diff --git a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx
index fb083b7a7da2f..5a6759fd07221 100644
--- a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx
+++ b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx
@@ -25,15 +25,15 @@ const AuthenticationTableManage = manageQuery(AuthenticationTable);
 const ID = 'authenticationsOverTimeQuery';
 const authStackByOptions: MatrixHistogramOption[] = [
 {
- text: 'event.type',
- value: 'event.type',
+ text: 'event.outcome',
+ value: 'event.outcome',
 },
 ];
-const DEFAULT_STACK_BY = 'event.type';
+const DEFAULT_STACK_BY = 'event.outcome';
 enum AuthMatrixDataGroup {
- authSuccess = 'authentication_success',
- authFailure = 'authentication_failure',
+ authSuccess = 'success',
+ authFailure = 'failure',
 }
 export const authMatrixDataMappingFields: MatrixHistogramMappingTypes = {
diff --git a/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts
index 333cc79fadabc..b9ed88e91f87d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts
@@ -70,7 +70,7 @@ export const buildQuery = ({
 failures: {
 filter: {
 term: {
- 'event.type': 'authentication_failure',
+ 'event.outcome': 'failure',
 },
 },
 aggs: {
@@ -86,7 +86,7 @@ export const buildQuery = ({
 successes: {
 filter: {
 term: {
- 'event.type': 'authentication_success',
+ 'event.outcome': 'success',
 },
 },
 aggs: {
diff --git a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts
index b82a540900bd0..ed9fbf0ba0646 100644
--- a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts
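Review bot: In the `failures` and `successes` filter aggregations of `buildQuery` (query.dsl.ts hunks @-70 and @-86), the new `term` on `event.outcome` no longer identifies authentication events on its own: `event.outcome` is a generic ECS field that process, network and file events also populate, whereas the removed `event.type: authentication_*` values were self-describing. Unless the top-level query filter built earlier in `buildQuery`, outside this hunk, already restricts results to `event.category: authentication`, every non-authentication event that carries an outcome will be counted as a login success or failure in the hosts table. The matrix-histogram query changed later in this same commit does add such a category guard, so the simplest fix is to mirror it here, e.g. `filter: { bool: { filter: [{ term: { 'event.category': 'authentication' } }, { term: { 'event.outcome': 'failure' } }] } }` (and the `success` twin). `buildQuery` starts and ends outside the hunk.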
+++ b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts
@@ -356,15 +356,15 @@ export const mockKpiHostDetailsUniqueIpsQuery = [
 ];
 const mockAuthAggs = {
- authentication_success: { filter: { term: { 'event.type': 'authentication_success' } } },
+ authentication_success: { filter: { term: { 'event.outcome': 'success' } } },
 authentication_success_histogram: {
 auto_date_histogram: { field: '@timestamp', buckets: '6' },
- aggs: { count: { filter: { term: { 'event.type': 'authentication_success' } } } },
+ aggs: { count: { filter: { term: { 'event.outcome': 'success' } } } },
 },
- authentication_failure: { filter: { term: { 'event.type': 'authentication_failure' } } },
+ authentication_failure: { filter: { term: { 'event.outcome': 'failure' } } },
 authentication_failure_histogram: {
 auto_date_histogram: { field: '@timestamp', buckets: '6' },
- aggs: { count: { filter: { term: { 'event.type': 'authentication_failure' } } } },
+ aggs: { count: { filter: { term: { 'event.outcome': 'failure' } } } },
 },
 };
diff --git a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts
index 5734aa6ee88cc..0b7803d007194 100644
--- a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts
@@ -49,7 +49,7 @@ export const buildAuthQuery = ({
 authentication_success: {
 filter: {
 term: {
- 'event.type': 'authentication_success',
+ 'event.outcome': 'success',
 },
 },
 },
@@ -62,7 +62,7 @@ export const buildAuthQuery = ({
 count: {
 filter: {
 term: {
- 'event.type': 'authentication_success',
+ 'event.outcome': 'success',
 },
 },
 },
@@ -71,7 +71,7 @@ export const buildAuthQuery = ({
 authentication_failure: {
 filter: {
 term: {
- 'event.type': 'authentication_failure',
+ 'event.outcome': 'failure',
 },
 },
 },
@@ -84,7 +84,7 @@ export const buildAuthQuery = ({
 count: {
 filter: {
 term: {
- 'event.type': 'authentication_failure',
+ 'event.outcome': 'failure',
 },
 },
 },
diff --git a/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts
index ccf0d235abdd3..34a3804f974de 100644
--- a/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts
@@ -13,10 +13,21 @@ export const buildAuthenticationsOverTimeQuery = ({
 sourceConfiguration: {
 fields: { timestamp },
 },
- stackByField = 'event.type',
+ stackByField = 'event.outcome',
 }: MatrixHistogramRequestOptions) => {
 const filter = [
 ...createQueryFilterClauses(filterQuery),
+ {
+ bool: {
+ must: [
+ {
+ term: {
+ 'event.category': 'authentication',
+ },
+ },
+ ],
+ },
+ },
 {
 range: {
 [timestamp]: {
@@ -45,7 +56,7 @@ export const buildAuthenticationsOverTimeQuery = ({
 eventActionGroup: {
 terms: {
 field: stackByField,
- include: ['authentication_success', 'authentication_failure'],
+ include: ['success', 'failure'],
 order: {
 _count: 'desc',
 },
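Review bot: The guard added to the `filter` array in `buildAuthenticationsOverTimeQuery` (hunk @-13) wraps a single `term` in `bool.must`, which is redundant inside an array whose entries the query already ANDs together; a bare `{ term: { 'event.category': 'authentication' } }` entry reads the same. A short comment on why the clause exists would help the next reader, e.g. `// event.outcome is a generic ECS field; keep only authentication events so other categories' success/failure don't land in the histogram`. Note too that the `include: ['success', 'failure']` list in hunk @-45 is hard-coded to `event.outcome` values while `stackByField` stays a caller-supplied parameter, so any other stack-by field would silently yield empty buckets — presumably only `event.outcome` is offered by the UI today, but a comment or a guard would make that assumption explicit. The function's body continues outside the hunk.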