "1" -nopt@^6.0.0: - version "6.0.0" - resolved "https://registry.yarnpkg.com/nopt/-/nopt-6.0.0.tgz#245801d8ebf409c6df22ab9d95b65e1309cdb16d" - integrity sha512-ZwLpbTgdhuZUnZzjd7nb1ZV+4DoiC6/sfiVKok72ym/4Tlf+DFdlHYmT2JPmcNNWV6Pi3SDf1kT+A4r9RTuT9g== - dependencies: - abbrev "^1.0.0" - normalize-package-data@^2.0.0, normalize-package-data@^2.3.2, normalize-package-data@^2.3.4, normalize-package-data@^2.5.0: version "2.5.0" resolved "https://registry.yarnpkg.com/normalize-package-data/-/normalize-package-data-2.5.0.tgz#e66db1838b200c1dfc233225d12cb36520e234a8" 
@@ -22776,14 +22770,14 @@ re-resizable@^6.1.1: dependencies: fast-memoize "^2.5.1" -re2@1.17.7: - version "1.17.7" - resolved "https://registry.yarnpkg.com/re2/-/re2-1.17.7.tgz#e14cab85a177a5534c7215c322d1b043c55aa1e9" - integrity sha512-X8GSuiBoVWwcjuppqSjsIkRxNUKDdjhkO9SBekQbZ2ksqWUReCy7DQPWOVpoTnpdtdz5PIpTTxTFzvJv5UMfjA== +re2@1.17.4: + version "1.17.4" + resolved "https://registry.yarnpkg.com/re2/-/re2-1.17.4.tgz#7bf29290bdde963014e77bd2c2e799a6d788386e" + integrity sha512-xyZ4h5PqE8I9tAxTh3G0UttcK5ufrcUxReFjGzfX61vtanNbS1XZHjnwRSyPcLgChI4KLxVgOT/ioZXnUAdoTA== dependencies: - install-artifact-from-github "^1.3.1" - nan "^2.16.0" - node-gyp "^9.0.0" + install-artifact-from-github "^1.3.0" + nan "^2.15.0" + node-gyp "^8.4.1" react-ace@^7.0.5: version "7.0.5" @@ -24013,15 +24007,6 @@ require-from-string@^2.0.2: resolved "https://registry.yarnpkg.com/require-from-string/-/require-from-string-2.0.2.tgz#89a7fdd938261267318eafe14f9c32e598c36909" integrity sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw== -require-in-the-middle@^5.2.0: - version "5.2.0" - resolved "https://registry.yarnpkg.com/require-in-the-middle/-/require-in-the-middle-5.2.0.tgz#4b71e3cc7f59977100af9beb76bf2d056a5a6de2" - integrity sha512-efCx3b+0Z69/LGJmm9Yvi4cqEdxnoGnxYxGxBghkkTTFeXRtTCmmhO0AnAfHz59k957uTSuy8WaHqOs8wbYUWg== - dependencies: - debug "^4.1.1" - module-details-from-path "^1.0.3" - resolve "^1.22.1" - require-in-the-middle@^6.0.0: version "6.0.0" resolved "https://registry.yarnpkg.com/require-in-the-middle/-/require-in-the-middle-6.0.0.tgz#01cc6416286fb5e672d0fe031d996f8bc202509d" 
@@ -26613,12 +26598,7 @@ tslib@^1.10.0, tslib@^1.8.1, tslib@^1.9.0, tslib@^1.9.3: resolved "https://registry.yarnpkg.com/tslib/-/tslib-1.13.0.tgz#c881e13cc7015894ed914862d276436fa9a47043" integrity sha512-i/6DQjL8Xf3be4K/E6Wgpekn5Qasl1usyw++dAA35Ue5orEn65VIxOA+YvNNl9HV3qv70T7CNwjODHZrLwvd1Q== -tslib@^2.0.0, tslib@^2.0.1, tslib@^2.0.3, tslib@^2.1.0, tslib@^2.2.0, tslib@^2.3.1, tslib@~2.4.0: - version "2.4.0" - resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.4.0.tgz#7cecaa7f073ce680a05847aa77be941098f36dc3" - integrity sha512-d6xOpEDfsi2CZVlPQzGeux8XMwLT9hssAsaPYExaQMuYskwb+x1x7J371tWlbBdWHroy99KnVB6qIkUbs5X3UQ== - -tslib@^2.4.0: +tslib@^2.0.0, tslib@^2.0.1, tslib@^2.0.3, tslib@^2.1.0, tslib@^2.2.0, tslib@^2.3.1, tslib@^2.4.0, tslib@~2.4.0: version "2.4.1" resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.4.1.tgz#0d0bfbaac2880b91e22df0768e55be9753a5b17e" integrity sha512-tGyy4dAjRIEwI7BzsB0lynWgOpfqjUdq91XXAlIWD2OwKBH7oCl/GZG/HT4BOHrTlPMOASlMQ7veyTqpmRcrNA== @@ -26793,14 +26773,7 @@ unc-path-regex@^0.1.2: resolved "https://registry.yarnpkg.com/unc-path-regex/-/unc-path-regex-0.1.2.tgz#e73dd3d7b0d7c5ed86fbac6b0ae7d8c6a69d50fa" integrity sha1-5z3T17DXxe2G+6xrCufYxqadUPo= -undici@^5.11.0: - version "5.11.0" - resolved "https://registry.yarnpkg.com/undici/-/undici-5.11.0.tgz#1db25f285821828fc09d3804b9e2e934ae86fc13" - integrity sha512-oWjWJHzFet0Ow4YZBkyiJwiK5vWqEYoH7BINzJAJOLedZ++JpAlCbUktW2GQ2DS2FpKmxD/JMtWUUWl1BtghGw== - dependencies: - busboy "^1.6.0" - -undici@^5.5.1: +undici@^5.11.0, undici@^5.5.1: version "5.14.0" resolved "https://registry.yarnpkg.com/undici/-/undici-5.14.0.tgz#1169d0cdee06a4ffdd30810f6228d57998884d00" integrity sha512-yJlHYw6yXPPsuOH0x2Ib1Km61vu4hLiRRQoafs+WUgX1vO64vgnxiCEN9dpIrhZyHFsai3F0AEj4P9zy19enEQ==