diff --git a/.eslintrc.js b/.eslintrc.js index 0c2c78cd1dd7f..60f3ae1528fbc 100644 --- a/.eslintrc.js +++ b/.eslintrc.js @@ -156,6 +156,78 @@ const DEV_PATTERNS = [ 'x-pack/plugins/*/server/scripts/**/*', ]; +/** Restricted imports with suggested alternatives */ +const RESTRICTED_IMPORTS = [ + { + name: 'lodash', + importNames: ['set', 'setWith'], + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash.set', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash.setwith', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash/set', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash/setWith', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash/fp', + importNames: ['set', 'setWith', 'assoc', 'assocPath'], + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash/fp/set', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash/fp/setWith', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash/fp/assoc', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash/fp/assocPath', + message: 'Please use @elastic/safer-lodash-set instead', + }, + { + name: 'lodash', + importNames: ['template'], + message: 'lodash.template is unsafe, and not compatible with our content security policy.', + }, + { + name: 'lodash.template', + message: 'lodash.template is unsafe, and not compatible with our content security policy.', + }, + { + name: 'lodash/template', + message: 'lodash.template is unsafe, and not compatible with our content security policy.', + }, + { + name: 'lodash/fp', + importNames: ['template'], + message: 'lodash.template is unsafe, and not compatible with our content security policy.', + }, + { + name: 'lodash/fp/template', + message: 'lodash.template is unsafe, and not compatible with our content security policy.', + }, + { + name: 'react-use', + message: 'Please use react-use/lib/{method} instead.', + }, +]; + module.exports = { root: true, @@ -668,81 +740,7 @@ module.exports = { 'no-restricted-imports': [ 2, { - paths: [ - { - name: 'lodash', - importNames: ['set', 'setWith'], - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash.set', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash.setwith', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash/set', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash/setWith', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash/fp', - importNames: ['set', 'setWith', 'assoc', 'assocPath'], - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash/fp/set', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash/fp/setWith', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash/fp/assoc', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash/fp/assocPath', - message: 'Please use @elastic/safer-lodash-set instead', - }, - { - name: 'lodash', - importNames: ['template'], - message: - 'lodash.template is unsafe, and not compatible with our content security policy.', - }, - { - name: 'lodash.template', - message: - 'lodash.template is unsafe, and not compatible with our content security policy.', - }, - { - name: 'lodash/template', - message: - 'lodash.template is unsafe, and not compatible with our content security policy.', - }, - { - name: 'lodash/fp', - importNames: ['template'], - message: - 'lodash.template is unsafe, and not compatible with our content security policy.', - }, - { - name: 'lodash/fp/template', - message: - 'lodash.template is unsafe, and not compatible with our content security policy.', - }, - { - name: 'react-use', - message: 'Please use react-use/lib/{method} instead.', - }, - ], + paths: RESTRICTED_IMPORTS, }, ], 'no-restricted-modules': [ @@ -835,6 +833,23 @@ module.exports = { ], }, }, + { + files: ['**/common/**/*.{js,mjs,ts,tsx}', '**/public/**/*.{js,mjs,ts,tsx}'], + rules: { + 'no-restricted-imports': [ + 2, + { + paths: [ + ...RESTRICTED_IMPORTS, + { + name: 'semver', + message: 'Please use "semver/*/{function}" instead', + }, + ], + }, + ], + }, + }, /** * APM and Observability overrides @@ -1582,8 +1597,8 @@ module.exports = { plugins: ['react', '@typescript-eslint'], files: ['x-pack/plugins/osquery/**/*.{js,mjs,ts,tsx}'], rules: { - // 'arrow-body-style': ['error', 'as-needed'], - // 'prefer-arrow-callback': 'error', + 'arrow-body-style': ['error', 'as-needed'], + 'prefer-arrow-callback': 'error', 'no-unused-vars': 'off', 'react/prop-types': 'off', '@typescript-eslint/explicit-module-boundary-types': 'off', diff --git a/package.json b/package.json index 3254077fd5083..47ed5e110b000 100644 --- a/package.json +++ b/package.json @@ -335,7 +335,7 @@ "react-moment-proptypes": "^1.7.0", "react-monaco-editor": "^0.41.2", "react-popper-tooltip": "^2.10.1", - "react-query": "^3.21.1", + "react-query": "^3.27.0", "react-redux": "^7.2.0", "react-resizable": "^1.7.5", "react-resize-detector": "^4.2.0", diff --git a/packages/elastic-apm-generator/src/lib/apm_error.ts b/packages/elastic-apm-generator/src/lib/apm_error.ts new file mode 100644 index 0000000000000..5a48093a26db2 --- /dev/null +++ b/packages/elastic-apm-generator/src/lib/apm_error.ts @@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { Fields } from './entity'; +import { Serializable } from './serializable'; +import { generateLongId, generateShortId } from './utils/generate_id'; + +export class ApmError extends Serializable { + constructor(fields: Fields) { + super({ + ...fields, + 'processor.event': 'error', + 'processor.name': 'error', + 'error.id': generateShortId(), + }); + } + + serialize() { + const [data] = super.serialize(); + data['error.grouping_key'] = generateLongId( + this.fields['error.grouping_name'] || this.fields['error.exception']?.[0]?.message + ); + return [data]; + } +} diff --git a/packages/elastic-apm-generator/src/lib/base_span.ts b/packages/elastic-apm-generator/src/lib/base_span.ts index 6288c16d339b6..f762bf730a717 100644 --- a/packages/elastic-apm-generator/src/lib/base_span.ts +++ b/packages/elastic-apm-generator/src/lib/base_span.ts @@ -10,7 +10,7 @@ import { Fields } from './entity'; import { Serializable } from './serializable'; import { Span } from './span'; import { Transaction } from './transaction'; -import { generateTraceId } from './utils/generate_id'; +import { generateLongId } from './utils/generate_id'; export class BaseSpan extends Serializable { private readonly _children: BaseSpan[] = []; @@ -19,7 +19,7 @@ export class BaseSpan extends Serializable { super({ ...fields, 'event.outcome': 'unknown', - 'trace.id': generateTraceId(), + 'trace.id': generateLongId(), 'processor.name': 'transaction', }); } diff --git a/packages/elastic-apm-generator/src/lib/entity.ts b/packages/elastic-apm-generator/src/lib/entity.ts index 2a4beee652cf7..bf8fc10efd3a7 100644 --- a/packages/elastic-apm-generator/src/lib/entity.ts +++ b/packages/elastic-apm-generator/src/lib/entity.ts @@ -6,6 +6,19 @@ * Side Public License, v 1. */ +export type ApplicationMetricFields = Partial<{ + 'system.process.memory.size': number; + 'system.memory.actual.free': number; + 'system.memory.total': number; + 'system.cpu.total.norm.pct': number; + 'system.process.memory.rss.bytes': number; + 'system.process.cpu.total.norm.pct': number; +}>; + +export interface Exception { + message: string; +} + export type Fields = Partial<{ '@timestamp': number; 'agent.name': string; @@ -14,6 +27,10 @@ export type Fields = Partial<{ 'ecs.version': string; 'event.outcome': string; 'event.ingested': number; + 'error.id': string; + 'error.exception': Exception[]; + 'error.grouping_name': string; + 'error.grouping_key': string; 'host.name': string; 'metricset.name': string; 'observer.version': string; @@ -46,7 +63,8 @@ export type Fields = Partial<{ 'span.destination.service.response_time.count': number; 'span.self_time.count': number; 'span.self_time.sum.us': number; -}>; +}> & + ApplicationMetricFields; export class Entity { constructor(public readonly fields: Fields) { diff --git a/packages/elastic-apm-generator/src/lib/instance.ts b/packages/elastic-apm-generator/src/lib/instance.ts index 4218a9e23f4b4..3570f497c9055 100644 --- a/packages/elastic-apm-generator/src/lib/instance.ts +++ b/packages/elastic-apm-generator/src/lib/instance.ts @@ -6,7 +6,9 @@ * Side Public License, v 1. */ -import { Entity } from './entity'; +import { ApmError } from './apm_error'; +import { ApplicationMetricFields, Entity } from './entity'; +import { Metricset } from './metricset'; import { Span } from './span'; import { Transaction } from './transaction'; @@ -27,4 +29,20 @@ export class Instance extends Entity { 'span.subtype': spanSubtype, }); } + + error(message: string, type?: string, groupingName?: string) { + return new ApmError({ + ...this.fields, + 'error.exception': [{ message, ...(type ? { type } : {}) }], + 'error.grouping_name': groupingName || message, + }); + } + + appMetrics(metrics: ApplicationMetricFields) { + return new Metricset({ + ...this.fields, + 'metricset.name': 'app', + ...metrics, + }); + } } diff --git a/packages/elastic-apm-generator/src/lib/metricset.ts b/packages/elastic-apm-generator/src/lib/metricset.ts index f7abec6fde958..c1ebbea313123 100644 --- a/packages/elastic-apm-generator/src/lib/metricset.ts +++ b/packages/elastic-apm-generator/src/lib/metricset.ts @@ -6,12 +6,15 @@ * Side Public License, v 1. */ +import { Fields } from './entity'; import { Serializable } from './serializable'; -export class Metricset extends Serializable {} - -export function metricset(name: string) { - return new Metricset({ - 'metricset.name': name, - }); +export class Metricset extends Serializable { + constructor(fields: Fields) { + super({ + 'processor.event': 'metric', + 'processor.name': 'metric', + ...fields, + }); + } } diff --git a/packages/elastic-apm-generator/src/lib/output/to_elasticsearch_output.ts b/packages/elastic-apm-generator/src/lib/output/to_elasticsearch_output.ts index b4cae1b41b9a6..d90ce8e01f83d 100644 --- a/packages/elastic-apm-generator/src/lib/output/to_elasticsearch_output.ts +++ b/packages/elastic-apm-generator/src/lib/output/to_elasticsearch_output.ts @@ -25,7 +25,8 @@ export function toElasticsearchOutput(events: Fields[], versionOverride?: string const document = {}; // eslint-disable-next-line guard-for-in for (const key in values) { - set(document, key, values[key as keyof typeof values]); + const val = values[key as keyof typeof values]; + set(document, key, val); } return { _index: `apm-${versionOverride || values['observer.version']}-${values['processor.event']}`, diff --git a/packages/elastic-apm-generator/src/lib/span.ts b/packages/elastic-apm-generator/src/lib/span.ts index 36f7f44816d01..3c8d90f56b78e 100644 --- a/packages/elastic-apm-generator/src/lib/span.ts +++ b/packages/elastic-apm-generator/src/lib/span.ts @@ -8,14 +8,14 @@ import { BaseSpan } from './base_span'; import { Fields } from './entity'; -import { generateEventId } from './utils/generate_id'; +import { generateShortId } from './utils/generate_id'; export class Span extends BaseSpan { constructor(fields: Fields) { super({ ...fields, 'processor.event': 'span', - 'span.id': generateEventId(), + 'span.id': generateShortId(), }); } diff --git a/packages/elastic-apm-generator/src/lib/transaction.ts b/packages/elastic-apm-generator/src/lib/transaction.ts index f615f46710996..3a8d32e1843f8 100644 --- a/packages/elastic-apm-generator/src/lib/transaction.ts +++ b/packages/elastic-apm-generator/src/lib/transaction.ts @@ -6,22 +6,48 @@ * Side Public License, v 1. */ +import { ApmError } from './apm_error'; import { BaseSpan } from './base_span'; import { Fields } from './entity'; -import { generateEventId } from './utils/generate_id'; +import { generateShortId } from './utils/generate_id'; export class Transaction extends BaseSpan { private _sampled: boolean = true; + private readonly _errors: ApmError[] = []; constructor(fields: Fields) { super({ ...fields, 'processor.event': 'transaction', - 'transaction.id': generateEventId(), + 'transaction.id': generateShortId(), 'transaction.sampled': true, }); } + parent(span: BaseSpan) { + super.parent(span); + + this._errors.forEach((error) => { + error.fields['trace.id'] = this.fields['trace.id']; + error.fields['transaction.id'] = this.fields['transaction.id']; + error.fields['transaction.type'] = this.fields['transaction.type']; + }); + + return this; + } + + errors(...errors: ApmError[]) { + errors.forEach((error) => { + error.fields['trace.id'] = this.fields['trace.id']; + error.fields['transaction.id'] = this.fields['transaction.id']; + error.fields['transaction.type'] = this.fields['transaction.type']; + }); + + this._errors.push(...errors); + + return this; + } + duration(duration: number) { this.fields['transaction.duration.us'] = duration * 1000; return this; @@ -35,11 +61,13 @@ export class Transaction extends BaseSpan { serialize() { const [transaction, ...spans] = super.serialize(); + const errors = this._errors.flatMap((error) => error.serialize()); + const events = [transaction]; if (this._sampled) { events.push(...spans); } - return events; + return events.concat(errors); } } diff --git a/packages/elastic-apm-generator/src/lib/utils/generate_id.ts b/packages/elastic-apm-generator/src/lib/utils/generate_id.ts index 6c8b33fc19077..cc372a56209aa 100644 --- a/packages/elastic-apm-generator/src/lib/utils/generate_id.ts +++ b/packages/elastic-apm-generator/src/lib/utils/generate_id.ts @@ -12,14 +12,14 @@ let seq = 0; const namespace = 'f38d5b83-8eee-4f5b-9aa6-2107e15a71e3'; -function generateId() { - return uuidv5(String(seq++), namespace).replace(/-/g, ''); +function generateId(seed?: string) { + return uuidv5(seed ?? String(seq++), namespace).replace(/-/g, ''); } -export function generateEventId() { - return generateId().substr(0, 16); +export function generateShortId(seed?: string) { + return generateId(seed).substr(0, 16); } -export function generateTraceId() { - return generateId().substr(0, 32); +export function generateLongId(seed?: string) { + return generateId(seed).substr(0, 32); } diff --git a/packages/elastic-apm-generator/src/scripts/examples/01_simple_trace.ts b/packages/elastic-apm-generator/src/scripts/examples/01_simple_trace.ts index 7aae2986919c8..f6aad154532c2 100644 --- a/packages/elastic-apm-generator/src/scripts/examples/01_simple_trace.ts +++ b/packages/elastic-apm-generator/src/scripts/examples/01_simple_trace.ts @@ -14,11 +14,11 @@ export function simpleTrace(from: number, to: number) { const range = timerange(from, to); - const transactionName = '100rpm (80% success) failed 1000ms'; + const transactionName = '240rpm/60% 1000ms'; const successfulTraceEvents = range - .interval('30s') - .rate(40) + .interval('1s') + .rate(3) .flatMap((timestamp) => instance .transaction(transactionName) @@ -38,21 +38,39 @@ export function simpleTrace(from: number, to: number) { ); const failedTraceEvents = range - .interval('30s') - .rate(10) + .interval('1s') + .rate(1) .flatMap((timestamp) => instance .transaction(transactionName) .timestamp(timestamp) .duration(1000) .failure() + .errors( + instance.error('[ResponseError] index_not_found_exception').timestamp(timestamp + 50) + ) .serialize() ); + const metricsets = range + .interval('30s') + .rate(1) + .flatMap((timestamp) => + instance + .appMetrics({ + 'system.memory.actual.free': 800, + 'system.memory.total': 1000, + 'system.cpu.total.norm.pct': 0.6, + 'system.process.cpu.total.norm.pct': 0.7, + }) + .timestamp(timestamp) + .serialize() + ); const events = successfulTraceEvents.concat(failedTraceEvents); return [ ...events, + ...metricsets, ...getTransactionMetrics(events), ...getSpanDestinationMetrics(events), ...getBreakdownMetrics(events), diff --git a/packages/elastic-apm-generator/src/test/scenarios/05_transactions_with_errors.test.ts b/packages/elastic-apm-generator/src/test/scenarios/05_transactions_with_errors.test.ts new file mode 100644 index 0000000000000..289fdfa6cf565 --- /dev/null +++ b/packages/elastic-apm-generator/src/test/scenarios/05_transactions_with_errors.test.ts @@ -0,0 +1,66 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ +import { pick } from 'lodash'; +import { service } from '../../index'; +import { Instance } from '../../lib/instance'; + +describe('transactions with errors', () => { + let instance: Instance; + const timestamp = new Date('2021-01-01T00:00:00.000Z').getTime(); + + beforeEach(() => { + instance = service('opbeans-java', 'production', 'java').instance('instance'); + }); + it('generates error events', () => { + const events = instance + .transaction('GET /api') + .timestamp(timestamp) + .errors(instance.error('test error').timestamp(timestamp)) + .serialize(); + + const errorEvents = events.filter((event) => event['processor.event'] === 'error'); + + expect(errorEvents.length).toEqual(1); + + expect( + pick(errorEvents[0], 'processor.event', 'processor.name', 'error.exception', '@timestamp') + ).toEqual({ + 'processor.event': 'error', + 'processor.name': 'error', + '@timestamp': timestamp, + 'error.exception': [{ message: 'test error' }], + }); + }); + + it('sets the transaction and trace id', () => { + const [transaction, error] = instance + .transaction('GET /api') + .timestamp(timestamp) + .errors(instance.error('test error').timestamp(timestamp)) + .serialize(); + + const keys = ['transaction.id', 'trace.id', 'transaction.type']; + + expect(pick(error, keys)).toEqual({ + 'transaction.id': transaction['transaction.id'], + 'trace.id': transaction['trace.id'], + 'transaction.type': 'request', + }); + }); + + it('sets the error grouping key', () => { + const [, error] = instance + .transaction('GET /api') + .timestamp(timestamp) + .errors(instance.error('test error').timestamp(timestamp)) + .serialize(); + + expect(error['error.grouping_name']).toEqual('test error'); + expect(error['error.grouping_key']).toMatchInlineSnapshot(`"8b96fa10a7f85a5d960198627bf50840"`); + }); +}); diff --git a/packages/elastic-apm-generator/src/test/scenarios/06_application_metrics.test.ts b/packages/elastic-apm-generator/src/test/scenarios/06_application_metrics.test.ts new file mode 100644 index 0000000000000..59ca8f0edbe88 --- /dev/null +++ b/packages/elastic-apm-generator/src/test/scenarios/06_application_metrics.test.ts @@ -0,0 +1,64 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ +import { pick } from 'lodash'; +import { service } from '../../index'; +import { Instance } from '../../lib/instance'; + +describe('application metrics', () => { + let instance: Instance; + const timestamp = new Date('2021-01-01T00:00:00.000Z').getTime(); + + beforeEach(() => { + instance = service('opbeans-java', 'production', 'java').instance('instance'); + }); + it('generates application metricsets', () => { + const events = instance + .appMetrics({ + 'system.memory.actual.free': 80, + 'system.memory.total': 100, + }) + .timestamp(timestamp) + .serialize(); + + const appMetrics = events.filter((event) => event['processor.event'] === 'metric'); + + expect(appMetrics.length).toEqual(1); + + expect( + pick( + appMetrics[0], + '@timestamp', + 'agent.name', + 'container.id', + 'metricset.name', + 'processor.event', + 'processor.name', + 'service.environment', + 'service.name', + 'service.node.name', + 'system.memory.actual.free', + 'system.memory.total' + ) + ).toEqual({ + '@timestamp': timestamp, + 'metricset.name': 'app', + 'processor.event': 'metric', + 'processor.name': 'metric', + 'system.memory.actual.free': 80, + 'system.memory.total': 100, + ...pick( + instance.fields, + 'agent.name', + 'container.id', + 'service.environment', + 'service.name', + 'service.node.name' + ), + }); + }); +}); diff --git a/packages/kbn-optimizer/limits.yml b/packages/kbn-optimizer/limits.yml index acce34d2673e1..d1491ba63e6e6 100644 --- a/packages/kbn-optimizer/limits.yml +++ b/packages/kbn-optimizer/limits.yml @@ -8,7 +8,7 @@ pageLoadAssetSize: console: 46091 core: 435325 crossClusterReplication: 65408 - dashboard: 374194 + dashboard: 186763 dashboardEnhanced: 65646 devTools: 38637 discover: 99999 @@ -99,7 +99,7 @@ pageLoadAssetSize: expressionMetricVis: 23121 visTypeMetric: 23332 bfetch: 22837 - kibanaUtils: 97808 + kibanaUtils: 79713 data: 491273 dataViews: 41532 expressions: 140958 diff --git a/src/core/server/saved_objects/migrationsv2/integration_tests/type_registrations.test.ts b/src/core/server/saved_objects/migrationsv2/integration_tests/type_registrations.test.ts index ce4c8078e0c95..7597657e7706c 100644 --- a/src/core/server/saved_objects/migrationsv2/integration_tests/type_registrations.test.ts +++ b/src/core/server/saved_objects/migrationsv2/integration_tests/type_registrations.test.ts @@ -70,6 +70,7 @@ const previouslyRegisteredTypes = [ 'ml-module', 'ml-telemetry', 'monitoring-telemetry', + 'osquery-pack', 'osquery-saved-query', 'osquery-usage-metric', 'osquery-manager-usage-metric', diff --git a/src/core/server/saved_objects/service/lib/aggregations/aggs_types/bucket_aggs.ts b/src/core/server/saved_objects/service/lib/aggregations/aggs_types/bucket_aggs.ts index cf27505e8f073..f85576aa64451 100644 --- a/src/core/server/saved_objects/service/lib/aggregations/aggs_types/bucket_aggs.ts +++ b/src/core/server/saved_objects/service/lib/aggregations/aggs_types/bucket_aggs.ts @@ -16,6 +16,7 @@ import { sortOrderSchema } from './common_schemas'; * - filter * - histogram * - nested + * - reverse_nested * - terms * * Not implemented: @@ -37,7 +38,6 @@ import { sortOrderSchema } from './common_schemas'; * - parent * - range * - rare_terms - * - reverse_nested * - sampler * - significant_terms * - significant_text @@ -76,6 +76,9 @@ export const bucketAggsSchemas: Record = { nested: s.object({ path: s.string(), }), + reverse_nested: s.object({ + path: s.maybe(s.string()), + }), terms: s.object({ field: s.maybe(s.string()), collect_mode: s.maybe(s.string()), diff --git a/src/plugins/dashboard/common/saved_dashboard_references.ts b/src/plugins/dashboard/common/saved_dashboard_references.ts index 95c141b5d4e7b..4b3a379068c48 100644 --- a/src/plugins/dashboard/common/saved_dashboard_references.ts +++ b/src/plugins/dashboard/common/saved_dashboard_references.ts @@ -5,7 +5,7 @@ * in compliance with, at your election, the Elastic License 2.0 or the Server * Side Public License, v 1. */ -import Semver from 'semver'; +import semverGt from 'semver/functions/gt'; import { SavedObjectAttributes, SavedObjectReference } from '../../../core/types'; import { DashboardContainerStateWithType, DashboardPanelState } from './types'; import { EmbeddablePersistableStateService } from '../../embeddable/common/types'; @@ -23,7 +23,7 @@ export interface SavedObjectAttributesAndReferences { } const isPre730Panel = (panel: Record): boolean => { - return 'version' in panel ? Semver.gt('7.3.0', panel.version) : true; + return 'version' in panel ? semverGt('7.3.0', panel.version) : true; }; function dashboardAttributesToState(attributes: SavedObjectAttributes): { diff --git a/src/plugins/kibana_utils/common/persistable_state/migrate_to_latest.ts b/src/plugins/kibana_utils/common/persistable_state/migrate_to_latest.ts index 9481e333819bd..98d1f6da2918f 100644 --- a/src/plugins/kibana_utils/common/persistable_state/migrate_to_latest.ts +++ b/src/plugins/kibana_utils/common/persistable_state/migrate_to_latest.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { compare } from 'semver'; +import compare from 'semver/functions/compare'; import { SerializableRecord } from '@kbn/utility-types'; import { VersionedState, MigrateFunctionsObject } from './types'; diff --git a/x-pack/plugins/apm/scripts/upload-telemetry-data/index.ts b/x-pack/plugins/apm/scripts/upload-telemetry-data/index.ts index c900123c6cee9..6397c79ce4ffb 100644 --- a/x-pack/plugins/apm/scripts/upload-telemetry-data/index.ts +++ b/x-pack/plugins/apm/scripts/upload-telemetry-data/index.ts @@ -17,8 +17,7 @@ import { argv } from 'yargs'; import { Logger } from 'kibana/server'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths import { CollectTelemetryParams } from '../../server/lib/apm_telemetry/collect_data_telemetry'; -// eslint-disable-next-line @kbn/eslint/no-restricted-paths -import { unwrapEsResponse } from '../../../observability/server/utils/unwrap_es_response'; +import { unwrapEsResponse } from '../../../observability/common/utils/unwrap_es_response'; import { downloadTelemetryTemplate } from '../shared/download-telemetry-template'; import { mergeApmTelemetryMapping } from '../../common/apm_telemetry'; import { generateSampleDocuments } from './generate-sample-documents'; diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps.tsx index 42746229e5ace..03b0cc52c53f8 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps.tsx @@ -9,7 +9,9 @@ import React, { useCallback, useMemo } from 'react'; import { EuiText, EuiButton, EuiSpacer } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; import { i18n } from '@kbn/i18n'; -import semver from 'semver'; +import semverMajor from 'semver/functions/major'; +import semverMinor from 'semver/functions/minor'; +import semverPatch from 'semver/functions/patch'; import type { AgentPolicy } from '../../types'; import { useKibanaVersion } from '../../hooks'; @@ -21,9 +23,7 @@ export const DownloadStep = () => { const kibanaVersion = useKibanaVersion(); const kibanaVersionURLString = useMemo( () => - `${semver.major(kibanaVersion)}-${semver.minor(kibanaVersion)}-${semver.patch( - kibanaVersion - )}`, + `${semverMajor(kibanaVersion)}-${semverMinor(kibanaVersion)}-${semverPatch(kibanaVersion)}`, [kibanaVersion] ); return { diff --git a/x-pack/plugins/fleet/server/plugin.ts b/x-pack/plugins/fleet/server/plugin.ts index 697ea0fa30d69..aaee24b39685a 100644 --- a/x-pack/plugins/fleet/server/plugin.ts +++ b/x-pack/plugins/fleet/server/plugin.ts @@ -79,7 +79,7 @@ import { getAgentById, } from './services/agents'; import { registerFleetUsageCollector } from './collectors/register'; -import { getInstallation } from './services/epm/packages'; +import { getInstallation, ensureInstalledPackage } from './services/epm/packages'; import { makeRouterEnforcingSuperuser } from './routes/security'; import { startFleetServerSetup } from './services/fleet_server'; import { FleetArtifactsClient } from './services/artifacts'; @@ -306,6 +306,7 @@ export class FleetPlugin esIndexPatternService: new ESIndexPatternSavedObjectService(), packageService: { getInstallation, + ensureInstalledPackage, }, agentService: { getAgent: getAgentById, diff --git a/x-pack/plugins/fleet/server/services/index.ts b/x-pack/plugins/fleet/server/services/index.ts index ecef04af6b11e..0ec8a1452beb1 100644 --- a/x-pack/plugins/fleet/server/services/index.ts +++ b/x-pack/plugins/fleet/server/services/index.ts @@ -15,7 +15,7 @@ import type { GetAgentStatusResponse } from '../../common'; import type { getAgentById, getAgentsByKuery } from './agents'; import type { agentPolicyService } from './agent_policy'; import * as settingsService from './settings'; -import type { getInstallation } from './epm/packages'; +import type { getInstallation, ensureInstalledPackage } from './epm/packages'; export { ESIndexPatternSavedObjectService } from './es_index_pattern'; export { getRegistryUrl } from './epm/registry/registry_url'; @@ -37,6 +37,7 @@ export interface ESIndexPatternService { export interface PackageService { getInstallation: typeof getInstallation; + ensureInstalledPackage: typeof ensureInstalledPackage; } /** diff --git a/x-pack/plugins/index_management/__jest__/client_integration/helpers/setup_environment.tsx b/x-pack/plugins/index_management/__jest__/client_integration/helpers/setup_environment.tsx index 9f8199215df5b..1682431900a84 100644 --- a/x-pack/plugins/index_management/__jest__/client_integration/helpers/setup_environment.tsx +++ b/x-pack/plugins/index_management/__jest__/client_integration/helpers/setup_environment.tsx @@ -9,7 +9,7 @@ import React from 'react'; import axios from 'axios'; import axiosXhrAdapter from 'axios/lib/adapters/xhr'; import { merge } from 'lodash'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { notificationServiceMock, diff --git a/x-pack/plugins/index_management/public/application/app_context.tsx b/x-pack/plugins/index_management/public/application/app_context.tsx index f562ab9d15a8b..5cd0864a4df21 100644 --- a/x-pack/plugins/index_management/public/application/app_context.tsx +++ b/x-pack/plugins/index_management/public/application/app_context.tsx @@ -7,7 +7,7 @@ import React, { createContext, useContext } from 'react'; import { ScopedHistory } from 'kibana/public'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { ManagementAppMountParams } from 'src/plugins/management/public'; import { UsageCollectionSetup } from 'src/plugins/usage_collection/public'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/__jest__/client_integration/helpers/setup_environment.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/__jest__/client_integration/helpers/setup_environment.tsx index 5e3ae3c1544ae..d80712dfa0fea 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/__jest__/client_integration/helpers/setup_environment.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/__jest__/client_integration/helpers/setup_environment.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; /* eslint-disable-next-line @kbn/eslint/no-restricted-paths */ import '../../../../../../../../../../src/plugins/es_ui_shared/public/components/code_editor/jest_mock'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/edit_field/edit_field.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/edit_field/edit_field.tsx index a751dc3fa72a5..aa6a5e7981cbc 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/edit_field/edit_field.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/edit_field/edit_field.tsx @@ -19,7 +19,7 @@ import { EuiSpacer, EuiCallOut, } from '@elastic/eui'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { documentationService } from '../../../../../../services/documentation'; import { Form, FormHook, FormDataProvider } from '../../../../shared_imports'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/boolean_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/boolean_type.tsx index ad7f7e6d93c41..0ec89de1daf19 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/boolean_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/boolean_type.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { i18n } from '@kbn/i18n'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/date_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/date_type.tsx index ea71e7fcce5d2..db68b14e62ee8 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/date_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/date_type.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { i18n } from '@kbn/i18n'; import { NormalizedField, Field as FieldType } from '../../../../types'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/flattened_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/flattened_type.tsx index 0f58c75ca9cb7..aadc64392db51 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/flattened_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/flattened_type.tsx @@ -7,7 +7,7 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { NormalizedField, Field as FieldType } from '../../../../types'; import { UseField, Field } from '../../../../shared_imports'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/index.ts b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/index.ts index f62a19e55a835..9f1bb05a5b646 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/index.ts +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/index.ts @@ -6,7 +6,7 @@ */ import { ComponentType } from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { MainType, SubType, DataType, NormalizedField, NormalizedFields } from '../../../../types'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/ip_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/ip_type.tsx index 3ea56805829d5..82ca1cd02d2e1 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/ip_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/ip_type.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { NormalizedField, Field as FieldType } from '../../../../types'; import { getFieldConfig } from '../../../../lib'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/keyword_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/keyword_type.tsx index 9d820c1b07636..543a2d3520b72 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/keyword_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/keyword_type.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { i18n } from '@kbn/i18n'; import { documentationService } from '../../../../../../services/documentation'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/numeric_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/numeric_type.tsx index 7035a730f15f4..764db2744f43f 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/numeric_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/numeric_type.tsx @@ -7,7 +7,7 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { NormalizedField, Field as FieldType, ComboBoxOption } from '../../../../types'; import { getFieldConfig } from '../../../../lib'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/range_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/range_type.tsx index 9b8dae490d819..b9fb4950c9a19 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/range_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/range_type.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { NormalizedField, diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/text_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/text_type.tsx index 6857e20dc1ec4..329c896e52528 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/text_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/text_type.tsx @@ -8,7 +8,7 @@ import React from 'react'; import { EuiSpacer, EuiDualRange, EuiFormRow, EuiCallOut } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { documentationService } from '../../../../../../services/documentation'; import { NormalizedField, Field as FieldType } from '../../../../types'; diff --git a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/token_count_type.tsx b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/token_count_type.tsx index 3c0e8a28f3090..cc7816d55cec9 100644 --- a/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/token_count_type.tsx +++ b/x-pack/plugins/index_management/public/application/components/mappings_editor/components/document_fields/fields/field_types/token_count_type.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { i18n } from '@kbn/i18n'; import { documentationService } from '../../../../../../services/documentation'; diff --git a/x-pack/plugins/index_management/public/application/index.tsx b/x-pack/plugins/index_management/public/application/index.tsx index fc64dad0ae7ba..b7a4bd2135147 100644 --- a/x-pack/plugins/index_management/public/application/index.tsx +++ b/x-pack/plugins/index_management/public/application/index.tsx @@ -8,7 +8,7 @@ import React from 'react'; import { Provider } from 'react-redux'; import { render, unmountComponentAtNode } from 'react-dom'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { CoreStart, CoreSetup } from '../../../../../src/core/public'; diff --git a/x-pack/plugins/index_management/public/application/lib/indices.ts b/x-pack/plugins/index_management/public/application/lib/indices.ts index fc93aa6f54448..6d4bbc992a21c 100644 --- a/x-pack/plugins/index_management/public/application/lib/indices.ts +++ b/x-pack/plugins/index_management/public/application/lib/indices.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { MAJOR_VERSION } from '../../../common'; import { Index } from '../../../common'; diff --git a/x-pack/plugins/index_management/public/application/mount_management_section.ts b/x-pack/plugins/index_management/public/application/mount_management_section.ts index 71e0f80365430..48508695bfc98 100644 --- a/x-pack/plugins/index_management/public/application/mount_management_section.ts +++ b/x-pack/plugins/index_management/public/application/mount_management_section.ts @@ -6,7 +6,7 @@ */ import { i18n } from '@kbn/i18n'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { CoreSetup } from 'src/core/public'; import { ManagementAppMountParams } from 'src/plugins/management/public'; import { UsageCollectionSetup } from 'src/plugins/usage_collection/public'; diff --git a/x-pack/plugins/index_management/public/application/store/selectors/indices_filter.test.ts b/x-pack/plugins/index_management/public/application/store/selectors/indices_filter.test.ts index b32f2736a9684..bdb531e41abb2 100644 --- a/x-pack/plugins/index_management/public/application/store/selectors/indices_filter.test.ts +++ b/x-pack/plugins/index_management/public/application/store/selectors/indices_filter.test.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { MAJOR_VERSION } from '../../../../common'; import { ExtensionsService } from '../../../services'; diff --git a/x-pack/plugins/index_management/public/plugin.ts b/x-pack/plugins/index_management/public/plugin.ts index b7e810b15dbf9..4e123b6f474f8 100644 --- a/x-pack/plugins/index_management/public/plugin.ts +++ b/x-pack/plugins/index_management/public/plugin.ts @@ -6,7 +6,7 @@ */ import { i18n } from '@kbn/i18n'; -import { SemVer } from 'semver'; +import SemVer from 'semver/classes/semver'; import { CoreSetup, PluginInitializerContext } from '../../../../src/core/public'; import { setExtensionsService } from './application/store/selectors/extension_service'; diff --git a/x-pack/plugins/infra/common/alerting/metrics/types.ts b/x-pack/plugins/infra/common/alerting/metrics/types.ts index 2e8ad1de3413c..9e8935ddb9968 100644 --- a/x-pack/plugins/infra/common/alerting/metrics/types.ts +++ b/x-pack/plugins/infra/common/alerting/metrics/types.ts @@ -5,7 +5,10 @@ * 2.0. */ import * as rt from 'io-ts'; +import { Unit } from '@elastic/datemath'; import { ANOMALY_THRESHOLD } from '../../infra_ml'; +import { InventoryItemType, SnapshotMetricType } from '../../inventory_models/types'; +import { SnapshotCustomMetricInput } from '../../http_api'; // TODO: Have threshold and inventory alerts import these types from this file instead of from their // local directories @@ -54,3 +57,25 @@ export interface MetricAnomalyParams { threshold: Exclude; influencerFilter: rt.TypeOf | undefined; } + +// Types for the executor + +export interface InventoryMetricConditions { + metric: SnapshotMetricType; + timeSize: number; + timeUnit: Unit; + sourceId?: string; + threshold: number[]; + comparator: Comparator; + customMetric?: SnapshotCustomMetricInput; + warningThreshold?: number[]; + warningComparator?: Comparator; +} + +export interface InventoryMetricThresholdParams { + criteria: InventoryMetricConditions[]; + filterQuery?: string; + nodeType: InventoryItemType; + sourceId?: string; + alertOnNoData?: boolean; +} diff --git a/x-pack/plugins/infra/public/alerting/inventory/rule_data_formatters.ts b/x-pack/plugins/infra/public/alerting/inventory/rule_data_formatters.ts index 30e0de9402191..ee27f1ff09925 100644 --- a/x-pack/plugins/infra/public/alerting/inventory/rule_data_formatters.ts +++ b/x-pack/plugins/infra/public/alerting/inventory/rule_data_formatters.ts @@ -5,15 +5,48 @@ * 2.0. */ -import { ALERT_REASON } from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_RULE_PARAMS, TIMESTAMP } from '@kbn/rule-data-utils'; +import { encode } from 'rison-node'; +import { stringify } from 'query-string'; import { ObservabilityRuleTypeFormatter } from '../../../../observability/public'; +import { InventoryMetricThresholdParams } from '../../../common/alerting/metrics'; export const formatReason: ObservabilityRuleTypeFormatter = ({ fields }) => { const reason = fields[ALERT_REASON] ?? '-'; - const link = '/app/metrics/inventory'; // TODO https://github.com/elastic/kibana/issues/106497 + const ruleParams = parseRuleParams(fields[ALERT_RULE_PARAMS]); + + let link = '/app/metrics/link-to/inventory?'; + + if (ruleParams) { + const linkToParams: Record = { + nodeType: ruleParams.nodeType, + timestamp: Date.parse(fields[TIMESTAMP]), + customMetric: '', + }; + + // We always pick the first criteria metric for the URL + const criteria = ruleParams.criteria[0]; + if (criteria.customMetric && criteria.customMetric.id !== 'alert-custom-metric') { + const customMetric = encode(criteria.customMetric); + linkToParams.customMetric = customMetric; + linkToParams.metric = customMetric; + } else { + linkToParams.metric = encode({ type: criteria.metric }); + } + + link += stringify(linkToParams); + } return { reason, link, }; }; + +function parseRuleParams(params?: string): InventoryMetricThresholdParams | undefined { + try { + return typeof params === 'string' ? JSON.parse(params) : undefined; + } catch (_) { + return; + } +} diff --git a/x-pack/plugins/infra/public/pages/link_to/link_to_metrics.tsx b/x-pack/plugins/infra/public/pages/link_to/link_to_metrics.tsx index 8304e1cdb7262..05a099441b699 100644 --- a/x-pack/plugins/infra/public/pages/link_to/link_to_metrics.tsx +++ b/x-pack/plugins/infra/public/pages/link_to/link_to_metrics.tsx @@ -10,6 +10,7 @@ import { match as RouteMatch, Redirect, Route, Switch } from 'react-router-dom'; import { RedirectToNodeDetail } from './redirect_to_node_detail'; import { RedirectToHostDetailViaIP } from './redirect_to_host_detail_via_ip'; +import { RedirectToInventory } from './redirect_to_inventory'; import { inventoryModels } from '../../../common/inventory_models'; interface LinkToPageProps { @@ -29,6 +30,7 @@ export const LinkToMetricsPage: React.FC = (props) => { path={`${props.match.url}/host-detail-via-ip/:hostIp`} component={RedirectToHostDetailViaIP} /> + ); diff --git a/x-pack/plugins/infra/public/pages/link_to/redirect_to_inventory.tsx b/x-pack/plugins/infra/public/pages/link_to/redirect_to_inventory.tsx new file mode 100644 index 0000000000000..37ddbacf72488 --- /dev/null +++ b/x-pack/plugins/infra/public/pages/link_to/redirect_to_inventory.tsx @@ -0,0 +1,47 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { parse } from 'query-string'; +import { Redirect, RouteComponentProps } from 'react-router-dom'; + +// FIXME what would be the right way to build this query string? +const QUERY_STRING_TEMPLATE = + "?waffleFilter=(expression:'',kind:kuery)&waffleTime=(currentTime:{timestamp},isAutoReloading:!f)&waffleOptions=(accountId:'',autoBounds:!t,boundsOverride:(max:1,min:0),customMetrics:!({customMetric}),customOptions:!(),groupBy:!(),legend:(palette:cool,reverseColors:!f,steps:10),metric:{metric},nodeType:{nodeType},region:'',sort:(by:name,direction:desc),timelineOpen:!f,view:map)"; + +export const RedirectToInventory: React.FC = ({ location }) => { + const parsedQueryString = parseQueryString(location.search); + + const inventoryQueryString = QUERY_STRING_TEMPLATE.replace( + /{(\w+)}/g, + (_, key) => parsedQueryString[key] || '' + ); + + return ; +}; + +function parseQueryString(search: string): Record { + if (search.length === 0) { + return {}; + } + + const obj = parse(search.substring(1)); + + // Force all values into string. If they are empty don't create the keys + for (const key in obj) { + if (Object.hasOwnProperty.call(obj, key)) { + if (!obj[key]) { + delete obj[key]; + } + if (Array.isArray(obj.key)) { + obj[key] = obj[key]![0]; + } + } + } + + return obj as Record; +} diff --git a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.ts b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.ts index 72d9ea9e39def..5cd093c6f1472 100644 --- a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.ts +++ b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.ts @@ -11,7 +11,7 @@ import { ALERT_REASON, ALERT_RULE_PARAMS } from '@kbn/rule-data-utils'; import moment from 'moment'; import { getCustomMetricLabel } from '../../../../common/formatters/get_custom_metric_label'; import { toMetricOpt } from '../../../../common/snapshot_metric_i18n'; -import { AlertStates, InventoryMetricConditions } from './types'; +import { AlertStates } from './types'; import { ActionGroupIdsOf, ActionGroup, @@ -20,10 +20,11 @@ import { RecoveredActionGroup, } from '../../../../../alerting/common'; import { AlertInstance, AlertTypeState } from '../../../../../alerting/server'; -import { InventoryItemType, SnapshotMetricType } from '../../../../common/inventory_models/types'; +import { SnapshotMetricType } from '../../../../common/inventory_models/types'; import { InfraBackendLibs } from '../../infra_types'; import { METRIC_FORMATTERS } from '../../../../common/formatters/snapshot_metric_formats'; import { createFormatter } from '../../../../common/formatters'; +import { InventoryMetricThresholdParams } from '../../../../common/alerting/metrics'; import { buildErrorAlertReason, buildFiredAlertReason, @@ -33,19 +34,10 @@ import { } from '../common/messages'; import { evaluateCondition } from './evaluate_condition'; -interface InventoryMetricThresholdParams { - criteria: InventoryMetricConditions[]; - filterQuery: string | undefined; - nodeType: InventoryItemType; - sourceId?: string; - alertOnNoData?: boolean; -} - type InventoryMetricThresholdAllowedActionGroups = ActionGroupIdsOf< typeof FIRED_ACTIONS | typeof WARNING_ACTIONS >; -export type InventoryMetricThresholdAlertTypeParams = Record; export type InventoryMetricThresholdAlertTypeState = AlertTypeState; // no specific state used export type InventoryMetricThresholdAlertInstanceState = AlertInstanceState; // no specific state used export type InventoryMetricThresholdAlertInstanceContext = AlertInstanceContext; // no specific instance context used @@ -64,14 +56,13 @@ type InventoryMetricThresholdAlertInstanceFactory = ( export const createInventoryMetricThresholdExecutor = (libs: InfraBackendLibs) => libs.metricsRules.createLifecycleRuleExecutor< - InventoryMetricThresholdAlertTypeParams, + InventoryMetricThresholdParams & Record, InventoryMetricThresholdAlertTypeState, InventoryMetricThresholdAlertInstanceState, InventoryMetricThresholdAlertInstanceContext, InventoryMetricThresholdAllowedActionGroups >(async ({ services, params }) => { - const { criteria, filterQuery, sourceId, nodeType, alertOnNoData } = - params as InventoryMetricThresholdParams; + const { criteria, filterQuery, sourceId, nodeType, alertOnNoData } = params; if (criteria.length === 0) throw new Error('Cannot execute an alert with 0 conditions'); const { alertWithLifecycle, savedObjectsClient } = services; const alertInstanceFactory: InventoryMetricThresholdAlertInstanceFactory = (id, reason) => diff --git a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_alert_type.ts b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_alert_type.ts index 5d516f3591419..77c85967e64f6 100644 --- a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_alert_type.ts +++ b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_alert_type.ts @@ -5,7 +5,8 @@ * 2.0. */ -import { schema } from '@kbn/config-schema'; +import { schema, Type } from '@kbn/config-schema'; +import { Unit } from '@elastic/datemath'; import { i18n } from '@kbn/i18n'; import { PluginSetupContract } from '../../../../../alerting/server'; import { @@ -26,21 +27,32 @@ import { metricActionVariableDescription, thresholdActionVariableDescription, } from '../common/messages'; +import { + SnapshotMetricTypeKeys, + SnapshotMetricType, + InventoryItemType, +} from '../../../../common/inventory_models/types'; +import { + SNAPSHOT_CUSTOM_AGGREGATIONS, + SnapshotCustomAggregation, +} from '../../../../common/http_api/snapshot_api'; const condition = schema.object({ threshold: schema.arrayOf(schema.number()), - comparator: oneOfLiterals(Object.values(Comparator)), - timeUnit: schema.string(), + comparator: oneOfLiterals(Object.values(Comparator)) as Type, + timeUnit: schema.string() as Type, timeSize: schema.number(), - metric: schema.string(), + metric: oneOfLiterals(Object.keys(SnapshotMetricTypeKeys)) as Type, warningThreshold: schema.maybe(schema.arrayOf(schema.number())), - warningComparator: schema.maybe(oneOfLiterals(Object.values(Comparator))), + warningComparator: schema.maybe(oneOfLiterals(Object.values(Comparator))) as Type< + Comparator | undefined + >, customMetric: schema.maybe( schema.object({ type: schema.literal('custom'), id: schema.string(), field: schema.string(), - aggregation: schema.string(), + aggregation: oneOfLiterals(SNAPSHOT_CUSTOM_AGGREGATIONS) as Type, label: schema.maybe(schema.string()), }) ), @@ -59,7 +71,7 @@ export async function registerMetricInventoryThresholdAlertType( params: schema.object( { criteria: schema.arrayOf(condition), - nodeType: schema.string(), + nodeType: schema.string() as Type, filterQuery: schema.maybe( schema.string({ validate: validateIsStringElasticsearchJSONFilter }) ), diff --git a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/types.ts b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/types.ts index 120fa47c079ab..829f34d42ee03 100644 --- a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/types.ts +++ b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/types.ts @@ -8,9 +8,9 @@ import { Unit } from '@elastic/datemath'; import { SnapshotCustomMetricInput } from '../../../../common/http_api/snapshot_api'; import { SnapshotMetricType } from '../../../../common/inventory_models/types'; -import { Comparator, AlertStates } from '../common/types'; +import { Comparator, AlertStates, Aggregators } from '../common/types'; -export { Comparator, AlertStates }; +export { Comparator, AlertStates, Aggregators }; export const METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID = 'metrics.alert.inventory.threshold'; diff --git a/x-pack/plugins/observability/server/utils/get_inspect_response.ts b/x-pack/plugins/observability/common/utils/get_inspect_response.ts similarity index 79% rename from x-pack/plugins/observability/server/utils/get_inspect_response.ts rename to x-pack/plugins/observability/common/utils/get_inspect_response.ts index a6792e0cac5fd..55d84b622dc2c 100644 --- a/x-pack/plugins/observability/server/utils/get_inspect_response.ts +++ b/x-pack/plugins/observability/common/utils/get_inspect_response.ts @@ -8,8 +8,8 @@ import { i18n } from '@kbn/i18n'; import type { KibanaRequest } from 'kibana/server'; import type { RequestStatistics, RequestStatus } from '../../../../../src/plugins/inspector'; -import { WrappedElasticsearchClientError } from '../index'; import { InspectResponse } from '../../typings/common'; +import { WrappedElasticsearchClientError } from './unwrap_es_response'; /** * Get statistics to show on inspector tab. @@ -29,19 +29,26 @@ function getStats({ kibanaRequest: KibanaRequest; }) { const stats: RequestStatistics = { - kibanaApiQueryParameters: { - label: i18n.translate('xpack.observability.inspector.stats.kibanaApiQueryParametersLabel', { - defaultMessage: 'Kibana API query parameters', - }), - description: i18n.translate( - 'xpack.observability.inspector.stats.kibanaApiQueryParametersDescription', - { - defaultMessage: - 'The query parameters used in the Kibana API request that initiated the Elasticsearch request.', + ...(kibanaRequest.query + ? { + kibanaApiQueryParameters: { + label: i18n.translate( + 'xpack.observability.inspector.stats.kibanaApiQueryParametersLabel', + { + defaultMessage: 'Kibana API query parameters', + } + ), + description: i18n.translate( + 'xpack.observability.inspector.stats.kibanaApiQueryParametersDescription', + { + defaultMessage: + 'The query parameters used in the Kibana API request that initiated the Elasticsearch request.', + } + ), + value: JSON.stringify(kibanaRequest.query, null, 2), + }, } - ), - value: JSON.stringify(kibanaRequest.query, null, 2), - }, + : {}), kibanaApiRoute: { label: i18n.translate('xpack.observability.inspector.stats.kibanaApiRouteLabel', { defaultMessage: 'Kibana API route', @@ -93,11 +100,17 @@ function getStats({ } if (esResponse?.hits?.total !== undefined) { - const total = esResponse.hits.total as { - relation: string; - value: number; - }; - const hitsTotalValue = total.relation === 'eq' ? `${total.value}` : `> ${total.value}`; + let hitsTotalValue; + + if (typeof esResponse.hits.total === 'number') { + hitsTotalValue = esResponse.hits.total; + } else { + const total = esResponse.hits.total as { + relation: string; + value: number; + }; + hitsTotalValue = total.relation === 'eq' ? `${total.value}` : `> ${total.value}`; + } stats.hitsTotal = { label: i18n.translate('xpack.observability.inspector.stats.hitsTotalLabel', { diff --git a/x-pack/plugins/observability/server/utils/unwrap_es_response.ts b/x-pack/plugins/observability/common/utils/unwrap_es_response.ts similarity index 100% rename from x-pack/plugins/observability/server/utils/unwrap_es_response.ts rename to x-pack/plugins/observability/common/utils/unwrap_es_response.ts diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts index 8c659db559d68..e84f79f88298c 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/series_editor/use_filter_values.ts @@ -12,7 +12,10 @@ import { useAppIndexPatternContext } from '../hooks/use_app_index_pattern'; import { ESFilter } from '../../../../../../../../src/core/types/elasticsearch'; import { PersistableFilter } from '../../../../../../lens/common'; -export function useFilterValues({ field, series, baseFilters }: FilterProps, query?: string) { +export function useFilterValues( + { field, series, baseFilters, label }: FilterProps, + query?: string +) { const { indexPatterns } = useAppIndexPatternContext(series.dataType); const queryFilters: ESFilter[] = []; @@ -28,6 +31,7 @@ export function useFilterValues({ field, series, baseFilters }: FilterProps, que return useValuesList({ query, + label, sourceField: field, time: series.time, keepHistory: true, diff --git a/x-pack/plugins/observability/public/components/shared/field_value_suggestions/index.tsx b/x-pack/plugins/observability/public/components/shared/field_value_suggestions/index.tsx index 1c5da15dd33df..ccb2ea2932f5d 100644 --- a/x-pack/plugins/observability/public/components/shared/field_value_suggestions/index.tsx +++ b/x-pack/plugins/observability/public/components/shared/field_value_suggestions/index.tsx @@ -33,6 +33,7 @@ export function FieldValueSuggestions({ required, allowExclusions = true, cardinalityField, + inspector, asCombobox = true, onChange: onSelectionChange, }: FieldValueSuggestionsProps) { @@ -44,7 +45,9 @@ export function FieldValueSuggestions({ sourceField, filters, time, + inspector, cardinalityField, + label, keepHistory: true, }); diff --git a/x-pack/plugins/observability/public/components/shared/field_value_suggestions/types.ts b/x-pack/plugins/observability/public/components/shared/field_value_suggestions/types.ts index b6de2bafdd852..6f6d520a83154 100644 --- a/x-pack/plugins/observability/public/components/shared/field_value_suggestions/types.ts +++ b/x-pack/plugins/observability/public/components/shared/field_value_suggestions/types.ts @@ -8,6 +8,7 @@ import { PopoverAnchorPosition } from '@elastic/eui'; import { Dispatch, SetStateAction } from 'react'; import { ESFilter } from 'src/core/types/elasticsearch'; +import { IInspectorInfo } from '../../../../../../../src/plugins/data/common'; interface CommonProps { selectedValue?: string[]; @@ -37,6 +38,7 @@ export type FieldValueSuggestionsProps = CommonProps & { onChange: (val?: string[], excludedValue?: string[]) => void; filters: ESFilter[]; time?: { from: string; to: string }; + inspector?: IInspectorInfo; }; export type FieldValueSelectionProps = CommonProps & { diff --git a/x-pack/plugins/observability/public/context/inspector/inspector_context.tsx b/x-pack/plugins/observability/public/context/inspector/inspector_context.tsx index 1d9bd95fa08fa..56498fcaecd5c 100644 --- a/x-pack/plugins/observability/public/context/inspector/inspector_context.tsx +++ b/x-pack/plugins/observability/public/context/inspector/inspector_context.tsx @@ -23,6 +23,13 @@ const value: InspectorContextValue = { export const InspectorContext = createContext(value); +export type AddInspectorRequest = ( + result: FetcherResult<{ + mainStatisticsData?: { _inspect?: InspectResponse }; + _inspect?: InspectResponse; + }> +) => void; + export function InspectorContextProvider({ children }: { children: ReactNode }) { const history = useHistory(); const { inspectorAdapters } = value; diff --git a/x-pack/plugins/observability/public/hooks/use_es_search.ts b/x-pack/plugins/observability/public/hooks/use_es_search.ts index 70ffdbba22c58..bf96cf2c1f2c5 100644 --- a/x-pack/plugins/observability/public/hooks/use_es_search.ts +++ b/x-pack/plugins/observability/public/hooks/use_es_search.ts @@ -9,27 +9,61 @@ import { estypes } from '@elastic/elasticsearch'; import { DataPublicPluginStart } from '../../../../../src/plugins/data/public'; import { ESSearchResponse } from '../../../../../src/core/types/elasticsearch'; import { useKibana } from '../../../../../src/plugins/kibana_react/public'; -import { isCompleteResponse } from '../../../../../src/plugins/data/common'; -import { useFetcher } from './use_fetcher'; +import { IInspectorInfo, isCompleteResponse } from '../../../../../src/plugins/data/common'; +import { FETCH_STATUS, useFetcher } from './use_fetcher'; +import { useInspectorContext } from '../context/inspector/use_inspector_context'; +import { getInspectResponse } from '../../common/utils/get_inspect_response'; export const useEsSearch = ( params: TParams, - fnDeps: any[] + fnDeps: any[], + options: { inspector?: IInspectorInfo; name: string } ) => { const { services: { data }, } = useKibana<{ data: DataPublicPluginStart }>(); + const { name } = options ?? {}; + + const { addInspectorRequest } = useInspectorContext(); + const { data: response = {}, loading } = useFetcher(() => { if (params.index) { + const startTime = Date.now(); return new Promise((resolve) => { const search$ = data.search - .search({ - params, - }) + .search( + { + params, + }, + {} + ) .subscribe({ next: (result) => { if (isCompleteResponse(result)) { + if (addInspectorRequest) { + addInspectorRequest({ + data: { + _inspect: [ + getInspectResponse({ + startTime, + esRequestParams: params, + esResponse: result.rawResponse, + esError: null, + esRequestStatus: 1, + operationName: name, + kibanaRequest: { + route: { + path: '/internal/bsearch', + method: 'POST', + }, + } as any, + }), + ], + }, + status: FETCH_STATUS.SUCCESS, + }); + } // Final result resolve(result); search$.unsubscribe(); diff --git a/x-pack/plugins/observability/public/hooks/use_values_list.ts b/x-pack/plugins/observability/public/hooks/use_values_list.ts index 7f52fff55e706..e2268f7b85244 100644 --- a/x-pack/plugins/observability/public/hooks/use_values_list.ts +++ b/x-pack/plugins/observability/public/hooks/use_values_list.ts @@ -10,16 +10,19 @@ import { useEffect, useState } from 'react'; import useDebounce from 'react-use/lib/useDebounce'; import { ESFilter } from '../../../../../src/core/types/elasticsearch'; import { createEsParams, useEsSearch } from './use_es_search'; +import { IInspectorInfo } from '../../../../../src/plugins/data/common'; import { TRANSACTION_URL } from '../components/shared/exploratory_view/configurations/constants/elasticsearch_fieldnames'; export interface Props { sourceField: string; + label: string; query?: string; indexPatternTitle?: string; filters?: ESFilter[]; time?: { from: string; to: string }; keepHistory?: boolean; cardinalityField?: string; + inspector?: IInspectorInfo; } export interface ListItem { @@ -60,6 +63,7 @@ export const useValuesList = ({ query = '', filters, time, + label, keepHistory, cardinalityField, }: Props): { values: ListItem[]; loading?: boolean } => { @@ -131,7 +135,8 @@ export const useValuesList = ({ }, }, }), - [debouncedQuery, from, to, JSON.stringify(filters), indexPatternTitle, sourceField] + [debouncedQuery, from, to, JSON.stringify(filters), indexPatternTitle, sourceField], + { name: `get${label.replace(/\s/g, '')}ValuesList` } ); useEffect(() => { diff --git a/x-pack/plugins/observability/public/index.ts b/x-pack/plugins/observability/public/index.ts index 22ad95b96f41f..2dd380c3b7683 100644 --- a/x-pack/plugins/observability/public/index.ts +++ b/x-pack/plugins/observability/public/index.ts @@ -83,5 +83,8 @@ export type { export { createObservabilityRuleTypeRegistryMock } from './rules/observability_rule_type_registry_mock'; export type { ExploratoryEmbeddableProps } from './components/shared/exploratory_view/embeddable/embeddable'; -export { InspectorContextProvider } from './context/inspector/inspector_context'; +export { + InspectorContextProvider, + AddInspectorRequest, +} from './context/inspector/inspector_context'; export { useInspectorContext } from './context/inspector/use_inspector_context'; diff --git a/x-pack/plugins/observability/server/index.ts b/x-pack/plugins/observability/server/index.ts index 1e811e0a5278c..77595d1187093 100644 --- a/x-pack/plugins/observability/server/index.ts +++ b/x-pack/plugins/observability/server/index.ts @@ -13,9 +13,12 @@ import { PluginConfigDescriptor, PluginInitializerContext } from 'src/core/serve import { ObservabilityPlugin, ObservabilityPluginSetup } from './plugin'; import { createOrUpdateIndex, Mappings } from './utils/create_or_update_index'; import { ScopedAnnotationsClient } from './lib/annotations/bootstrap_annotations'; -import { unwrapEsResponse, WrappedElasticsearchClientError } from './utils/unwrap_es_response'; +import { + unwrapEsResponse, + WrappedElasticsearchClientError, +} from '../common/utils/unwrap_es_response'; export { rangeQuery, kqlQuery } from './utils/queries'; -export { getInspectResponse } from './utils/get_inspect_response'; +export { getInspectResponse } from '../common/utils/get_inspect_response'; export * from './types'; diff --git a/x-pack/plugins/observability/server/lib/annotations/create_annotations_client.ts b/x-pack/plugins/observability/server/lib/annotations/create_annotations_client.ts index 39a594dcc86ca..98e8908cd60a5 100644 --- a/x-pack/plugins/observability/server/lib/annotations/create_annotations_client.ts +++ b/x-pack/plugins/observability/server/lib/annotations/create_annotations_client.ts @@ -17,7 +17,7 @@ import { } from '../../../common/annotations'; import { createOrUpdateIndex } from '../../utils/create_or_update_index'; import { mappings } from './mappings'; -import { unwrapEsResponse } from '../../utils/unwrap_es_response'; +import { unwrapEsResponse } from '../../../common/utils/unwrap_es_response'; type CreateParams = t.TypeOf; type DeleteParams = t.TypeOf; diff --git a/x-pack/plugins/osquery/common/exact_check.test.ts b/x-pack/plugins/osquery/common/exact_check.test.ts deleted file mode 100644 index d4a4ad4ce76ce..0000000000000 --- a/x-pack/plugins/osquery/common/exact_check.test.ts +++ /dev/null @@ -1,177 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; -import { left, right, Either } from 'fp-ts/lib/Either'; -import { pipe } from 'fp-ts/lib/pipeable'; - -import { exactCheck, findDifferencesRecursive } from './exact_check'; -import { foldLeftRight, getPaths } from './test_utils'; - -describe('exact_check', () => { - test('it returns an error if given extra object properties', () => { - const someType = t.exact( - t.type({ - a: t.string, - }) - ); - const payload = { a: 'test', b: 'test' }; - const decoded = someType.decode(payload); - const checked = exactCheck(payload, decoded); - const message = pipe(checked, foldLeftRight); - expect(getPaths(left(message.errors))).toEqual(['invalid keys "b"']); - expect(message.schema).toEqual({}); - }); - - test('it returns an error if the data type is not as expected', () => { - type UnsafeCastForTest = Either< - t.Errors, - { - a: number; - } - >; - - const someType = t.exact( - t.type({ - a: t.string, - }) - ); - - const payload = { a: 1 }; - const decoded = someType.decode(payload); - const checked = exactCheck(payload, decoded as UnsafeCastForTest); - const message = pipe(checked, foldLeftRight); - expect(getPaths(left(message.errors))).toEqual(['Invalid value "1" supplied to "a"']); - expect(message.schema).toEqual({}); - }); - - test('it does NOT return an error if given normal object properties', () => { - const someType = t.exact( - t.type({ - a: t.string, - }) - ); - const payload = { a: 'test' }; - const decoded = someType.decode(payload); - const checked = exactCheck(payload, decoded); - const message = pipe(checked, foldLeftRight); - expect(getPaths(left(message.errors))).toEqual([]); - expect(message.schema).toEqual(payload); - }); - - test('it will return an existing error and not validate', () => { - const payload = { a: 'test' }; - const validationError: t.ValidationError = { - value: 'Some existing error', - context: [], - message: 'some error', - }; - const error: t.Errors = [validationError]; - const leftValue = left(error); - const checked = exactCheck(payload, leftValue); - const message = pipe(checked, foldLeftRight); - expect(getPaths(left(message.errors))).toEqual(['some error']); - expect(message.schema).toEqual({}); - }); - - test('it will work with a regular "right" payload without any decoding', () => { - const payload = { a: 'test' }; - const rightValue = right(payload); - const checked = exactCheck(payload, rightValue); - const message = pipe(checked, foldLeftRight); - expect(getPaths(left(message.errors))).toEqual([]); - expect(message.schema).toEqual({ a: 'test' }); - }); - - test('it will work with decoding a null payload when the schema expects a null', () => { - const someType = t.union([ - t.exact( - t.type({ - a: t.string, - }) - ), - t.null, - ]); - const payload = null; - const decoded = someType.decode(payload); - const checked = exactCheck(payload, decoded); - const message = pipe(checked, foldLeftRight); - expect(getPaths(left(message.errors))).toEqual([]); - expect(message.schema).toEqual(null); - }); - - test('it should find no differences recursively with two empty objects', () => { - const difference = findDifferencesRecursive({}, {}); - expect(difference).toEqual([]); - }); - - test('it should find a single difference with two objects with different keys', () => { - const difference = findDifferencesRecursive({ a: 1 }, { b: 1 }); - expect(difference).toEqual(['a']); - }); - - test('it should find a two differences with two objects with multiple different keys', () => { - const difference = findDifferencesRecursive({ a: 1, c: 1 }, { b: 1 }); - expect(difference).toEqual(['a', 'c']); - }); - - test('it should find no differences with two objects with the same keys', () => { - const difference = findDifferencesRecursive({ a: 1, b: 1 }, { a: 1, b: 1 }); - expect(difference).toEqual([]); - }); - - test('it should find a difference with two deep objects with different same keys', () => { - const difference = findDifferencesRecursive({ a: 1, b: { c: 1 } }, { a: 1, b: { d: 1 } }); - expect(difference).toEqual(['c']); - }); - - test('it should find a difference within an array', () => { - const difference = findDifferencesRecursive({ a: 1, b: [{ c: 1 }] }, { a: 1, b: [{ a: 1 }] }); - expect(difference).toEqual(['c']); - }); - - test('it should find a no difference when using arrays that are identical', () => { - const difference = findDifferencesRecursive({ a: 1, b: [{ c: 1 }] }, { a: 1, b: [{ c: 1 }] }); - expect(difference).toEqual([]); - }); - - test('it should find differences when one has an array and the other does not', () => { - const difference = findDifferencesRecursive({ a: 1, b: [{ c: 1 }] }, { a: 1 }); - expect(difference).toEqual(['b', '[{"c":1}]']); - }); - - test('it should find differences when one has an deep object and the other does not', () => { - const difference = findDifferencesRecursive({ a: 1, b: { c: 1 } }, { a: 1 }); - expect(difference).toEqual(['b', '{"c":1}']); - }); - - test('it should find differences when one has a deep object with multiple levels and the other does not', () => { - const difference = findDifferencesRecursive({ a: 1, b: { c: { d: 1 } } }, { a: 1 }); - expect(difference).toEqual(['b', '{"c":{"d":1}}']); - }); - - test('it tests two deep objects as the same with no key differences', () => { - const difference = findDifferencesRecursive( - { a: 1, b: { c: { d: 1 } } }, - { a: 1, b: { c: { d: 1 } } } - ); - expect(difference).toEqual([]); - }); - - test('it tests two deep objects with just one deep key difference', () => { - const difference = findDifferencesRecursive( - { a: 1, b: { c: { d: 1 } } }, - { a: 1, b: { c: { e: 1 } } } - ); - expect(difference).toEqual(['d']); - }); - - test('it should not find any differences when the original and decoded are both null', () => { - const difference = findDifferencesRecursive(null, null); - expect(difference).toEqual([]); - }); -}); diff --git a/x-pack/plugins/osquery/common/exact_check.ts b/x-pack/plugins/osquery/common/exact_check.ts deleted file mode 100644 index 5334989ea085b..0000000000000 --- a/x-pack/plugins/osquery/common/exact_check.ts +++ /dev/null @@ -1,94 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; -import { left, Either, fold, right } from 'fp-ts/lib/Either'; -import { pipe } from 'fp-ts/lib/pipeable'; -import { isObject, get } from 'lodash/fp'; - -/** - * Given an original object and a decoded object this will return an error - * if and only if the original object has additional keys that the decoded - * object does not have. If the original decoded already has an error, then - * this will return the error as is and not continue. - * - * NOTE: You MUST use t.exact(...) for this to operate correctly as your schema - * needs to remove additional keys before the compare - * - * You might not need this in the future if the below issue is solved: - * https://github.com/gcanti/io-ts/issues/322 - * - * @param original The original to check if it has additional keys - * @param decoded The decoded either which has either an existing error or the - * decoded object which could have additional keys stripped from it. - * @deprecated Use packages/kbn-securitysolution-io-ts-utils/src/exact_check/index.ts - */ -export const exactCheck = ( - original: unknown, - decoded: Either -): Either => { - const onLeft = (errors: t.Errors): Either => left(errors); - const onRight = (decodedValue: T): Either => { - const differences = findDifferencesRecursive(original, decodedValue); - if (differences.length !== 0) { - const validationError: t.ValidationError = { - value: differences, - context: [], - message: `invalid keys "${differences.join(',')}"`, - }; - const error: t.Errors = [validationError]; - return left(error); - } else { - return right(decodedValue); - } - }; - return pipe(decoded, fold(onLeft, onRight)); -}; - -export const findDifferencesRecursive = (original: unknown, decodedValue: T): string[] => { - if (decodedValue === null && original === null) { - // both the decodedValue and the original are null which indicates that they are equal - // so do not report differences - return []; - } else if (decodedValue == null) { - try { - // It is null and painful when the original contains an object or an array - // the the decoded value does not have. - return [JSON.stringify(original)]; - } catch (err) { - return ['circular reference']; - } - } else if (typeof original !== 'object' || original == null) { - // We are not an object or null so do not report differences - return []; - } else { - const decodedKeys = Object.keys(decodedValue); - const differences = Object.keys(original).flatMap((originalKey) => { - const foundKey = decodedKeys.some((key) => key === originalKey); - const topLevelKey = foundKey ? [] : [originalKey]; - // I use lodash to cheat and get an any (not going to lie ;-)) - const valueObjectOrArrayOriginal = get(originalKey, original); - const valueObjectOrArrayDecoded = get(originalKey, decodedValue); - if (isObject(valueObjectOrArrayOriginal)) { - return [ - ...topLevelKey, - ...findDifferencesRecursive(valueObjectOrArrayOriginal, valueObjectOrArrayDecoded), - ]; - } else if (Array.isArray(valueObjectOrArrayOriginal)) { - return [ - ...topLevelKey, - ...valueObjectOrArrayOriginal.flatMap((arrayElement, index) => - findDifferencesRecursive(arrayElement, get(index, valueObjectOrArrayDecoded)) - ), - ]; - } else { - return topLevelKey; - } - }); - return differences; - } -}; diff --git a/x-pack/plugins/osquery/common/format_errors.test.ts b/x-pack/plugins/osquery/common/format_errors.test.ts deleted file mode 100644 index 9d920de4653c4..0000000000000 --- a/x-pack/plugins/osquery/common/format_errors.test.ts +++ /dev/null @@ -1,179 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; -import { formatErrors } from './format_errors'; - -describe('utils', () => { - test('returns an empty error message string if there are no errors', () => { - const errors: t.Errors = []; - const output = formatErrors(errors); - expect(output).toEqual([]); - }); - - test('returns a single error message if given one', () => { - const validationError: t.ValidationError = { - value: 'Some existing error', - context: [], - message: 'some error', - }; - const errors: t.Errors = [validationError]; - const output = formatErrors(errors); - expect(output).toEqual(['some error']); - }); - - test('returns a two error messages if given two', () => { - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context: [], - message: 'some error 1', - }; - const validationError2: t.ValidationError = { - value: 'Some existing error 2', - context: [], - message: 'some error 2', - }; - const errors: t.Errors = [validationError1, validationError2]; - const output = formatErrors(errors); - expect(output).toEqual(['some error 1', 'some error 2']); - }); - - test('it filters out duplicate error messages', () => { - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context: [], - message: 'some error 1', - }; - const validationError2: t.ValidationError = { - value: 'Some existing error 1', - context: [], - message: 'some error 1', - }; - const errors: t.Errors = [validationError1, validationError2]; - const output = formatErrors(errors); - expect(output).toEqual(['some error 1']); - }); - - test('will use message before context if it is set', () => { - const context: t.Context = [{ key: 'some string key' }] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - message: 'I should be used first', - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual(['I should be used first']); - }); - - test('will use context entry of a single string', () => { - const context: t.Context = [{ key: 'some string key' }] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual(['Invalid value "Some existing error 1" supplied to "some string key"']); - }); - - test('will use two context entries of two strings', () => { - const context: t.Context = [ - { key: 'some string key 1' }, - { key: 'some string key 2' }, - ] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual([ - 'Invalid value "Some existing error 1" supplied to "some string key 1,some string key 2"', - ]); - }); - - test('will filter out and not use any strings of numbers', () => { - const context: t.Context = [{ key: '5' }, { key: 'some string key 2' }] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual([ - 'Invalid value "Some existing error 1" supplied to "some string key 2"', - ]); - }); - - test('will filter out and not use null', () => { - const context: t.Context = [ - { key: null }, - { key: 'some string key 2' }, - ] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual([ - 'Invalid value "Some existing error 1" supplied to "some string key 2"', - ]); - }); - - test('will filter out and not use empty strings', () => { - const context: t.Context = [{ key: '' }, { key: 'some string key 2' }] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual([ - 'Invalid value "Some existing error 1" supplied to "some string key 2"', - ]); - }); - - test('will use a name context if it cannot find a keyContext', () => { - const context: t.Context = [ - { key: '' }, - { key: '', type: { name: 'someName' } }, - ] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual(['Invalid value "Some existing error 1" supplied to "someName"']); - }); - - test('will return an empty string if name does not exist but type does', () => { - const context: t.Context = [{ key: '' }, { key: '', type: {} }] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: 'Some existing error 1', - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual(['Invalid value "Some existing error 1" supplied to ""']); - }); - - test('will stringify an error value', () => { - const context: t.Context = [{ key: '' }, { key: 'some string key 2' }] as unknown as t.Context; - const validationError1: t.ValidationError = { - value: { foo: 'some error' }, - context, - }; - const errors: t.Errors = [validationError1]; - const output = formatErrors(errors); - expect(output).toEqual([ - 'Invalid value "{"foo":"some error"}" supplied to "some string key 2"', - ]); - }); -}); diff --git a/x-pack/plugins/osquery/common/format_errors.ts b/x-pack/plugins/osquery/common/format_errors.ts deleted file mode 100644 index 16925699b0fcf..0000000000000 --- a/x-pack/plugins/osquery/common/format_errors.ts +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; -import { isObject } from 'lodash/fp'; - -/** - * @deprecated Use packages/kbn-securitysolution-io-ts-utils/src/format_errors/index.ts - */ -export const formatErrors = (errors: t.Errors): string[] => { - const err = errors.map((error) => { - if (error.message != null) { - return error.message; - } else { - const keyContext = error.context - .filter( - (entry) => entry.key != null && !Number.isInteger(+entry.key) && entry.key.trim() !== '' - ) - .map((entry) => entry.key) - .join(','); - - const nameContext = error.context.find((entry) => entry.type?.name?.length > 0); - const suppliedValue = - keyContext !== '' ? keyContext : nameContext != null ? nameContext.type.name : ''; - const value = isObject(error.value) ? JSON.stringify(error.value) : error.value; - return `Invalid value "${value}" supplied to "${suppliedValue}"`; - } - }); - - return [...new Set(err)]; -}; diff --git a/x-pack/plugins/osquery/common/index.ts b/x-pack/plugins/osquery/common/index.ts index 6f1a8c55ad191..bec9e75f07ef4 100644 --- a/x-pack/plugins/osquery/common/index.ts +++ b/x-pack/plugins/osquery/common/index.ts @@ -5,10 +5,7 @@ * 2.0. */ -// TODO: https://github.com/elastic/kibana/issues/110906 -/* eslint-disable @kbn/eslint/no_export_all */ - -export * from './constants'; +export { DEFAULT_DARK_MODE, OSQUERY_INTEGRATION_NAME, BASE_PATH } from './constants'; export const PLUGIN_ID = 'osquery'; export const PLUGIN_NAME = 'Osquery'; diff --git a/x-pack/plugins/osquery/common/schemas/common/schemas.ts b/x-pack/plugins/osquery/common/schemas/common/schemas.ts index 1e52080debb9a..2ffb6c5feae54 100644 --- a/x-pack/plugins/osquery/common/schemas/common/schemas.ts +++ b/x-pack/plugins/osquery/common/schemas/common/schemas.ts @@ -39,11 +39,26 @@ export const queryOrUndefined = t.union([query, t.undefined]); export type QueryOrUndefined = t.TypeOf; export const version = t.string; -export type Version = t.TypeOf; +export type Version = t.TypeOf; export const versionOrUndefined = t.union([version, t.undefined]); export type VersionOrUndefined = t.TypeOf; export const interval = t.string; -export type Interval = t.TypeOf; +export type Interval = t.TypeOf; export const intervalOrUndefined = t.union([interval, t.undefined]); export type IntervalOrUndefined = t.TypeOf; + +export const savedQueryId = t.string; +export type SavedQueryId = t.TypeOf; +export const savedQueryIdOrUndefined = t.union([savedQueryId, t.undefined]); +export type SavedQueryIdOrUndefined = t.TypeOf; + +export const ecsMapping = t.record( + t.string, + t.type({ + field: t.string, + }) +); +export type ECSMapping = t.TypeOf; +export const ecsMappingOrUndefined = t.union([ecsMapping, t.undefined]); +export type ECSMappingOrUndefined = t.TypeOf; diff --git a/x-pack/plugins/osquery/common/schemas/routes/action/create_action_request_body_schema.ts b/x-pack/plugins/osquery/common/schemas/routes/action/create_action_request_body_schema.ts index bcbd528c4e749..a85471a95a137 100644 --- a/x-pack/plugins/osquery/common/schemas/routes/action/create_action_request_body_schema.ts +++ b/x-pack/plugins/osquery/common/schemas/routes/action/create_action_request_body_schema.ts @@ -7,11 +7,18 @@ import * as t from 'io-ts'; -import { query, agentSelection } from '../../common/schemas'; +import { + query, + agentSelection, + ecsMappingOrUndefined, + savedQueryIdOrUndefined, +} from '../../common/schemas'; export const createActionRequestBodySchema = t.type({ agentSelection, query, + saved_query_id: savedQueryIdOrUndefined, + ecs_mapping: ecsMappingOrUndefined, }); export type CreateActionRequestBodySchema = t.OutputOf; diff --git a/x-pack/plugins/osquery/common/schemas/routes/saved_query/create_saved_query_request_schema.ts b/x-pack/plugins/osquery/common/schemas/routes/saved_query/create_saved_query_request_schema.ts index 5aa08d9afde4f..7cc803f5584c2 100644 --- a/x-pack/plugins/osquery/common/schemas/routes/saved_query/create_saved_query_request_schema.ts +++ b/x-pack/plugins/osquery/common/schemas/routes/saved_query/create_saved_query_request_schema.ts @@ -9,22 +9,24 @@ import * as t from 'io-ts'; import { id, - description, + descriptionOrUndefined, Description, - platform, + platformOrUndefined, query, - version, + versionOrUndefined, interval, + ecsMappingOrUndefined, } from '../../common/schemas'; import { RequiredKeepUndefined } from '../../../types'; export const createSavedQueryRequestSchema = t.type({ id, - description, - platform, + description: descriptionOrUndefined, + platform: platformOrUndefined, query, - version, + version: versionOrUndefined, interval, + ecs_mapping: ecsMappingOrUndefined, }); export type CreateSavedQueryRequestSchema = t.OutputOf; diff --git a/x-pack/plugins/osquery/common/schemas/types/default_uuid.test.ts b/x-pack/plugins/osquery/common/schemas/types/default_uuid.test.ts index 24c5986d5ef20..b206b4133a811 100644 --- a/x-pack/plugins/osquery/common/schemas/types/default_uuid.test.ts +++ b/x-pack/plugins/osquery/common/schemas/types/default_uuid.test.ts @@ -8,8 +8,7 @@ import { DefaultUuid } from './default_uuid'; import { pipe } from 'fp-ts/lib/pipeable'; import { left } from 'fp-ts/lib/Either'; - -import { foldLeftRight, getPaths } from '../../test_utils'; +import { foldLeftRight, getPaths } from '@kbn/securitysolution-io-ts-utils'; describe('default_uuid', () => { test('it should validate a regular string', () => { diff --git a/x-pack/plugins/osquery/common/schemas/types/non_empty_string.test.ts b/x-pack/plugins/osquery/common/schemas/types/non_empty_string.test.ts index e379bcd5b8ea7..85919dcc27ee1 100644 --- a/x-pack/plugins/osquery/common/schemas/types/non_empty_string.test.ts +++ b/x-pack/plugins/osquery/common/schemas/types/non_empty_string.test.ts @@ -8,8 +8,7 @@ import { NonEmptyString } from './non_empty_string'; import { pipe } from 'fp-ts/lib/pipeable'; import { left } from 'fp-ts/lib/Either'; - -import { foldLeftRight, getPaths } from '../../test_utils'; +import { foldLeftRight, getPaths } from '@kbn/securitysolution-io-ts-utils'; describe('non_empty_string', () => { test('it should validate a regular string', () => { diff --git a/x-pack/plugins/osquery/common/test_utils.ts b/x-pack/plugins/osquery/common/test_utils.ts deleted file mode 100644 index dcf6a2747c3de..0000000000000 --- a/x-pack/plugins/osquery/common/test_utils.ts +++ /dev/null @@ -1,62 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; -import { fold } from 'fp-ts/lib/Either'; -import { pipe } from 'fp-ts/lib/pipeable'; - -import { formatErrors } from './format_errors'; - -interface Message { - errors: t.Errors; - schema: T | {}; -} - -/** - * @deprecated Use packages/kbn-securitysolution-io-ts-utils/src/test_utils/index.ts - */ -const onLeft = (errors: t.Errors): Message => { - return { errors, schema: {} }; -}; - -/** - * @deprecated Use packages/kbn-securitysolution-io-ts-utils/src/test_utils/index.ts - */ -const onRight = (schema: T): Message => { - return { - errors: [], - schema, - }; -}; - -/** - * @deprecated Use packages/kbn-securitysolution-io-ts-utils/src/test_utils/index.ts - */ -export const foldLeftRight = fold(onLeft, onRight); - -/** - * Convenience utility to keep the error message handling within tests to be - * very concise. - * @param validation The validation to get the errors from - * @deprecated Use packages/kbn-securitysolution-io-ts-utils/src/test_utils/index.ts - */ -export const getPaths = (validation: t.Validation): string[] => { - return pipe( - validation, - fold( - (errors) => formatErrors(errors), - () => ['no errors'] - ) - ); -}; - -/** - * Convenience utility to remove text appended to links by EUI - * @deprecated Use packages/kbn-securitysolution-io-ts-utils/src/test_utils/index.ts - */ -export const removeExternalLinkText = (str: string): string => - str.replace(/\(opens in a new tab or window\)/g, ''); diff --git a/x-pack/plugins/osquery/cypress/support/index.ts b/x-pack/plugins/osquery/cypress/support/index.ts index 72618c943f4d2..4fc65f2eac6d0 100644 --- a/x-pack/plugins/osquery/cypress/support/index.ts +++ b/x-pack/plugins/osquery/cypress/support/index.ts @@ -25,6 +25,4 @@ import './commands'; // Alternatively you can use CommonJS syntax: // require('./commands') -Cypress.on('uncaught:exception', () => { - return false; -}); +Cypress.on('uncaught:exception', () => false); diff --git a/x-pack/plugins/osquery/public/actions/actions_table.tsx b/x-pack/plugins/osquery/public/actions/actions_table.tsx index 045c1f67b070d..6f19979345ddf 100644 --- a/x-pack/plugins/osquery/public/actions/actions_table.tsx +++ b/x-pack/plugins/osquery/public/actions/actions_table.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { isArray } from 'lodash'; +import { isArray, pickBy } from 'lodash'; import { i18n } from '@kbn/i18n'; import { EuiBasicTable, EuiButtonIcon, EuiCodeBlock, formatDate } from '@elastic/eui'; import React, { useState, useCallback, useMemo } from 'react'; @@ -72,9 +72,12 @@ const ActionsTableComponent = () => { const handlePlayClick = useCallback( (item) => push('/live_queries/new', { - form: { - query: item._source?.data?.query, - }, + form: pickBy({ + agentIds: item.fields.agents, + query: item._source.data.query, + ecs_mapping: item._source.data.ecs_mapping, + savedQueryId: item._source.data.saved_query_id, + }), }), [push] ); diff --git a/x-pack/plugins/osquery/public/actions/use_action_details.ts b/x-pack/plugins/osquery/public/actions/use_action_details.ts index 445912b27bc93..dfa23247045ef 100644 --- a/x-pack/plugins/osquery/public/actions/use_action_details.ts +++ b/x-pack/plugins/osquery/public/actions/use_action_details.ts @@ -16,15 +16,11 @@ import { ActionDetailsStrategyResponse, } from '../../common/search_strategy'; import { ESTermQuery } from '../../common/typed_json'; - -import { getInspectResponse, InspectResponse } from './helpers'; import { useErrorToast } from '../common/hooks/use_error_toast'; export interface ActionDetailsArgs { actionDetails: Record; id: string; - inspect: InspectResponse; - isInspected: boolean; } interface UseActionDetails { @@ -53,10 +49,9 @@ export const useActionDetails = ({ actionId, filterQuery, skip = false }: UseAct ) .toPromise(); - return { - ...responseData, - inspect: getInspectResponse(responseData, {} as InspectResponse), - }; + if (!responseData.actionDetails) throw new Error(); + + return responseData; }, { enabled: !skip, @@ -67,6 +62,7 @@ export const useActionDetails = ({ actionId, filterQuery, skip = false }: UseAct defaultMessage: 'Error while fetching action details', }), }), + retryDelay: 1000, } ); }; diff --git a/x-pack/plugins/osquery/public/agent_policies/use_agent_policies.ts b/x-pack/plugins/osquery/public/agent_policies/use_agent_policies.ts index 74061915d3b86..ea5e5a768f0af 100644 --- a/x-pack/plugins/osquery/public/agent_policies/use_agent_policies.ts +++ b/x-pack/plugins/osquery/public/agent_policies/use_agent_policies.ts @@ -5,31 +5,38 @@ * 2.0. */ +import { mapKeys } from 'lodash'; import { useQuery } from 'react-query'; import { i18n } from '@kbn/i18n'; import { useKibana } from '../common/lib/kibana'; -import { GetAgentPoliciesResponse, GetAgentPoliciesResponseItem } from '../../../fleet/common'; +import { GetAgentPoliciesResponseItem } from '../../../fleet/common'; import { useErrorToast } from '../common/hooks/use_error_toast'; export const useAgentPolicies = () => { const { http } = useKibana().services; const setErrorToast = useErrorToast(); - return useQuery( - ['agentPolicies'], - () => http.get('/internal/osquery/fleet_wrapper/agent_policies/'), + return useQuery< + GetAgentPoliciesResponseItem[], + unknown, { - initialData: { items: [], total: 0, page: 1, perPage: 100 }, - keepPreviousData: true, - select: (response) => response.items, - onSuccess: () => setErrorToast(), - onError: (error) => - setErrorToast(error as Error, { - title: i18n.translate('xpack.osquery.agent_policies.fetchError', { - defaultMessage: 'Error while fetching agent policies', - }), - }), + agentPoliciesById: Record; + agentPolicies: GetAgentPoliciesResponseItem[]; } - ); + >(['agentPolicies'], () => http.get('/internal/osquery/fleet_wrapper/agent_policies'), { + initialData: [], + keepPreviousData: true, + select: (response) => ({ + agentPoliciesById: mapKeys(response, 'id'), + agentPolicies: response, + }), + onSuccess: () => setErrorToast(), + onError: (error) => + setErrorToast(error as Error, { + title: i18n.translate('xpack.osquery.agent_policies.fetchError', { + defaultMessage: 'Error while fetching agent policies', + }), + }), + }); }; diff --git a/x-pack/plugins/osquery/public/agents/agent_grouper.ts b/x-pack/plugins/osquery/public/agents/agent_grouper.ts index bc4b4129d3b2b..8d234ec8cf905 100644 --- a/x-pack/plugins/osquery/public/agents/agent_grouper.ts +++ b/x-pack/plugins/osquery/public/agents/agent_grouper.ts @@ -16,15 +16,13 @@ import { AGENT_GROUP_KEY, Group, GroupOption, GroupedAgent } from './types'; const getColor = generateColorPicker(); -const generateGroup = (label: string, groupType: AGENT_GROUP_KEY) => { - return { - label, - groupType, - color: getColor(groupType), - size: 0, - data: [] as T[], - }; -}; +const generateGroup = (label: string, groupType: AGENT_GROUP_KEY) => ({ + label, + groupType, + color: getColor(groupType), + size: 0, + data: [] as T[], +}); export const generateAgentOption = ( label: string, diff --git a/x-pack/plugins/osquery/public/agents/agents_table.tsx b/x-pack/plugins/osquery/public/agents/agents_table.tsx index f9363a4d0f120..c99d5a0454f82 100644 --- a/x-pack/plugins/osquery/public/agents/agents_table.tsx +++ b/x-pack/plugins/osquery/public/agents/agents_table.tsx @@ -26,6 +26,7 @@ import { generateSelectedAgentsMessage, ALL_AGENTS_LABEL, AGENT_POLICY_LABEL, + AGENT_SELECTION_LABEL, } from './translations'; import { @@ -65,15 +66,16 @@ const AgentsTableComponent: React.FC = ({ agentSelection, onCh loading: groupsLoading, totalCount: totalNumAgents, groups, + isFetched: groupsFetched, } = useAgentGroups(osqueryPolicyData); const grouper = useMemo(() => new AgentGrouper(), []); - const { isLoading: agentsLoading, data: agents } = useAllAgents( - osqueryPolicyData, - debouncedSearchValue, - { - perPage, - } - ); + const { + isLoading: agentsLoading, + data: agents, + isFetched: agentsFetched, + } = useAllAgents(osqueryPolicyData, debouncedSearchValue, { + perPage, + }); // option related const [options, setOptions] = useState([]); @@ -97,7 +99,24 @@ const AgentsTableComponent: React.FC = ({ agentSelection, onCh if (policyOptions) { const defaultOptions = policyOptions.options?.filter((option) => - agentSelection.policiesSelected.includes(option.label) + // @ts-expect-error update types + agentSelection.policiesSelected.includes(option.key) + ); + + if (defaultOptions?.length) { + setSelectedOptions(defaultOptions); + defaultValueInitialized.current = true; + } + } + } + + if (agentSelection.agents.length) { + const agentOptions = find(['label', AGENT_SELECTION_LABEL], options); + + if (agentOptions) { + const defaultOptions = agentOptions.options?.filter((option) => + // @ts-expect-error update types + agentSelection.agents.includes(option.key) ); if (defaultOptions?.length) { @@ -110,15 +129,26 @@ const AgentsTableComponent: React.FC = ({ agentSelection, onCh }, [agentSelection, options, selectedOptions]); useEffect(() => { - // update the groups when groups or agents have changed - grouper.setTotalAgents(totalNumAgents); - grouper.updateGroup(AGENT_GROUP_KEY.Platform, groups.platforms); - grouper.updateGroup(AGENT_GROUP_KEY.Policy, groups.policies); - // @ts-expect-error update types - grouper.updateGroup(AGENT_GROUP_KEY.Agent, agents); - const newOptions = grouper.generateOptions(); - setOptions(newOptions); - }, [groups.platforms, groups.policies, totalNumAgents, groupsLoading, agents, grouper]); + if (agentsFetched && groupsFetched) { + // update the groups when groups or agents have changed + grouper.setTotalAgents(totalNumAgents); + grouper.updateGroup(AGENT_GROUP_KEY.Platform, groups.platforms); + grouper.updateGroup(AGENT_GROUP_KEY.Policy, groups.policies); + // @ts-expect-error update types + grouper.updateGroup(AGENT_GROUP_KEY.Agent, agents); + const newOptions = grouper.generateOptions(); + setOptions(newOptions); + } + }, [ + groups.platforms, + groups.policies, + totalNumAgents, + groupsLoading, + agents, + agentsFetched, + groupsFetched, + grouper, + ]); const onSelection = useCallback( (selection: GroupOption[]) => { diff --git a/x-pack/plugins/osquery/public/agents/helpers.ts b/x-pack/plugins/osquery/public/agents/helpers.ts index df966a01f1de1..1b9ac9cedcee2 100644 --- a/x-pack/plugins/osquery/public/agents/helpers.ts +++ b/x-pack/plugins/osquery/public/agents/helpers.ts @@ -87,9 +87,10 @@ export const getNumAgentsInGrouping = (selectedGroups: SelectedGroups) => { return sum; }; -export const generateAgentCheck = (selectedGroups: SelectedGroups) => { - return ({ groups }: AgentOptionValue) => { - return Object.keys(groups) +export const generateAgentCheck = + (selectedGroups: SelectedGroups) => + ({ groups }: AgentOptionValue) => + Object.keys(groups) .map((group) => { const selectedGroup = selectedGroups[group]; const agentGroup = groups[group]; @@ -97,8 +98,6 @@ export const generateAgentCheck = (selectedGroups: SelectedGroups) => { return selectedGroup[agentGroup]; }) .every((a) => !a); - }; -}; export const generateAgentSelection = (selection: GroupOption[]) => { const newAgentSelection: AgentSelection = { diff --git a/x-pack/plugins/osquery/public/agents/use_agent_groups.ts b/x-pack/plugins/osquery/public/agents/use_agent_groups.ts index bfa224a23135b..4163861166acf 100644 --- a/x-pack/plugins/osquery/public/agents/use_agent_groups.ts +++ b/x-pack/plugins/osquery/public/agents/use_agent_groups.ts @@ -35,7 +35,7 @@ export const useAgentGroups = ({ osqueryPolicies, osqueryPoliciesLoading }: UseA const [loading, setLoading] = useState(true); const [overlap, setOverlap] = useState(() => ({})); const [totalCount, setTotalCount] = useState(0); - useQuery( + const { isFetched } = useQuery( ['agentGroups'], async () => { const responseData = await data.search @@ -110,6 +110,7 @@ export const useAgentGroups = ({ osqueryPolicies, osqueryPoliciesLoading }: UseA ); return { + isFetched, loading, totalCount, groups: { diff --git a/x-pack/plugins/osquery/public/common/hooks/use_breadcrumbs.tsx b/x-pack/plugins/osquery/public/common/hooks/use_breadcrumbs.tsx index 7b52b330d0148..92660943b1170 100644 --- a/x-pack/plugins/osquery/public/common/hooks/use_breadcrumbs.tsx +++ b/x-pack/plugins/osquery/public/common/hooks/use_breadcrumbs.tsx @@ -101,54 +101,54 @@ const breadcrumbGetters: { text: savedQueryName, }, ], - scheduled_query_groups: () => [ + packs: () => [ BASE_BREADCRUMB, { - text: i18n.translate('xpack.osquery.breadcrumbs.scheduledQueryGroupsPageTitle', { - defaultMessage: 'Scheduled query groups', + text: i18n.translate('xpack.osquery.breadcrumbs.packsPageTitle', { + defaultMessage: 'Packs', }), }, ], - scheduled_query_group_add: () => [ + pack_add: () => [ BASE_BREADCRUMB, { - href: pagePathGetters.scheduled_query_groups(), - text: i18n.translate('xpack.osquery.breadcrumbs.scheduledQueryGroupsPageTitle', { - defaultMessage: 'Scheduled query groups', + href: pagePathGetters.packs(), + text: i18n.translate('xpack.osquery.breadcrumbs.packsPageTitle', { + defaultMessage: 'Packs', }), }, { - text: i18n.translate('xpack.osquery.breadcrumbs.addScheduledQueryGroupsPageTitle', { + text: i18n.translate('xpack.osquery.breadcrumbs.addpacksPageTitle', { defaultMessage: 'Add', }), }, ], - scheduled_query_group_details: ({ scheduledQueryGroupName }) => [ + pack_details: ({ packName }) => [ BASE_BREADCRUMB, { - href: pagePathGetters.scheduled_query_groups(), - text: i18n.translate('xpack.osquery.breadcrumbs.scheduledQueryGroupsPageTitle', { - defaultMessage: 'Scheduled query groups', + href: pagePathGetters.packs(), + text: i18n.translate('xpack.osquery.breadcrumbs.packsPageTitle', { + defaultMessage: 'Packs', }), }, { - text: scheduledQueryGroupName, + text: packName, }, ], - scheduled_query_group_edit: ({ scheduledQueryGroupName, scheduledQueryGroupId }) => [ + pack_edit: ({ packName, packId }) => [ BASE_BREADCRUMB, { - href: pagePathGetters.scheduled_query_groups(), - text: i18n.translate('xpack.osquery.breadcrumbs.scheduledQueryGroupsPageTitle', { - defaultMessage: 'Scheduled query groups', + href: pagePathGetters.packs(), + text: i18n.translate('xpack.osquery.breadcrumbs.packsPageTitle', { + defaultMessage: 'Packs', }), }, { - href: pagePathGetters.scheduled_query_group_details({ scheduledQueryGroupId }), - text: scheduledQueryGroupName, + href: pagePathGetters.pack_details({ packId }), + text: packName, }, { - text: i18n.translate('xpack.osquery.breadcrumbs.editScheduledQueryGroupsPageTitle', { + text: i18n.translate('xpack.osquery.breadcrumbs.editpacksPageTitle', { defaultMessage: 'Edit', }), }, diff --git a/x-pack/plugins/osquery/public/common/index.ts b/x-pack/plugins/osquery/public/common/index.ts index 520c2d2da6d39..377d7af6d8164 100644 --- a/x-pack/plugins/osquery/public/common/index.ts +++ b/x-pack/plugins/osquery/public/common/index.ts @@ -5,7 +5,4 @@ * 2.0. */ -// TODO: https://github.com/elastic/kibana/issues/110906 -/* eslint-disable @kbn/eslint/no_export_all */ - -export * from './helpers'; +export { createFilter } from './helpers'; diff --git a/x-pack/plugins/osquery/public/common/page_paths.ts b/x-pack/plugins/osquery/public/common/page_paths.ts index b1971f9d6ee41..ac3949ab7c412 100644 --- a/x-pack/plugins/osquery/public/common/page_paths.ts +++ b/x-pack/plugins/osquery/public/common/page_paths.ts @@ -10,16 +10,12 @@ export type StaticPage = | 'overview' | 'live_queries' | 'live_query_new' - | 'scheduled_query_groups' - | 'scheduled_query_group_add' + | 'packs' + | 'pack_add' | 'saved_queries' | 'saved_query_new'; -export type DynamicPage = - | 'live_query_details' - | 'scheduled_query_group_details' - | 'scheduled_query_group_edit' - | 'saved_query_edit'; +export type DynamicPage = 'live_query_details' | 'pack_details' | 'pack_edit' | 'saved_query_edit'; export type Page = StaticPage | DynamicPage; @@ -34,10 +30,10 @@ export const PAGE_ROUTING_PATHS = { live_queries: '/live_queries', live_query_new: '/live_queries/new', live_query_details: '/live_queries/:liveQueryId', - scheduled_query_groups: '/scheduled_query_groups', - scheduled_query_group_add: '/scheduled_query_groups/add', - scheduled_query_group_details: '/scheduled_query_groups/:scheduledQueryGroupId', - scheduled_query_group_edit: '/scheduled_query_groups/:scheduledQueryGroupId/edit', + packs: '/packs', + pack_add: '/packs/add', + pack_details: '/packs/:packId', + pack_edit: '/packs/:packId/edit', }; export const pagePathGetters: { @@ -53,10 +49,8 @@ export const pagePathGetters: { saved_queries: () => '/saved_queries', saved_query_new: () => '/saved_queries/new', saved_query_edit: ({ savedQueryId }) => `/saved_queries/${savedQueryId}`, - scheduled_query_groups: () => '/scheduled_query_groups', - scheduled_query_group_add: () => '/scheduled_query_groups/add', - scheduled_query_group_details: ({ scheduledQueryGroupId }) => - `/scheduled_query_groups/${scheduledQueryGroupId}`, - scheduled_query_group_edit: ({ scheduledQueryGroupId }) => - `/scheduled_query_groups/${scheduledQueryGroupId}/edit`, + packs: () => '/packs', + pack_add: () => '/packs/add', + pack_details: ({ packId }) => `/packs/${packId}`, + pack_edit: ({ packId }) => `/packs/${packId}/edit`, }; diff --git a/x-pack/plugins/osquery/public/common/schemas/ecs/v1.11.0.json b/x-pack/plugins/osquery/public/common/schemas/ecs/v1.11.0.json deleted file mode 100644 index 406999901961d..0000000000000 --- a/x-pack/plugins/osquery/public/common/schemas/ecs/v1.11.0.json +++ /dev/null @@ -1 +0,0 @@ -[{"field":"labels","type":"object","description":"Custom key/value pairs."},{"field":"message","type":"text","description":"Log message optimized for viewing in a log viewer."},{"field":"tags","type":"keyword","description":"List of keywords used to tag each event."},{"field":"agent.build.original","type":"keyword","description":"Extended build information for the agent."},{"field":"client.address","type":"keyword","description":"Client network address."},{"field":"client.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"client.as.organization.name","type":"keyword","description":"Organization name."},{"field":"client.as.organization.name.text","type":"text","description":"Organization name."},{"field":"client.bytes","type":"long","description":"Bytes sent from the client to the server."},{"field":"client.domain","type":"keyword","description":"Client domain."},{"field":"client.geo.city_name","type":"keyword","description":"City name."},{"field":"client.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"client.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"client.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"client.geo.country_name","type":"keyword","description":"Country name."},{"field":"client.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"client.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"client.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"client.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"client.geo.region_name","type":"keyword","description":"Region name."},{"field":"client.geo.timezone","type":"keyword","description":"Time zone."},{"field":"client.ip","type":"ip","description":"IP address of the client."},{"field":"client.mac","type":"keyword","description":"MAC address of the client."},{"field":"client.nat.ip","type":"ip","description":"Client NAT ip address"},{"field":"client.nat.port","type":"long","description":"Client NAT port"},{"field":"client.packets","type":"long","description":"Packets sent from the client to the server."},{"field":"client.port","type":"long","description":"Port of the client."},{"field":"client.registered_domain","type":"keyword","description":"The highest registered client domain, stripped of the subdomain."},{"field":"client.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"client.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"client.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"client.user.email","type":"keyword","description":"User email address."},{"field":"client.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"client.user.full_name.text","type":"text","description":"User's full name, if available."},{"field":"client.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"client.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"client.user.group.name","type":"keyword","description":"Name of the group."},{"field":"client.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"client.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"client.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"client.user.name.text","type":"text","description":"Short name or login of the user."},{"field":"client.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"cloud.account.id","type":"keyword","description":"The cloud account or organization id."},{"field":"cloud.account.name","type":"keyword","description":"The cloud account name."},{"field":"cloud.availability_zone","type":"keyword","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.instance.id","type":"keyword","description":"Instance ID of the host machine."},{"field":"cloud.instance.name","type":"keyword","description":"Instance name of the host machine."},{"field":"cloud.machine.type","type":"keyword","description":"Machine type of the host machine."},{"field":"cloud.project.id","type":"keyword","description":"The cloud project id."},{"field":"cloud.project.name","type":"keyword","description":"The cloud project name."},{"field":"cloud.provider","type":"keyword","description":"Name of the cloud provider."},{"field":"cloud.region","type":"keyword","description":"Region in which this host, resource, or service is located."},{"field":"cloud.service.name","type":"keyword","description":"The cloud service name."},{"field":"container.id","type":"keyword","description":"Unique container id."},{"field":"container.image.name","type":"keyword","description":"Name of the image the container was built on."},{"field":"container.image.tag","type":"keyword","description":"Container image tags."},{"field":"container.labels","type":"object","description":"Image labels."},{"field":"container.name","type":"keyword","description":"Container name."},{"field":"container.runtime","type":"keyword","description":"Runtime managing this container."},{"field":"data_stream.dataset","type":"constant_keyword","description":"The field can contain anything that makes sense to signify the source of the data."},{"field":"data_stream.namespace","type":"constant_keyword","description":"A user defined namespace. Namespaces are useful to allow grouping of data."},{"field":"data_stream.type","type":"constant_keyword","description":"An overarching type for the data stream."},{"field":"destination.address","type":"keyword","description":"Destination network address."},{"field":"destination.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"destination.as.organization.name","type":"keyword","description":"Organization name."},{"field":"destination.as.organization.name.text","type":"text","description":"Organization name."},{"field":"destination.bytes","type":"long","description":"Bytes sent from the destination to the source."},{"field":"destination.domain","type":"keyword","description":"Destination domain."},{"field":"destination.geo.city_name","type":"keyword","description":"City name."},{"field":"destination.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"destination.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"destination.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"destination.geo.country_name","type":"keyword","description":"Country name."},{"field":"destination.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"destination.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"destination.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"destination.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"destination.geo.region_name","type":"keyword","description":"Region name."},{"field":"destination.geo.timezone","type":"keyword","description":"Time zone."},{"field":"destination.ip","type":"ip","description":"IP address of the destination."},{"field":"destination.mac","type":"keyword","description":"MAC address of the destination."},{"field":"destination.nat.ip","type":"ip","description":"Destination NAT ip"},{"field":"destination.nat.port","type":"long","description":"Destination NAT Port"},{"field":"destination.packets","type":"long","description":"Packets sent from the destination to the source."},{"field":"destination.port","type":"long","description":"Port of the destination."},{"field":"destination.registered_domain","type":"keyword","description":"The highest registered destination domain, stripped of the subdomain."},{"field":"destination.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"destination.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"destination.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"destination.user.email","type":"keyword","description":"User email address."},{"field":"destination.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"destination.user.full_name.text","type":"text","description":"User's full name, if available."},{"field":"destination.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"destination.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"destination.user.group.name","type":"keyword","description":"Name of the group."},{"field":"destination.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"destination.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"destination.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"destination.user.name.text","type":"text","description":"Short name or login of the user."},{"field":"destination.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"dll.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"dll.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"dll.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"dll.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"dll.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"dll.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"dll.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"dll.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"dll.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"dll.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"dll.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"dll.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"dll.name","type":"keyword","description":"Name of the library."},{"field":"dll.path","type":"keyword","description":"Full file path of the library."},{"field":"dll.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"dll.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"dll.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"dll.pe.file_version","type":"keyword","description":"Process name."},{"field":"dll.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"dll.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"dll.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"dns.answers","type":"object","description":"Array of DNS answers."},{"field":"dns.answers.class","type":"keyword","description":"The class of DNS data contained in this resource record."},{"field":"dns.answers.data","type":"keyword","description":"The data describing the resource."},{"field":"dns.answers.name","type":"keyword","description":"The domain name to which this resource record pertains."},{"field":"dns.answers.ttl","type":"long","description":"The time interval in seconds that this resource record may be cached before it should be discarded."},{"field":"dns.answers.type","type":"keyword","description":"The type of data contained in this resource record."},{"field":"dns.header_flags","type":"keyword","description":"Array of DNS header flags."},{"field":"dns.id","type":"keyword","description":"The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response."},{"field":"dns.op_code","type":"keyword","description":"The DNS operation code that specifies the kind of query in the message."},{"field":"dns.question.class","type":"keyword","description":"The class of records being queried."},{"field":"dns.question.name","type":"keyword","description":"The name being queried."},{"field":"dns.question.registered_domain","type":"keyword","description":"The highest registered domain, stripped of the subdomain."},{"field":"dns.question.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"dns.question.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"dns.question.type","type":"keyword","description":"The type of record being queried."},{"field":"dns.resolved_ip","type":"ip","description":"Array containing all IPs seen in answers.data"},{"field":"dns.response_code","type":"keyword","description":"The DNS response code."},{"field":"dns.type","type":"keyword","description":"The type of DNS event captured, query or answer."},{"field":"error.code","type":"keyword","description":"Error code describing the error."},{"field":"error.id","type":"keyword","description":"Unique identifier for the error."},{"field":"error.message","type":"text","description":"Error message."},{"field":"error.stack_trace","type":"keyword","description":"The stack trace of this error in plain text."},{"field":"error.stack_trace.text","type":"text","description":"The stack trace of this error in plain text."},{"field":"error.type","type":"keyword","description":"The type of the error, for example the class name of the exception."},{"field":"event.action","type":"keyword","description":"The action captured by the event."},{"field":"event.category","type":"keyword","description":"Event category. The second categorization field in the hierarchy."},{"field":"event.code","type":"keyword","description":"Identification code for this event."},{"field":"event.created","type":"date","description":"Time when the event was first read by an agent or by your pipeline."},{"field":"event.dataset","type":"keyword","description":"Name of the dataset."},{"field":"event.duration","type":"long","description":"Duration of the event in nanoseconds."},{"field":"event.end","type":"date","description":"event.end contains the date when the event ended or when the activity was last observed."},{"field":"event.hash","type":"keyword","description":"Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity."},{"field":"event.id","type":"keyword","description":"Unique ID to describe the event."},{"field":"event.kind","type":"keyword","description":"The kind of the event. The highest categorization field in the hierarchy."},{"field":"event.original","type":"keyword","description":"Raw text message of entire event."},{"field":"event.outcome","type":"keyword","description":"The outcome of the event. The lowest level categorization field in the hierarchy."},{"field":"event.provider","type":"keyword","description":"Source of the event."},{"field":"event.reason","type":"keyword","description":"Reason why this event happened, according to the source"},{"field":"event.reference","type":"keyword","description":"Event reference URL"},{"field":"event.risk_score","type":"float","description":"Risk score or priority of the event (e.g. security solutions). Use your system's original value here."},{"field":"event.risk_score_norm","type":"float","description":"Normalized risk score or priority of the event (0-100)."},{"field":"event.sequence","type":"long","description":"Sequence number of the event."},{"field":"event.severity","type":"long","description":"Numeric severity of the event."},{"field":"event.start","type":"date","description":"event.start contains the date when the event started or when the activity was first observed."},{"field":"event.timezone","type":"keyword","description":"Event time zone."},{"field":"event.type","type":"keyword","description":"Event type. The third categorization field in the hierarchy."},{"field":"event.url","type":"keyword","description":"Event investigation URL"},{"field":"file.accessed","type":"date","description":"Last time the file was accessed."},{"field":"file.attributes","type":"keyword","description":"Array of file attributes."},{"field":"file.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"file.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"file.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"file.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"file.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"file.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"file.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"file.created","type":"date","description":"File creation time."},{"field":"file.ctime","type":"date","description":"Last time the file attributes or metadata changed."},{"field":"file.device","type":"keyword","description":"Device that is the source of the file."},{"field":"file.directory","type":"keyword","description":"Directory where the file is located."},{"field":"file.drive_letter","type":"keyword","description":"Drive letter where the file is located."},{"field":"file.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"file.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"file.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"file.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"file.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"file.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"file.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"file.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"file.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"file.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"file.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"file.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"file.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"file.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"file.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"file.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"file.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"file.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"file.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"file.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"file.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"file.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"file.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"file.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"file.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"file.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"file.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"file.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"file.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"file.extension","type":"keyword","description":"File extension, excluding the leading dot."},{"field":"file.gid","type":"keyword","description":"Primary group ID (GID) of the file."},{"field":"file.group","type":"keyword","description":"Primary group name of the file."},{"field":"file.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"file.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"file.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"file.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"file.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"file.inode","type":"keyword","description":"Inode representing the file in the filesystem."},{"field":"file.mime_type","type":"keyword","description":"Media type of file, document, or arrangement of bytes."},{"field":"file.mode","type":"keyword","description":"Mode of the file in octal representation."},{"field":"file.mtime","type":"date","description":"Last time the file content was modified."},{"field":"file.name","type":"keyword","description":"Name of the file including the extension, without the directory."},{"field":"file.owner","type":"keyword","description":"File owner's username."},{"field":"file.path","type":"keyword","description":"Full path to the file, including the file name."},{"field":"file.path.text","type":"text","description":"Full path to the file, including the file name."},{"field":"file.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"file.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"file.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"file.pe.file_version","type":"keyword","description":"Process name."},{"field":"file.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"file.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"file.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"file.size","type":"long","description":"File size in bytes."},{"field":"file.target_path","type":"keyword","description":"Target path for symlinks."},{"field":"file.target_path.text","type":"text","description":"Target path for symlinks."},{"field":"file.type","type":"keyword","description":"File type (file, dir, or symlink)."},{"field":"file.uid","type":"keyword","description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"file.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"file.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"file.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"file.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"file.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"file.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"file.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"file.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"file.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"file.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"file.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"file.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"file.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"file.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"file.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"file.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"file.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"file.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"file.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"file.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"file.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"file.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"group.name","type":"keyword","description":"Name of the group."},{"field":"host.cpu.usage","type":"scaled_float","description":"Percent CPU used, between 0 and 1."},{"field":"host.disk.read.bytes","type":"long","description":"The number of bytes read by all disks."},{"field":"host.disk.write.bytes","type":"long","description":"The number of bytes written on all disks."},{"field":"host.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"host.geo.city_name","type":"keyword","description":"City name."},{"field":"host.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"host.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"host.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"host.geo.country_name","type":"keyword","description":"Country name."},{"field":"host.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"host.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"host.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"host.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"host.geo.region_name","type":"keyword","description":"Region name."},{"field":"host.geo.timezone","type":"keyword","description":"Time zone."},{"field":"host.name","type":"keyword","description":"Name of the host."},{"field":"host.network.egress.bytes","type":"long","description":"The number of bytes sent on all network interfaces."},{"field":"host.network.egress.packets","type":"long","description":"The number of packets sent on all network interfaces."},{"field":"host.network.ingress.bytes","type":"long","description":"The number of bytes received on all network interfaces."},{"field":"host.network.ingress.packets","type":"long","description":"The number of packets received on all network interfaces."},{"field":"host.os.full","type":"keyword","description":"Operating system name, including the version or code name."},{"field":"host.os.full.text","type":"text","description":"Operating system name, including the version or code name."},{"field":"host.os.name.text","type":"text","description":"Operating system name, without the version."},{"field":"host.os.platform","type":"keyword","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"host.type","type":"keyword","description":"Type of host."},{"field":"host.uptime","type":"long","description":"Seconds the host has been up."},{"field":"host.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"host.user.email","type":"keyword","description":"User email address."},{"field":"host.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"host.user.full_name.text","type":"text","description":"User's full name, if available."},{"field":"host.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"host.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"host.user.group.name","type":"keyword","description":"Name of the group."},{"field":"host.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"host.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"host.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"host.user.name.text","type":"text","description":"Short name or login of the user."},{"field":"host.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"http.request.body.bytes","type":"long","description":"Size in bytes of the request body."},{"field":"http.request.body.content","type":"keyword","description":"The full HTTP request body."},{"field":"http.request.body.content.text","type":"text","description":"The full HTTP request body."},{"field":"http.request.bytes","type":"long","description":"Total size in bytes of the request (body and headers)."},{"field":"http.request.id","type":"keyword","description":"HTTP request ID."},{"field":"http.request.method","type":"keyword","description":"HTTP request method."},{"field":"http.request.mime_type","type":"keyword","description":"Mime type of the body of the request."},{"field":"http.request.referrer","type":"keyword","description":"Referrer for this HTTP request."},{"field":"http.response.body.bytes","type":"long","description":"Size in bytes of the response body."},{"field":"http.response.body.content","type":"keyword","description":"The full HTTP response body."},{"field":"http.response.body.content.text","type":"text","description":"The full HTTP response body."},{"field":"http.response.bytes","type":"long","description":"Total size in bytes of the response (body and headers)."},{"field":"http.response.mime_type","type":"keyword","description":"Mime type of the body of the response."},{"field":"http.response.status_code","type":"long","description":"HTTP response status code."},{"field":"http.version","type":"keyword","description":"HTTP version."},{"field":"log.file.path","type":"keyword","description":"Full path to the log file this event came from."},{"field":"log.level","type":"keyword","description":"Log level of the log event."},{"field":"log.logger","type":"keyword","description":"Name of the logger."},{"field":"log.origin.file.line","type":"integer","description":"The line number of the file which originated the log event."},{"field":"log.origin.file.name","type":"keyword","description":"The code file which originated the log event."},{"field":"log.origin.function","type":"keyword","description":"The function which originated the log event."},{"field":"log.original","type":"keyword","description":"Deprecated original log message with light interpretation only (encoding, newlines)."},{"field":"log.syslog","type":"object","description":"Syslog metadata"},{"field":"log.syslog.facility.code","type":"long","description":"Syslog numeric facility of the event."},{"field":"log.syslog.facility.name","type":"keyword","description":"Syslog text-based facility of the event."},{"field":"log.syslog.priority","type":"long","description":"Syslog priority of the event."},{"field":"log.syslog.severity.code","type":"long","description":"Syslog numeric severity of the event."},{"field":"log.syslog.severity.name","type":"keyword","description":"Syslog text-based severity of the event."},{"field":"network.application","type":"keyword","description":"Application level protocol name."},{"field":"network.bytes","type":"long","description":"Total bytes transferred in both directions."},{"field":"network.community_id","type":"keyword","description":"A hash of source and destination IPs and ports."},{"field":"network.direction","type":"keyword","description":"Direction of the network traffic."},{"field":"network.forwarded_ip","type":"ip","description":"Host IP address when the source IP address is the proxy."},{"field":"network.iana_number","type":"keyword","description":"IANA Protocol Number."},{"field":"network.inner","type":"object","description":"Inner VLAN tag information"},{"field":"network.inner.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"network.inner.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"network.name","type":"keyword","description":"Name given by operators to sections of their network."},{"field":"network.packets","type":"long","description":"Total packets transferred in both directions."},{"field":"network.protocol","type":"keyword","description":"L7 Network protocol name."},{"field":"network.transport","type":"keyword","description":"Protocol Name corresponding to the field `iana_number`."},{"field":"network.type","type":"keyword","description":"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"},{"field":"network.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"network.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress","type":"object","description":"Object field for egress information"},{"field":"observer.egress.interface.alias","type":"keyword","description":"Interface alias"},{"field":"observer.egress.interface.id","type":"keyword","description":"Interface ID"},{"field":"observer.egress.interface.name","type":"keyword","description":"Interface name"},{"field":"observer.egress.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"observer.egress.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress.zone","type":"keyword","description":"Observer Egress zone"},{"field":"observer.geo.city_name","type":"keyword","description":"City name."},{"field":"observer.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"observer.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"observer.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"observer.geo.country_name","type":"keyword","description":"Country name."},{"field":"observer.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"observer.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"observer.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"observer.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"observer.geo.region_name","type":"keyword","description":"Region name."},{"field":"observer.geo.timezone","type":"keyword","description":"Time zone."},{"field":"observer.hostname","type":"keyword","description":"Hostname of the observer."},{"field":"observer.ingress","type":"object","description":"Object field for ingress information"},{"field":"observer.ingress.interface.alias","type":"keyword","description":"Interface alias"},{"field":"observer.ingress.interface.id","type":"keyword","description":"Interface ID"},{"field":"observer.ingress.interface.name","type":"keyword","description":"Interface name"},{"field":"observer.ingress.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"observer.ingress.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"observer.ingress.zone","type":"keyword","description":"Observer ingress zone"},{"field":"observer.ip","type":"ip","description":"IP addresses of the observer."},{"field":"observer.mac","type":"keyword","description":"MAC addresses of the observer."},{"field":"observer.name","type":"keyword","description":"Custom name of the observer."},{"field":"observer.os.family","type":"keyword","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"observer.os.full","type":"keyword","description":"Operating system name, including the version or code name."},{"field":"observer.os.full.text","type":"text","description":"Operating system name, including the version or code name."},{"field":"observer.os.kernel","type":"keyword","description":"Operating system kernel version as a raw string."},{"field":"observer.os.name","type":"keyword","description":"Operating system name, without the version."},{"field":"observer.os.name.text","type":"text","description":"Operating system name, without the version."},{"field":"observer.os.platform","type":"keyword","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"observer.os.type","type":"keyword","description":"Which commercial OS family (one of: linux, macos, unix or windows)."},{"field":"observer.os.version","type":"keyword","description":"Operating system version as a raw string."},{"field":"observer.product","type":"keyword","description":"The product name of the observer."},{"field":"observer.serial_number","type":"keyword","description":"Observer serial number."},{"field":"observer.type","type":"keyword","description":"The type of the observer the data is coming from."},{"field":"observer.vendor","type":"keyword","description":"Vendor name of the observer."},{"field":"observer.version","type":"keyword","description":"Observer version."},{"field":"orchestrator.api_version","type":"keyword","description":"API version being used to carry out the action"},{"field":"orchestrator.cluster.name","type":"keyword","description":"Name of the cluster."},{"field":"orchestrator.cluster.url","type":"keyword","description":"URL of the API used to manage the cluster."},{"field":"orchestrator.cluster.version","type":"keyword","description":"The version of the cluster."},{"field":"orchestrator.namespace","type":"keyword","description":"Namespace in which the action is taking place."},{"field":"orchestrator.organization","type":"keyword","description":"Organization affected by the event (for multi-tenant orchestrator setups)."},{"field":"orchestrator.resource.name","type":"keyword","description":"Name of the resource being acted upon."},{"field":"orchestrator.resource.type","type":"keyword","description":"Type of resource being acted upon."},{"field":"orchestrator.type","type":"keyword","description":"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."},{"field":"organization.id","type":"keyword","description":"Unique identifier for the organization."},{"field":"organization.name","type":"keyword","description":"Organization name."},{"field":"organization.name.text","type":"text","description":"Organization name."},{"field":"package.architecture","type":"keyword","description":"Package architecture."},{"field":"package.build_version","type":"keyword","description":"Build version information"},{"field":"package.checksum","type":"keyword","description":"Checksum of the installed package for verification."},{"field":"package.description","type":"keyword","description":"Description of the package."},{"field":"package.install_scope","type":"keyword","description":"Indicating how the package was installed, e.g. user-local, global."},{"field":"package.installed","type":"date","description":"Time when package was installed."},{"field":"package.license","type":"keyword","description":"Package license"},{"field":"package.name","type":"keyword","description":"Package name"},{"field":"package.path","type":"keyword","description":"Path where the package is installed."},{"field":"package.reference","type":"keyword","description":"Package home page or reference URL"},{"field":"package.size","type":"long","description":"Package size in bytes."},{"field":"package.type","type":"keyword","description":"Package type"},{"field":"package.version","type":"keyword","description":"Package version"},{"field":"process.args","type":"keyword","description":"Array of process arguments."},{"field":"process.args_count","type":"long","description":"Length of the process.args array."},{"field":"process.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"process.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"process.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"process.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"process.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"process.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"process.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.command_line","type":"keyword","description":"Full command line that started the process."},{"field":"process.command_line.text","type":"text","description":"Full command line that started the process."},{"field":"process.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"process.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"process.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"process.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"process.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"process.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"process.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"process.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"process.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"process.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"process.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"process.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"process.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"process.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"process.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"process.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"process.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"process.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"process.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"process.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"process.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"process.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"process.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"process.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"process.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"process.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"process.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"process.entity_id","type":"keyword","description":"Unique identifier for the process."},{"field":"process.executable","type":"keyword","description":"Absolute path to the process executable."},{"field":"process.executable.text","type":"text","description":"Absolute path to the process executable."},{"field":"process.exit_code","type":"long","description":"The exit code of the process."},{"field":"process.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"process.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"process.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"process.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"process.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"process.name","type":"keyword","description":"Process name."},{"field":"process.name.text","type":"text","description":"Process name."},{"field":"process.parent.args","type":"keyword","description":"Array of process arguments."},{"field":"process.parent.args_count","type":"long","description":"Length of the process.args array."},{"field":"process.parent.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"process.parent.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"process.parent.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"process.parent.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"process.parent.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"process.parent.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"process.parent.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.parent.command_line","type":"keyword","description":"Full command line that started the process."},{"field":"process.parent.command_line.text","type":"text","description":"Full command line that started the process."},{"field":"process.parent.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"process.parent.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"process.parent.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"process.parent.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"process.parent.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"process.parent.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.parent.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"process.parent.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"process.parent.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"process.parent.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"process.parent.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.parent.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"process.parent.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"process.parent.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"process.parent.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"process.parent.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"process.parent.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"process.parent.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"process.parent.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"process.parent.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"process.parent.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"process.parent.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"process.parent.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"process.parent.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"process.parent.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"process.parent.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"process.parent.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"process.parent.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"process.parent.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"process.parent.entity_id","type":"keyword","description":"Unique identifier for the process."},{"field":"process.parent.executable","type":"keyword","description":"Absolute path to the process executable."},{"field":"process.parent.executable.text","type":"text","description":"Absolute path to the process executable."},{"field":"process.parent.exit_code","type":"long","description":"The exit code of the process."},{"field":"process.parent.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"process.parent.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"process.parent.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"process.parent.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"process.parent.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"process.parent.name","type":"keyword","description":"Process name."},{"field":"process.parent.name.text","type":"text","description":"Process name."},{"field":"process.parent.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"process.parent.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"process.parent.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"process.parent.pe.file_version","type":"keyword","description":"Process name."},{"field":"process.parent.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"process.parent.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"process.parent.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"process.parent.pgid","type":"long","description":"Identifier of the group of processes the process belongs to."},{"field":"process.parent.pid","type":"long","description":"Process id."},{"field":"process.parent.ppid","type":"long","description":"Parent process' pid."},{"field":"process.parent.start","type":"date","description":"The time the process started."},{"field":"process.parent.thread.id","type":"long","description":"Thread ID."},{"field":"process.parent.thread.name","type":"keyword","description":"Thread name."},{"field":"process.parent.title","type":"keyword","description":"Process title."},{"field":"process.parent.title.text","type":"text","description":"Process title."},{"field":"process.parent.uptime","type":"long","description":"Seconds the process has been up."},{"field":"process.parent.working_directory","type":"keyword","description":"The working directory of the process."},{"field":"process.parent.working_directory.text","type":"text","description":"The working directory of the process."},{"field":"process.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"process.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"process.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"process.pe.file_version","type":"keyword","description":"Process name."},{"field":"process.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"process.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"process.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"process.pgid","type":"long","description":"Identifier of the group of processes the process belongs to."},{"field":"process.pid","type":"long","description":"Process id."},{"field":"process.ppid","type":"long","description":"Parent process' pid."},{"field":"process.start","type":"date","description":"The time the process started."},{"field":"process.thread.id","type":"long","description":"Thread ID."},{"field":"process.thread.name","type":"keyword","description":"Thread name."},{"field":"process.title","type":"keyword","description":"Process title."},{"field":"process.title.text","type":"text","description":"Process title."},{"field":"process.uptime","type":"long","description":"Seconds the process has been up."},{"field":"process.working_directory","type":"keyword","description":"The working directory of the process."},{"field":"process.working_directory.text","type":"text","description":"The working directory of the process."},{"field":"registry.data.bytes","type":"keyword","description":"Original bytes written with base64 encoding."},{"field":"registry.data.strings","type":"keyword","description":"List of strings representing what was written to the registry."},{"field":"registry.data.type","type":"keyword","description":"Standard registry type for encoding contents"},{"field":"registry.hive","type":"keyword","description":"Abbreviated name for the hive."},{"field":"registry.key","type":"keyword","description":"Hive-relative path of keys."},{"field":"registry.path","type":"keyword","description":"Full path, including hive, key and value"},{"field":"registry.value","type":"keyword","description":"Name of the value written."},{"field":"related.hash","type":"keyword","description":"All the hashes seen on your event."},{"field":"related.hosts","type":"keyword","description":"All the host identifiers seen on your event."},{"field":"related.ip","type":"ip","description":"All of the IPs seen on your event."},{"field":"related.user","type":"keyword","description":"All the user names or other user identifiers seen on the event."},{"field":"rule.author","type":"keyword","description":"Rule author"},{"field":"rule.category","type":"keyword","description":"Rule category"},{"field":"rule.description","type":"keyword","description":"Rule description"},{"field":"rule.id","type":"keyword","description":"Rule ID"},{"field":"rule.license","type":"keyword","description":"Rule license"},{"field":"rule.name","type":"keyword","description":"Rule name"},{"field":"rule.reference","type":"keyword","description":"Rule reference URL"},{"field":"rule.ruleset","type":"keyword","description":"Rule ruleset"},{"field":"rule.uuid","type":"keyword","description":"Rule UUID"},{"field":"rule.version","type":"keyword","description":"Rule version"},{"field":"server.address","type":"keyword","description":"Server network address."},{"field":"server.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"server.as.organization.name","type":"keyword","description":"Organization name."},{"field":"server.as.organization.name.text","type":"text","description":"Organization name."},{"field":"server.bytes","type":"long","description":"Bytes sent from the server to the client."},{"field":"server.domain","type":"keyword","description":"Server domain."},{"field":"server.geo.city_name","type":"keyword","description":"City name."},{"field":"server.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"server.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"server.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"server.geo.country_name","type":"keyword","description":"Country name."},{"field":"server.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"server.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"server.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"server.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"server.geo.region_name","type":"keyword","description":"Region name."},{"field":"server.geo.timezone","type":"keyword","description":"Time zone."},{"field":"server.ip","type":"ip","description":"IP address of the server."},{"field":"server.mac","type":"keyword","description":"MAC address of the server."},{"field":"server.nat.ip","type":"ip","description":"Server NAT ip"},{"field":"server.nat.port","type":"long","description":"Server NAT port"},{"field":"server.packets","type":"long","description":"Packets sent from the server to the client."},{"field":"server.port","type":"long","description":"Port of the server."},{"field":"server.registered_domain","type":"keyword","description":"The highest registered server domain, stripped of the subdomain."},{"field":"server.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"server.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"server.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"server.user.email","type":"keyword","description":"User email address."},{"field":"server.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"server.user.full_name.text","type":"text","description":"User's full name, if available."},{"field":"server.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"server.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"server.user.group.name","type":"keyword","description":"Name of the group."},{"field":"server.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"server.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"server.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"server.user.name.text","type":"text","description":"Short name or login of the user."},{"field":"server.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"service.ephemeral_id","type":"keyword","description":"Ephemeral identifier of this service."},{"field":"service.id","type":"keyword","description":"Unique identifier of the running service."},{"field":"service.name","type":"keyword","description":"Name of the service."},{"field":"service.node.name","type":"keyword","description":"Name of the service node."},{"field":"service.state","type":"keyword","description":"Current state of the service."},{"field":"service.type","type":"keyword","description":"The type of the service."},{"field":"service.version","type":"keyword","description":"Version of the service."},{"field":"source.address","type":"keyword","description":"Source network address."},{"field":"source.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"source.as.organization.name","type":"keyword","description":"Organization name."},{"field":"source.as.organization.name.text","type":"text","description":"Organization name."},{"field":"source.bytes","type":"long","description":"Bytes sent from the source to the destination."},{"field":"source.domain","type":"keyword","description":"Source domain."},{"field":"source.geo.city_name","type":"keyword","description":"City name."},{"field":"source.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"source.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"source.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"source.geo.country_name","type":"keyword","description":"Country name."},{"field":"source.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"source.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"source.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"source.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"source.geo.region_name","type":"keyword","description":"Region name."},{"field":"source.geo.timezone","type":"keyword","description":"Time zone."},{"field":"source.ip","type":"ip","description":"IP address of the source."},{"field":"source.mac","type":"keyword","description":"MAC address of the source."},{"field":"source.nat.ip","type":"ip","description":"Source NAT ip"},{"field":"source.nat.port","type":"long","description":"Source NAT port"},{"field":"source.packets","type":"long","description":"Packets sent from the source to the destination."},{"field":"source.port","type":"long","description":"Port of the source."},{"field":"source.registered_domain","type":"keyword","description":"The highest registered source domain, stripped of the subdomain."},{"field":"source.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"source.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"source.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"source.user.email","type":"keyword","description":"User email address."},{"field":"source.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"source.user.full_name.text","type":"text","description":"User's full name, if available."},{"field":"source.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"source.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"source.user.group.name","type":"keyword","description":"Name of the group."},{"field":"source.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"source.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"source.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"source.user.name.text","type":"text","description":"Short name or login of the user."},{"field":"source.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"span.id","type":"keyword","description":"Unique identifier of the span within the scope of its trace."},{"field":"threat.enrichments","type":"nested","description":"List of objects containing indicators enriching the event."},{"field":"threat.enrichments.indicator","type":"object","description":"Object containing indicators enriching the event."},{"field":"threat.enrichments.indicator.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"threat.enrichments.indicator.as.organization.name","type":"keyword","description":"Organization name."},{"field":"threat.enrichments.indicator.as.organization.name.text","type":"text","description":"Organization name."},{"field":"threat.enrichments.indicator.confidence","type":"keyword","description":"Indicator confidence rating"},{"field":"threat.enrichments.indicator.description","type":"keyword","description":"Indicator description"},{"field":"threat.enrichments.indicator.email.address","type":"keyword","description":"Indicator email address"},{"field":"threat.enrichments.indicator.file.accessed","type":"date","description":"Last time the file was accessed."},{"field":"threat.enrichments.indicator.file.attributes","type":"keyword","description":"Array of file attributes."},{"field":"threat.enrichments.indicator.file.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"threat.enrichments.indicator.file.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"threat.enrichments.indicator.file.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"threat.enrichments.indicator.file.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"threat.enrichments.indicator.file.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.enrichments.indicator.file.created","type":"date","description":"File creation time."},{"field":"threat.enrichments.indicator.file.ctime","type":"date","description":"Last time the file attributes or metadata changed."},{"field":"threat.enrichments.indicator.file.device","type":"keyword","description":"Device that is the source of the file."},{"field":"threat.enrichments.indicator.file.directory","type":"keyword","description":"Directory where the file is located."},{"field":"threat.enrichments.indicator.file.drive_letter","type":"keyword","description":"Drive letter where the file is located."},{"field":"threat.enrichments.indicator.file.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"threat.enrichments.indicator.file.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"threat.enrichments.indicator.file.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"threat.enrichments.indicator.file.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.enrichments.indicator.file.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"threat.enrichments.indicator.file.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.enrichments.indicator.file.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"threat.enrichments.indicator.file.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"threat.enrichments.indicator.file.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"threat.enrichments.indicator.file.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"threat.enrichments.indicator.file.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"threat.enrichments.indicator.file.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"threat.enrichments.indicator.file.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"threat.enrichments.indicator.file.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"threat.enrichments.indicator.file.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"threat.enrichments.indicator.file.extension","type":"keyword","description":"File extension, excluding the leading dot."},{"field":"threat.enrichments.indicator.file.gid","type":"keyword","description":"Primary group ID (GID) of the file."},{"field":"threat.enrichments.indicator.file.group","type":"keyword","description":"Primary group name of the file."},{"field":"threat.enrichments.indicator.file.inode","type":"keyword","description":"Inode representing the file in the filesystem."},{"field":"threat.enrichments.indicator.file.mime_type","type":"keyword","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.enrichments.indicator.file.mode","type":"keyword","description":"Mode of the file in octal representation."},{"field":"threat.enrichments.indicator.file.mtime","type":"date","description":"Last time the file content was modified."},{"field":"threat.enrichments.indicator.file.name","type":"keyword","description":"Name of the file including the extension, without the directory."},{"field":"threat.enrichments.indicator.file.owner","type":"keyword","description":"File owner's username."},{"field":"threat.enrichments.indicator.file.path","type":"keyword","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.path.text","type":"text","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.size","type":"long","description":"File size in bytes."},{"field":"threat.enrichments.indicator.file.target_path","type":"keyword","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.target_path.text","type":"text","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.type","type":"keyword","description":"File type (file, dir, or symlink)."},{"field":"threat.enrichments.indicator.file.uid","type":"keyword","description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.enrichments.indicator.first_seen","type":"date","description":"Date/time indicator was first reported."},{"field":"threat.enrichments.indicator.geo.city_name","type":"keyword","description":"City name."},{"field":"threat.enrichments.indicator.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"threat.enrichments.indicator.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"threat.enrichments.indicator.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"threat.enrichments.indicator.geo.country_name","type":"keyword","description":"Country name."},{"field":"threat.enrichments.indicator.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"threat.enrichments.indicator.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"threat.enrichments.indicator.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"threat.enrichments.indicator.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"threat.enrichments.indicator.geo.region_name","type":"keyword","description":"Region name."},{"field":"threat.enrichments.indicator.geo.timezone","type":"keyword","description":"Time zone."},{"field":"threat.enrichments.indicator.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"threat.enrichments.indicator.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"threat.enrichments.indicator.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"threat.enrichments.indicator.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"threat.enrichments.indicator.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"threat.enrichments.indicator.ip","type":"ip","description":"Indicator IP address"},{"field":"threat.enrichments.indicator.last_seen","type":"date","description":"Date/time indicator was last reported."},{"field":"threat.enrichments.indicator.marking.tlp","type":"keyword","description":"Indicator TLP marking"},{"field":"threat.enrichments.indicator.modified_at","type":"date","description":"Date/time indicator was last updated."},{"field":"threat.enrichments.indicator.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"threat.enrichments.indicator.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.pe.file_version","type":"keyword","description":"Process name."},{"field":"threat.enrichments.indicator.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"threat.enrichments.indicator.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.port","type":"long","description":"Indicator port"},{"field":"threat.enrichments.indicator.provider","type":"keyword","description":"Indicator provider"},{"field":"threat.enrichments.indicator.reference","type":"keyword","description":"Indicator reference URL"},{"field":"threat.enrichments.indicator.registry.data.bytes","type":"keyword","description":"Original bytes written with base64 encoding."},{"field":"threat.enrichments.indicator.registry.data.strings","type":"keyword","description":"List of strings representing what was written to the registry."},{"field":"threat.enrichments.indicator.registry.data.type","type":"keyword","description":"Standard registry type for encoding contents"},{"field":"threat.enrichments.indicator.registry.hive","type":"keyword","description":"Abbreviated name for the hive."},{"field":"threat.enrichments.indicator.registry.key","type":"keyword","description":"Hive-relative path of keys."},{"field":"threat.enrichments.indicator.registry.path","type":"keyword","description":"Full path, including hive, key and value"},{"field":"threat.enrichments.indicator.registry.value","type":"keyword","description":"Name of the value written."},{"field":"threat.enrichments.indicator.scanner_stats","type":"long","description":"Scanner statistics"},{"field":"threat.enrichments.indicator.sightings","type":"long","description":"Number of times indicator observed"},{"field":"threat.enrichments.indicator.type","type":"keyword","description":"Type of indicator"},{"field":"threat.enrichments.indicator.url.domain","type":"keyword","description":"Domain of the url."},{"field":"threat.enrichments.indicator.url.extension","type":"keyword","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.enrichments.indicator.url.fragment","type":"keyword","description":"Portion of the url after the `#`."},{"field":"threat.enrichments.indicator.url.full","type":"keyword","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.full.text","type":"text","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.original","type":"keyword","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.original.text","type":"text","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.password","type":"keyword","description":"Password of the request."},{"field":"threat.enrichments.indicator.url.path","type":"keyword","description":"Path of the request, such as \"/search\"."},{"field":"threat.enrichments.indicator.url.port","type":"long","description":"Port of the request, such as 443."},{"field":"threat.enrichments.indicator.url.query","type":"keyword","description":"Query string of the request."},{"field":"threat.enrichments.indicator.url.registered_domain","type":"keyword","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.enrichments.indicator.url.scheme","type":"keyword","description":"Scheme of the url."},{"field":"threat.enrichments.indicator.url.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"threat.enrichments.indicator.url.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.enrichments.indicator.url.username","type":"keyword","description":"Username of the request."},{"field":"threat.enrichments.indicator.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"threat.enrichments.indicator.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"threat.enrichments.indicator.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"threat.enrichments.matched.atomic","type":"keyword","description":"Matched indicator value"},{"field":"threat.enrichments.matched.field","type":"keyword","description":"Matched indicator field"},{"field":"threat.enrichments.matched.id","type":"keyword","description":"Matched indicator identifier"},{"field":"threat.enrichments.matched.index","type":"keyword","description":"Matched indicator index"},{"field":"threat.enrichments.matched.type","type":"keyword","description":"Type of indicator match"},{"field":"threat.framework","type":"keyword","description":"Threat classification framework."},{"field":"threat.group.alias","type":"keyword","description":"Alias of the group."},{"field":"threat.group.id","type":"keyword","description":"ID of the group."},{"field":"threat.group.name","type":"keyword","description":"Name of the group."},{"field":"threat.group.reference","type":"keyword","description":"Reference URL of the group."},{"field":"threat.indicator.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"threat.indicator.as.organization.name","type":"keyword","description":"Organization name."},{"field":"threat.indicator.as.organization.name.text","type":"text","description":"Organization name."},{"field":"threat.indicator.confidence","type":"keyword","description":"Indicator confidence rating"},{"field":"threat.indicator.description","type":"keyword","description":"Indicator description"},{"field":"threat.indicator.email.address","type":"keyword","description":"Indicator email address"},{"field":"threat.indicator.file.accessed","type":"date","description":"Last time the file was accessed."},{"field":"threat.indicator.file.attributes","type":"keyword","description":"Array of file attributes."},{"field":"threat.indicator.file.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"threat.indicator.file.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"threat.indicator.file.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"threat.indicator.file.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"threat.indicator.file.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.indicator.file.created","type":"date","description":"File creation time."},{"field":"threat.indicator.file.ctime","type":"date","description":"Last time the file attributes or metadata changed."},{"field":"threat.indicator.file.device","type":"keyword","description":"Device that is the source of the file."},{"field":"threat.indicator.file.directory","type":"keyword","description":"Directory where the file is located."},{"field":"threat.indicator.file.drive_letter","type":"keyword","description":"Drive letter where the file is located."},{"field":"threat.indicator.file.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"threat.indicator.file.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"threat.indicator.file.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"threat.indicator.file.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"threat.indicator.file.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"threat.indicator.file.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.indicator.file.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"threat.indicator.file.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"threat.indicator.file.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"threat.indicator.file.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"threat.indicator.file.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.indicator.file.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"threat.indicator.file.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"threat.indicator.file.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"threat.indicator.file.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"threat.indicator.file.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"threat.indicator.file.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"threat.indicator.file.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"threat.indicator.file.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"threat.indicator.file.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"threat.indicator.file.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"threat.indicator.file.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"threat.indicator.file.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"threat.indicator.file.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"threat.indicator.file.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"threat.indicator.file.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"threat.indicator.file.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"threat.indicator.file.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"threat.indicator.file.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"threat.indicator.file.extension","type":"keyword","description":"File extension, excluding the leading dot."},{"field":"threat.indicator.file.gid","type":"keyword","description":"Primary group ID (GID) of the file."},{"field":"threat.indicator.file.group","type":"keyword","description":"Primary group name of the file."},{"field":"threat.indicator.file.inode","type":"keyword","description":"Inode representing the file in the filesystem."},{"field":"threat.indicator.file.mime_type","type":"keyword","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.indicator.file.mode","type":"keyword","description":"Mode of the file in octal representation."},{"field":"threat.indicator.file.mtime","type":"date","description":"Last time the file content was modified."},{"field":"threat.indicator.file.name","type":"keyword","description":"Name of the file including the extension, without the directory."},{"field":"threat.indicator.file.owner","type":"keyword","description":"File owner's username."},{"field":"threat.indicator.file.path","type":"keyword","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.path.text","type":"text","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.size","type":"long","description":"File size in bytes."},{"field":"threat.indicator.file.target_path","type":"keyword","description":"Target path for symlinks."},{"field":"threat.indicator.file.target_path.text","type":"text","description":"Target path for symlinks."},{"field":"threat.indicator.file.type","type":"keyword","description":"File type (file, dir, or symlink)."},{"field":"threat.indicator.file.uid","type":"keyword","description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.indicator.first_seen","type":"date","description":"Date/time indicator was first reported."},{"field":"threat.indicator.geo.city_name","type":"keyword","description":"City name."},{"field":"threat.indicator.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"threat.indicator.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"threat.indicator.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"threat.indicator.geo.country_name","type":"keyword","description":"Country name."},{"field":"threat.indicator.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"threat.indicator.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"threat.indicator.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"threat.indicator.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"threat.indicator.geo.region_name","type":"keyword","description":"Region name."},{"field":"threat.indicator.geo.timezone","type":"keyword","description":"Time zone."},{"field":"threat.indicator.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"threat.indicator.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"threat.indicator.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"threat.indicator.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"threat.indicator.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"threat.indicator.ip","type":"ip","description":"Indicator IP address"},{"field":"threat.indicator.last_seen","type":"date","description":"Date/time indicator was last reported."},{"field":"threat.indicator.marking.tlp","type":"keyword","description":"Indicator TLP marking"},{"field":"threat.indicator.modified_at","type":"date","description":"Date/time indicator was last updated."},{"field":"threat.indicator.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"threat.indicator.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.indicator.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"threat.indicator.pe.file_version","type":"keyword","description":"Process name."},{"field":"threat.indicator.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"threat.indicator.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"threat.indicator.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.indicator.port","type":"long","description":"Indicator port"},{"field":"threat.indicator.provider","type":"keyword","description":"Indicator provider"},{"field":"threat.indicator.reference","type":"keyword","description":"Indicator reference URL"},{"field":"threat.indicator.registry.data.bytes","type":"keyword","description":"Original bytes written with base64 encoding."},{"field":"threat.indicator.registry.data.strings","type":"keyword","description":"List of strings representing what was written to the registry."},{"field":"threat.indicator.registry.data.type","type":"keyword","description":"Standard registry type for encoding contents"},{"field":"threat.indicator.registry.hive","type":"keyword","description":"Abbreviated name for the hive."},{"field":"threat.indicator.registry.key","type":"keyword","description":"Hive-relative path of keys."},{"field":"threat.indicator.registry.path","type":"keyword","description":"Full path, including hive, key and value"},{"field":"threat.indicator.registry.value","type":"keyword","description":"Name of the value written."},{"field":"threat.indicator.scanner_stats","type":"long","description":"Scanner statistics"},{"field":"threat.indicator.sightings","type":"long","description":"Number of times indicator observed"},{"field":"threat.indicator.type","type":"keyword","description":"Type of indicator"},{"field":"threat.indicator.url.domain","type":"keyword","description":"Domain of the url."},{"field":"threat.indicator.url.extension","type":"keyword","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.indicator.url.fragment","type":"keyword","description":"Portion of the url after the `#`."},{"field":"threat.indicator.url.full","type":"keyword","description":"Full unparsed URL."},{"field":"threat.indicator.url.full.text","type":"text","description":"Full unparsed URL."},{"field":"threat.indicator.url.original","type":"keyword","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.original.text","type":"text","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.password","type":"keyword","description":"Password of the request."},{"field":"threat.indicator.url.path","type":"keyword","description":"Path of the request, such as \"/search\"."},{"field":"threat.indicator.url.port","type":"long","description":"Port of the request, such as 443."},{"field":"threat.indicator.url.query","type":"keyword","description":"Query string of the request."},{"field":"threat.indicator.url.registered_domain","type":"keyword","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.indicator.url.scheme","type":"keyword","description":"Scheme of the url."},{"field":"threat.indicator.url.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"threat.indicator.url.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.indicator.url.username","type":"keyword","description":"Username of the request."},{"field":"threat.indicator.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"threat.indicator.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.indicator.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"threat.indicator.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"threat.indicator.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"threat.indicator.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.indicator.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"threat.indicator.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"threat.software.id","type":"keyword","description":"ID of the software"},{"field":"threat.software.name","type":"keyword","description":"Name of the software."},{"field":"threat.software.platforms","type":"keyword","description":"Platforms of the software."},{"field":"threat.software.reference","type":"keyword","description":"Software reference URL."},{"field":"threat.software.type","type":"keyword","description":"Software type."},{"field":"threat.tactic.id","type":"keyword","description":"Threat tactic id."},{"field":"threat.tactic.name","type":"keyword","description":"Threat tactic."},{"field":"threat.tactic.reference","type":"keyword","description":"Threat tactic URL reference."},{"field":"threat.technique.id","type":"keyword","description":"Threat technique id."},{"field":"threat.technique.name","type":"keyword","description":"Threat technique name."},{"field":"threat.technique.name.text","type":"text","description":"Threat technique name."},{"field":"threat.technique.reference","type":"keyword","description":"Threat technique URL reference."},{"field":"threat.technique.subtechnique.id","type":"keyword","description":"Threat subtechnique id."},{"field":"threat.technique.subtechnique.name","type":"keyword","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.name.text","type":"text","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.reference","type":"keyword","description":"Threat subtechnique URL reference."},{"field":"tls.cipher","type":"keyword","description":"String indicating the cipher used during the current connection."},{"field":"tls.client.certificate","type":"keyword","description":"PEM-encoded stand-alone certificate offered by the client."},{"field":"tls.client.certificate_chain","type":"keyword","description":"Array of PEM-encoded certificates that make up the certificate chain offered by the client."},{"field":"tls.client.hash.md5","type":"keyword","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha1","type":"keyword","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha256","type":"keyword","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.issuer","type":"keyword","description":"Distinguished name of subject of the issuer of the x.509 certificate presented by the client."},{"field":"tls.client.ja3","type":"keyword","description":"A hash that identifies clients based on how they perform an SSL/TLS handshake."},{"field":"tls.client.not_after","type":"date","description":"Date/Time indicating when client certificate is no longer considered valid."},{"field":"tls.client.not_before","type":"date","description":"Date/Time indicating when client certificate is first considered valid."},{"field":"tls.client.server_name","type":"keyword","description":"Hostname the client is trying to connect to. Also called the SNI."},{"field":"tls.client.subject","type":"keyword","description":"Distinguished name of subject of the x.509 certificate presented by the client."},{"field":"tls.client.supported_ciphers","type":"keyword","description":"Array of ciphers offered by the client during the client hello."},{"field":"tls.client.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"tls.client.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"tls.client.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.client.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.client.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.client.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.client.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"tls.client.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"tls.client.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.client.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.client.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"tls.client.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"tls.client.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"tls.client.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"tls.client.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"tls.client.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.client.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.client.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"tls.client.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"tls.client.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"tls.curve","type":"keyword","description":"String indicating the curve used for the given cipher, when applicable."},{"field":"tls.established","type":"boolean","description":"Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel."},{"field":"tls.next_protocol","type":"keyword","description":"String indicating the protocol being tunneled."},{"field":"tls.resumed","type":"boolean","description":"Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation."},{"field":"tls.server.certificate","type":"keyword","description":"PEM-encoded stand-alone certificate offered by the server."},{"field":"tls.server.certificate_chain","type":"keyword","description":"Array of PEM-encoded certificates that make up the certificate chain offered by the server."},{"field":"tls.server.hash.md5","type":"keyword","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha1","type":"keyword","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha256","type":"keyword","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.issuer","type":"keyword","description":"Subject of the issuer of the x.509 certificate presented by the server."},{"field":"tls.server.ja3s","type":"keyword","description":"A hash that identifies servers based on how they perform an SSL/TLS handshake."},{"field":"tls.server.not_after","type":"date","description":"Timestamp indicating when server certificate is no longer considered valid."},{"field":"tls.server.not_before","type":"date","description":"Timestamp indicating when server certificate is first considered valid."},{"field":"tls.server.subject","type":"keyword","description":"Subject of the x.509 certificate presented by the server."},{"field":"tls.server.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"tls.server.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"tls.server.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.server.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.server.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.server.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.server.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"tls.server.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"tls.server.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.server.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.server.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"tls.server.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"tls.server.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"tls.server.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"tls.server.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"tls.server.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.server.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.server.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"tls.server.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"tls.server.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"tls.version","type":"keyword","description":"Numeric part of the version parsed from the original string."},{"field":"tls.version_protocol","type":"keyword","description":"Normalized lowercase protocol name parsed from original string."},{"field":"trace.id","type":"keyword","description":"Unique identifier of the trace."},{"field":"transaction.id","type":"keyword","description":"Unique identifier of the transaction within the scope of its trace."},{"field":"url.domain","type":"keyword","description":"Domain of the url."},{"field":"url.extension","type":"keyword","description":"File extension from the request url, excluding the leading dot."},{"field":"url.fragment","type":"keyword","description":"Portion of the url after the `#`."},{"field":"url.full","type":"keyword","description":"Full unparsed URL."},{"field":"url.full.text","type":"text","description":"Full unparsed URL."},{"field":"url.original","type":"keyword","description":"Unmodified original url as seen in the event source."},{"field":"url.original.text","type":"text","description":"Unmodified original url as seen in the event source."},{"field":"url.password","type":"keyword","description":"Password of the request."},{"field":"url.path","type":"keyword","description":"Path of the request, such as \"/search\"."},{"field":"url.port","type":"long","description":"Port of the request, such as 443."},{"field":"url.query","type":"keyword","description":"Query string of the request."},{"field":"url.registered_domain","type":"keyword","description":"The highest registered url domain, stripped of the subdomain."},{"field":"url.scheme","type":"keyword","description":"Scheme of the url."},{"field":"url.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"url.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"url.username","type":"keyword","description":"Username of the request."},{"field":"user.changes.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.changes.email","type":"keyword","description":"User email address."},{"field":"user.changes.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.changes.full_name.text","type":"text","description":"User's full name, if available."},{"field":"user.changes.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.changes.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.changes.group.name","type":"keyword","description":"Name of the group."},{"field":"user.changes.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.changes.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.changes.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.changes.name.text","type":"text","description":"Short name or login of the user."},{"field":"user.changes.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.effective.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.effective.email","type":"keyword","description":"User email address."},{"field":"user.effective.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.effective.full_name.text","type":"text","description":"User's full name, if available."},{"field":"user.effective.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.effective.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.effective.group.name","type":"keyword","description":"Name of the group."},{"field":"user.effective.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.effective.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.effective.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.effective.name.text","type":"text","description":"Short name or login of the user."},{"field":"user.effective.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user.email","type":"keyword","description":"User email address."},{"field":"user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.full_name.text","type":"text","description":"User's full name, if available."},{"field":"user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.group.name","type":"keyword","description":"Name of the group."},{"field":"user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.name.text","type":"text","description":"Short name or login of the user."},{"field":"user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user.target.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.target.email","type":"keyword","description":"User email address."},{"field":"user.target.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.target.full_name.text","type":"text","description":"User's full name, if available."},{"field":"user.target.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.target.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.target.group.name","type":"keyword","description":"Name of the group."},{"field":"user.target.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.target.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.target.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.target.name.text","type":"text","description":"Short name or login of the user."},{"field":"user.target.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user_agent.device.name","type":"keyword","description":"Name of the device."},{"field":"user_agent.name","type":"keyword","description":"Name of the user agent."},{"field":"user_agent.original","type":"keyword","description":"Unparsed user_agent string."},{"field":"user_agent.original.text","type":"text","description":"Unparsed user_agent string."},{"field":"user_agent.os.family","type":"keyword","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"user_agent.os.full","type":"keyword","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.full.text","type":"text","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.kernel","type":"keyword","description":"Operating system kernel version as a raw string."},{"field":"user_agent.os.name","type":"keyword","description":"Operating system name, without the version."},{"field":"user_agent.os.name.text","type":"text","description":"Operating system name, without the version."},{"field":"user_agent.os.platform","type":"keyword","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"user_agent.os.type","type":"keyword","description":"Which commercial OS family (one of: linux, macos, unix or windows)."},{"field":"user_agent.os.version","type":"keyword","description":"Operating system version as a raw string."},{"field":"user_agent.version","type":"keyword","description":"Version of the user agent."},{"field":"vulnerability.category","type":"keyword","description":"Category of a vulnerability."},{"field":"vulnerability.classification","type":"keyword","description":"Classification of the vulnerability."},{"field":"vulnerability.description","type":"keyword","description":"Description of the vulnerability."},{"field":"vulnerability.description.text","type":"text","description":"Description of the vulnerability."},{"field":"vulnerability.enumeration","type":"keyword","description":"Identifier of the vulnerability."},{"field":"vulnerability.id","type":"keyword","description":"ID of the vulnerability."},{"field":"vulnerability.reference","type":"keyword","description":"Reference of the vulnerability."},{"field":"vulnerability.report_id","type":"keyword","description":"Scan identification number."},{"field":"vulnerability.scanner.vendor","type":"keyword","description":"Name of the scanner vendor."},{"field":"vulnerability.score.base","type":"float","description":"Vulnerability Base score."},{"field":"vulnerability.score.environmental","type":"float","description":"Vulnerability Environmental score."},{"field":"vulnerability.score.temporal","type":"float","description":"Vulnerability Temporal score."},{"field":"vulnerability.score.version","type":"keyword","description":"CVSS version."},{"field":"vulnerability.severity","type":"keyword","description":"Severity of the vulnerability."}] \ No newline at end of file diff --git a/x-pack/plugins/osquery/public/common/schemas/ecs/v1.12.1.json b/x-pack/plugins/osquery/public/common/schemas/ecs/v1.12.1.json new file mode 100644 index 0000000000000..2b4a3c8c92f2f --- /dev/null +++ b/x-pack/plugins/osquery/public/common/schemas/ecs/v1.12.1.json @@ -0,0 +1 @@ +[{"field":"labels","type":"object","description":"Custom key/value pairs."},{"field":"message","type":"match_only_text","description":"Log message optimized for viewing in a log viewer."},{"field":"tags","type":"keyword","description":"List of keywords used to tag each event."},{"field":"agent.build.original","type":"keyword","description":"Extended build information for the agent."},{"field":"client.address","type":"keyword","description":"Client network address."},{"field":"client.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"client.as.organization.name","type":"keyword","description":"Organization name."},{"field":"client.as.organization.name.text","type":"match_only_text","description":"Organization name."},{"field":"client.bytes","type":"long","description":"Bytes sent from the client to the server."},{"field":"client.domain","type":"keyword","description":"Client domain."},{"field":"client.geo.city_name","type":"keyword","description":"City name."},{"field":"client.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"client.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"client.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"client.geo.country_name","type":"keyword","description":"Country name."},{"field":"client.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"client.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"client.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"client.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"client.geo.region_name","type":"keyword","description":"Region name."},{"field":"client.geo.timezone","type":"keyword","description":"Time zone."},{"field":"client.ip","type":"ip","description":"IP address of the client."},{"field":"client.mac","type":"keyword","description":"MAC address of the client."},{"field":"client.nat.ip","type":"ip","description":"Client NAT ip address"},{"field":"client.nat.port","type":"long","description":"Client NAT port"},{"field":"client.packets","type":"long","description":"Packets sent from the client to the server."},{"field":"client.port","type":"long","description":"Port of the client."},{"field":"client.registered_domain","type":"keyword","description":"The highest registered client domain, stripped of the subdomain."},{"field":"client.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"client.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"client.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"client.user.email","type":"keyword","description":"User email address."},{"field":"client.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"client.user.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"client.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"client.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"client.user.group.name","type":"keyword","description":"Name of the group."},{"field":"client.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"client.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"client.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"client.user.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"client.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"cloud.account.id","type":"keyword","description":"The cloud account or organization id."},{"field":"cloud.account.name","type":"keyword","description":"The cloud account name."},{"field":"cloud.availability_zone","type":"keyword","description":"Availability zone in which this host, resource, or service is located."},{"field":"cloud.instance.id","type":"keyword","description":"Instance ID of the host machine."},{"field":"cloud.instance.name","type":"keyword","description":"Instance name of the host machine."},{"field":"cloud.machine.type","type":"keyword","description":"Machine type of the host machine."},{"field":"cloud.project.id","type":"keyword","description":"The cloud project id."},{"field":"cloud.project.name","type":"keyword","description":"The cloud project name."},{"field":"cloud.provider","type":"keyword","description":"Name of the cloud provider."},{"field":"cloud.region","type":"keyword","description":"Region in which this host, resource, or service is located."},{"field":"cloud.service.name","type":"keyword","description":"The cloud service name."},{"field":"container.id","type":"keyword","description":"Unique container id."},{"field":"container.image.name","type":"keyword","description":"Name of the image the container was built on."},{"field":"container.image.tag","type":"keyword","description":"Container image tags."},{"field":"container.labels","type":"object","description":"Image labels."},{"field":"container.name","type":"keyword","description":"Container name."},{"field":"container.runtime","type":"keyword","description":"Runtime managing this container."},{"field":"data_stream.dataset","type":"constant_keyword","description":"The field can contain anything that makes sense to signify the source of the data."},{"field":"data_stream.namespace","type":"constant_keyword","description":"A user defined namespace. Namespaces are useful to allow grouping of data."},{"field":"data_stream.type","type":"constant_keyword","description":"An overarching type for the data stream."},{"field":"destination.address","type":"keyword","description":"Destination network address."},{"field":"destination.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"destination.as.organization.name","type":"keyword","description":"Organization name."},{"field":"destination.as.organization.name.text","type":"match_only_text","description":"Organization name."},{"field":"destination.bytes","type":"long","description":"Bytes sent from the destination to the source."},{"field":"destination.domain","type":"keyword","description":"Destination domain."},{"field":"destination.geo.city_name","type":"keyword","description":"City name."},{"field":"destination.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"destination.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"destination.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"destination.geo.country_name","type":"keyword","description":"Country name."},{"field":"destination.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"destination.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"destination.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"destination.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"destination.geo.region_name","type":"keyword","description":"Region name."},{"field":"destination.geo.timezone","type":"keyword","description":"Time zone."},{"field":"destination.ip","type":"ip","description":"IP address of the destination."},{"field":"destination.mac","type":"keyword","description":"MAC address of the destination."},{"field":"destination.nat.ip","type":"ip","description":"Destination NAT ip"},{"field":"destination.nat.port","type":"long","description":"Destination NAT Port"},{"field":"destination.packets","type":"long","description":"Packets sent from the destination to the source."},{"field":"destination.port","type":"long","description":"Port of the destination."},{"field":"destination.registered_domain","type":"keyword","description":"The highest registered destination domain, stripped of the subdomain."},{"field":"destination.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"destination.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"destination.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"destination.user.email","type":"keyword","description":"User email address."},{"field":"destination.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"destination.user.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"destination.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"destination.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"destination.user.group.name","type":"keyword","description":"Name of the group."},{"field":"destination.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"destination.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"destination.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"destination.user.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"destination.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"dll.code_signature.digest_algorithm","type":"keyword","description":"Hashing algorithm used to sign the process."},{"field":"dll.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"dll.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"dll.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"dll.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"dll.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"dll.code_signature.timestamp","type":"date","description":"When the signature was generated and signed."},{"field":"dll.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"dll.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"dll.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"dll.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"dll.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"dll.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"dll.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"dll.name","type":"keyword","description":"Name of the library."},{"field":"dll.path","type":"keyword","description":"Full file path of the library."},{"field":"dll.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"dll.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"dll.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"dll.pe.file_version","type":"keyword","description":"Process name."},{"field":"dll.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"dll.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"dll.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"dns.answers","type":"object","description":"Array of DNS answers."},{"field":"dns.answers.class","type":"keyword","description":"The class of DNS data contained in this resource record."},{"field":"dns.answers.data","type":"keyword","description":"The data describing the resource."},{"field":"dns.answers.name","type":"keyword","description":"The domain name to which this resource record pertains."},{"field":"dns.answers.ttl","type":"long","description":"The time interval in seconds that this resource record may be cached before it should be discarded."},{"field":"dns.answers.type","type":"keyword","description":"The type of data contained in this resource record."},{"field":"dns.header_flags","type":"keyword","description":"Array of DNS header flags."},{"field":"dns.id","type":"keyword","description":"The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response."},{"field":"dns.op_code","type":"keyword","description":"The DNS operation code that specifies the kind of query in the message."},{"field":"dns.question.class","type":"keyword","description":"The class of records being queried."},{"field":"dns.question.name","type":"keyword","description":"The name being queried."},{"field":"dns.question.registered_domain","type":"keyword","description":"The highest registered domain, stripped of the subdomain."},{"field":"dns.question.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"dns.question.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"dns.question.type","type":"keyword","description":"The type of record being queried."},{"field":"dns.resolved_ip","type":"ip","description":"Array containing all IPs seen in answers.data"},{"field":"dns.response_code","type":"keyword","description":"The DNS response code."},{"field":"dns.type","type":"keyword","description":"The type of DNS event captured, query or answer."},{"field":"error.code","type":"keyword","description":"Error code describing the error."},{"field":"error.id","type":"keyword","description":"Unique identifier for the error."},{"field":"error.message","type":"match_only_text","description":"Error message."},{"field":"error.stack_trace","type":"wildcard","description":"The stack trace of this error in plain text."},{"field":"error.stack_trace.text","type":"match_only_text","description":"The stack trace of this error in plain text."},{"field":"error.type","type":"keyword","description":"The type of the error, for example the class name of the exception."},{"field":"event.action","type":"keyword","description":"The action captured by the event."},{"field":"event.category","type":"keyword","description":"Event category. The second categorization field in the hierarchy."},{"field":"event.code","type":"keyword","description":"Identification code for this event."},{"field":"event.created","type":"date","description":"Time when the event was first read by an agent or by your pipeline."},{"field":"event.dataset","type":"keyword","description":"Name of the dataset."},{"field":"event.duration","type":"long","description":"Duration of the event in nanoseconds."},{"field":"event.end","type":"date","description":"event.end contains the date when the event ended or when the activity was last observed."},{"field":"event.hash","type":"keyword","description":"Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity."},{"field":"event.id","type":"keyword","description":"Unique ID to describe the event."},{"field":"event.kind","type":"keyword","description":"The kind of the event. The highest categorization field in the hierarchy."},{"field":"event.original","type":"keyword","description":"Raw text message of entire event."},{"field":"event.outcome","type":"keyword","description":"The outcome of the event. The lowest level categorization field in the hierarchy."},{"field":"event.provider","type":"keyword","description":"Source of the event."},{"field":"event.reason","type":"keyword","description":"Reason why this event happened, according to the source"},{"field":"event.reference","type":"keyword","description":"Event reference URL"},{"field":"event.risk_score","type":"float","description":"Risk score or priority of the event (e.g. security solutions). Use your system's original value here."},{"field":"event.risk_score_norm","type":"float","description":"Normalized risk score or priority of the event (0-100)."},{"field":"event.sequence","type":"long","description":"Sequence number of the event."},{"field":"event.severity","type":"long","description":"Numeric severity of the event."},{"field":"event.start","type":"date","description":"event.start contains the date when the event started or when the activity was first observed."},{"field":"event.timezone","type":"keyword","description":"Event time zone."},{"field":"event.type","type":"keyword","description":"Event type. The third categorization field in the hierarchy."},{"field":"event.url","type":"keyword","description":"Event investigation URL"},{"field":"file.accessed","type":"date","description":"Last time the file was accessed."},{"field":"file.attributes","type":"keyword","description":"Array of file attributes."},{"field":"file.code_signature.digest_algorithm","type":"keyword","description":"Hashing algorithm used to sign the process."},{"field":"file.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"file.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"file.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"file.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"file.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"file.code_signature.timestamp","type":"date","description":"When the signature was generated and signed."},{"field":"file.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"file.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"file.created","type":"date","description":"File creation time."},{"field":"file.ctime","type":"date","description":"Last time the file attributes or metadata changed."},{"field":"file.device","type":"keyword","description":"Device that is the source of the file."},{"field":"file.directory","type":"keyword","description":"Directory where the file is located."},{"field":"file.drive_letter","type":"keyword","description":"Drive letter where the file is located."},{"field":"file.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"file.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"file.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"file.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"file.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"file.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"file.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"file.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"file.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"file.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"file.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"file.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"file.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"file.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"file.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"file.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"file.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"file.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"file.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"file.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"file.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"file.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"file.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"file.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"file.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"file.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"file.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"file.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"file.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"file.extension","type":"keyword","description":"File extension, excluding the leading dot."},{"field":"file.fork_name","type":"keyword","description":"A fork is additional data associated with a filesystem object."},{"field":"file.gid","type":"keyword","description":"Primary group ID (GID) of the file."},{"field":"file.group","type":"keyword","description":"Primary group name of the file."},{"field":"file.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"file.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"file.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"file.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"file.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"file.inode","type":"keyword","description":"Inode representing the file in the filesystem."},{"field":"file.mime_type","type":"keyword","description":"Media type of file, document, or arrangement of bytes."},{"field":"file.mode","type":"keyword","description":"Mode of the file in octal representation."},{"field":"file.mtime","type":"date","description":"Last time the file content was modified."},{"field":"file.name","type":"keyword","description":"Name of the file including the extension, without the directory."},{"field":"file.owner","type":"keyword","description":"File owner's username."},{"field":"file.path","type":"keyword","description":"Full path to the file, including the file name."},{"field":"file.path.text","type":"match_only_text","description":"Full path to the file, including the file name."},{"field":"file.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"file.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"file.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"file.pe.file_version","type":"keyword","description":"Process name."},{"field":"file.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"file.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"file.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"file.size","type":"long","description":"File size in bytes."},{"field":"file.target_path","type":"keyword","description":"Target path for symlinks."},{"field":"file.target_path.text","type":"match_only_text","description":"Target path for symlinks."},{"field":"file.type","type":"keyword","description":"File type (file, dir, or symlink)."},{"field":"file.uid","type":"keyword","description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"file.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"file.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"file.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"file.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"file.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"file.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"file.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"file.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"file.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"file.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"file.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"file.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"file.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"file.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"file.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"file.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"file.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"file.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"file.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"file.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"file.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"file.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"file.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"group.name","type":"keyword","description":"Name of the group."},{"field":"host.cpu.usage","type":"scaled_float","description":"Percent CPU used, between 0 and 1."},{"field":"host.disk.read.bytes","type":"long","description":"The number of bytes read by all disks."},{"field":"host.disk.write.bytes","type":"long","description":"The number of bytes written on all disks."},{"field":"host.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"host.geo.city_name","type":"keyword","description":"City name."},{"field":"host.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"host.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"host.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"host.geo.country_name","type":"keyword","description":"Country name."},{"field":"host.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"host.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"host.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"host.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"host.geo.region_name","type":"keyword","description":"Region name."},{"field":"host.geo.timezone","type":"keyword","description":"Time zone."},{"field":"host.name","type":"keyword","description":"Name of the host."},{"field":"host.network.egress.bytes","type":"long","description":"The number of bytes sent on all network interfaces."},{"field":"host.network.egress.packets","type":"long","description":"The number of packets sent on all network interfaces."},{"field":"host.network.ingress.bytes","type":"long","description":"The number of bytes received on all network interfaces."},{"field":"host.network.ingress.packets","type":"long","description":"The number of packets received on all network interfaces."},{"field":"host.os.full","type":"keyword","description":"Operating system name, including the version or code name."},{"field":"host.os.full.text","type":"match_only_text","description":"Operating system name, including the version or code name."},{"field":"host.os.name.text","type":"match_only_text","description":"Operating system name, without the version."},{"field":"host.os.platform","type":"keyword","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"host.type","type":"keyword","description":"Type of host."},{"field":"host.uptime","type":"long","description":"Seconds the host has been up."},{"field":"host.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"host.user.email","type":"keyword","description":"User email address."},{"field":"host.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"host.user.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"host.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"host.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"host.user.group.name","type":"keyword","description":"Name of the group."},{"field":"host.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"host.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"host.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"host.user.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"host.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"http.request.body.bytes","type":"long","description":"Size in bytes of the request body."},{"field":"http.request.body.content","type":"wildcard","description":"The full HTTP request body."},{"field":"http.request.body.content.text","type":"match_only_text","description":"The full HTTP request body."},{"field":"http.request.bytes","type":"long","description":"Total size in bytes of the request (body and headers)."},{"field":"http.request.id","type":"keyword","description":"HTTP request ID."},{"field":"http.request.method","type":"keyword","description":"HTTP request method."},{"field":"http.request.mime_type","type":"keyword","description":"Mime type of the body of the request."},{"field":"http.request.referrer","type":"keyword","description":"Referrer for this HTTP request."},{"field":"http.response.body.bytes","type":"long","description":"Size in bytes of the response body."},{"field":"http.response.body.content","type":"wildcard","description":"The full HTTP response body."},{"field":"http.response.body.content.text","type":"match_only_text","description":"The full HTTP response body."},{"field":"http.response.bytes","type":"long","description":"Total size in bytes of the response (body and headers)."},{"field":"http.response.mime_type","type":"keyword","description":"Mime type of the body of the response."},{"field":"http.response.status_code","type":"long","description":"HTTP response status code."},{"field":"http.version","type":"keyword","description":"HTTP version."},{"field":"log.file.path","type":"keyword","description":"Full path to the log file this event came from."},{"field":"log.level","type":"keyword","description":"Log level of the log event."},{"field":"log.logger","type":"keyword","description":"Name of the logger."},{"field":"log.origin.file.line","type":"integer","description":"The line number of the file which originated the log event."},{"field":"log.origin.file.name","type":"keyword","description":"The code file which originated the log event."},{"field":"log.origin.function","type":"keyword","description":"The function which originated the log event."},{"field":"log.original","type":"keyword","description":"Deprecated original log message with light interpretation only (encoding, newlines)."},{"field":"log.syslog","type":"object","description":"Syslog metadata"},{"field":"log.syslog.facility.code","type":"long","description":"Syslog numeric facility of the event."},{"field":"log.syslog.facility.name","type":"keyword","description":"Syslog text-based facility of the event."},{"field":"log.syslog.priority","type":"long","description":"Syslog priority of the event."},{"field":"log.syslog.severity.code","type":"long","description":"Syslog numeric severity of the event."},{"field":"log.syslog.severity.name","type":"keyword","description":"Syslog text-based severity of the event."},{"field":"network.application","type":"keyword","description":"Application level protocol name."},{"field":"network.bytes","type":"long","description":"Total bytes transferred in both directions."},{"field":"network.community_id","type":"keyword","description":"A hash of source and destination IPs and ports."},{"field":"network.direction","type":"keyword","description":"Direction of the network traffic."},{"field":"network.forwarded_ip","type":"ip","description":"Host IP address when the source IP address is the proxy."},{"field":"network.iana_number","type":"keyword","description":"IANA Protocol Number."},{"field":"network.inner","type":"object","description":"Inner VLAN tag information"},{"field":"network.inner.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"network.inner.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"network.name","type":"keyword","description":"Name given by operators to sections of their network."},{"field":"network.packets","type":"long","description":"Total packets transferred in both directions."},{"field":"network.protocol","type":"keyword","description":"L7 Network protocol name."},{"field":"network.transport","type":"keyword","description":"Protocol Name corresponding to the field `iana_number`."},{"field":"network.type","type":"keyword","description":"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"},{"field":"network.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"network.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress","type":"object","description":"Object field for egress information"},{"field":"observer.egress.interface.alias","type":"keyword","description":"Interface alias"},{"field":"observer.egress.interface.id","type":"keyword","description":"Interface ID"},{"field":"observer.egress.interface.name","type":"keyword","description":"Interface name"},{"field":"observer.egress.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"observer.egress.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"observer.egress.zone","type":"keyword","description":"Observer Egress zone"},{"field":"observer.geo.city_name","type":"keyword","description":"City name."},{"field":"observer.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"observer.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"observer.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"observer.geo.country_name","type":"keyword","description":"Country name."},{"field":"observer.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"observer.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"observer.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"observer.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"observer.geo.region_name","type":"keyword","description":"Region name."},{"field":"observer.geo.timezone","type":"keyword","description":"Time zone."},{"field":"observer.hostname","type":"keyword","description":"Hostname of the observer."},{"field":"observer.ingress","type":"object","description":"Object field for ingress information"},{"field":"observer.ingress.interface.alias","type":"keyword","description":"Interface alias"},{"field":"observer.ingress.interface.id","type":"keyword","description":"Interface ID"},{"field":"observer.ingress.interface.name","type":"keyword","description":"Interface name"},{"field":"observer.ingress.vlan.id","type":"keyword","description":"VLAN ID as reported by the observer."},{"field":"observer.ingress.vlan.name","type":"keyword","description":"Optional VLAN name as reported by the observer."},{"field":"observer.ingress.zone","type":"keyword","description":"Observer ingress zone"},{"field":"observer.ip","type":"ip","description":"IP addresses of the observer."},{"field":"observer.mac","type":"keyword","description":"MAC addresses of the observer."},{"field":"observer.name","type":"keyword","description":"Custom name of the observer."},{"field":"observer.os.family","type":"keyword","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"observer.os.full","type":"keyword","description":"Operating system name, including the version or code name."},{"field":"observer.os.full.text","type":"match_only_text","description":"Operating system name, including the version or code name."},{"field":"observer.os.kernel","type":"keyword","description":"Operating system kernel version as a raw string."},{"field":"observer.os.name","type":"keyword","description":"Operating system name, without the version."},{"field":"observer.os.name.text","type":"match_only_text","description":"Operating system name, without the version."},{"field":"observer.os.platform","type":"keyword","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"observer.os.type","type":"keyword","description":"Which commercial OS family (one of: linux, macos, unix or windows)."},{"field":"observer.os.version","type":"keyword","description":"Operating system version as a raw string."},{"field":"observer.product","type":"keyword","description":"The product name of the observer."},{"field":"observer.serial_number","type":"keyword","description":"Observer serial number."},{"field":"observer.type","type":"keyword","description":"The type of the observer the data is coming from."},{"field":"observer.vendor","type":"keyword","description":"Vendor name of the observer."},{"field":"observer.version","type":"keyword","description":"Observer version."},{"field":"orchestrator.api_version","type":"keyword","description":"API version being used to carry out the action"},{"field":"orchestrator.cluster.name","type":"keyword","description":"Name of the cluster."},{"field":"orchestrator.cluster.url","type":"keyword","description":"URL of the API used to manage the cluster."},{"field":"orchestrator.cluster.version","type":"keyword","description":"The version of the cluster."},{"field":"orchestrator.namespace","type":"keyword","description":"Namespace in which the action is taking place."},{"field":"orchestrator.organization","type":"keyword","description":"Organization affected by the event (for multi-tenant orchestrator setups)."},{"field":"orchestrator.resource.name","type":"keyword","description":"Name of the resource being acted upon."},{"field":"orchestrator.resource.type","type":"keyword","description":"Type of resource being acted upon."},{"field":"orchestrator.type","type":"keyword","description":"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."},{"field":"organization.id","type":"keyword","description":"Unique identifier for the organization."},{"field":"organization.name","type":"keyword","description":"Organization name."},{"field":"organization.name.text","type":"match_only_text","description":"Organization name."},{"field":"package.architecture","type":"keyword","description":"Package architecture."},{"field":"package.build_version","type":"keyword","description":"Build version information"},{"field":"package.checksum","type":"keyword","description":"Checksum of the installed package for verification."},{"field":"package.description","type":"keyword","description":"Description of the package."},{"field":"package.install_scope","type":"keyword","description":"Indicating how the package was installed, e.g. user-local, global."},{"field":"package.installed","type":"date","description":"Time when package was installed."},{"field":"package.license","type":"keyword","description":"Package license"},{"field":"package.name","type":"keyword","description":"Package name"},{"field":"package.path","type":"keyword","description":"Path where the package is installed."},{"field":"package.reference","type":"keyword","description":"Package home page or reference URL"},{"field":"package.size","type":"long","description":"Package size in bytes."},{"field":"package.type","type":"keyword","description":"Package type"},{"field":"package.version","type":"keyword","description":"Package version"},{"field":"process.args","type":"keyword","description":"Array of process arguments."},{"field":"process.args_count","type":"long","description":"Length of the process.args array."},{"field":"process.code_signature.digest_algorithm","type":"keyword","description":"Hashing algorithm used to sign the process."},{"field":"process.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"process.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"process.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"process.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"process.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"process.code_signature.timestamp","type":"date","description":"When the signature was generated and signed."},{"field":"process.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"process.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.command_line","type":"wildcard","description":"Full command line that started the process."},{"field":"process.command_line.text","type":"match_only_text","description":"Full command line that started the process."},{"field":"process.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"process.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"process.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"process.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"process.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"process.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"process.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"process.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"process.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"process.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"process.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"process.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"process.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"process.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"process.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"process.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"process.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"process.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"process.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"process.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"process.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"process.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"process.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"process.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"process.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"process.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"process.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"process.end","type":"date","description":"The time the process ended."},{"field":"process.entity_id","type":"keyword","description":"Unique identifier for the process."},{"field":"process.executable","type":"keyword","description":"Absolute path to the process executable."},{"field":"process.executable.text","type":"match_only_text","description":"Absolute path to the process executable."},{"field":"process.exit_code","type":"long","description":"The exit code of the process."},{"field":"process.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"process.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"process.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"process.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"process.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"process.name","type":"keyword","description":"Process name."},{"field":"process.name.text","type":"match_only_text","description":"Process name."},{"field":"process.parent.args","type":"keyword","description":"Array of process arguments."},{"field":"process.parent.args_count","type":"long","description":"Length of the process.args array."},{"field":"process.parent.code_signature.digest_algorithm","type":"keyword","description":"Hashing algorithm used to sign the process."},{"field":"process.parent.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"process.parent.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"process.parent.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"process.parent.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"process.parent.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"process.parent.code_signature.timestamp","type":"date","description":"When the signature was generated and signed."},{"field":"process.parent.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"process.parent.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"process.parent.command_line","type":"wildcard","description":"Full command line that started the process."},{"field":"process.parent.command_line.text","type":"match_only_text","description":"Full command line that started the process."},{"field":"process.parent.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"process.parent.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"process.parent.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"process.parent.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"process.parent.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"process.parent.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"process.parent.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"process.parent.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"process.parent.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"process.parent.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"process.parent.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"process.parent.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"process.parent.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"process.parent.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"process.parent.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"process.parent.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"process.parent.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"process.parent.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"process.parent.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"process.parent.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"process.parent.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"process.parent.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"process.parent.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"process.parent.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"process.parent.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"process.parent.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"process.parent.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"process.parent.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"process.parent.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"process.parent.end","type":"date","description":"The time the process ended."},{"field":"process.parent.entity_id","type":"keyword","description":"Unique identifier for the process."},{"field":"process.parent.executable","type":"keyword","description":"Absolute path to the process executable."},{"field":"process.parent.executable.text","type":"match_only_text","description":"Absolute path to the process executable."},{"field":"process.parent.exit_code","type":"long","description":"The exit code of the process."},{"field":"process.parent.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"process.parent.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"process.parent.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"process.parent.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"process.parent.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"process.parent.name","type":"keyword","description":"Process name."},{"field":"process.parent.name.text","type":"match_only_text","description":"Process name."},{"field":"process.parent.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"process.parent.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"process.parent.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"process.parent.pe.file_version","type":"keyword","description":"Process name."},{"field":"process.parent.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"process.parent.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"process.parent.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"process.parent.pgid","type":"long","description":"Identifier of the group of processes the process belongs to."},{"field":"process.parent.pid","type":"long","description":"Process id."},{"field":"process.parent.ppid","type":"long","description":"Parent process' pid."},{"field":"process.parent.start","type":"date","description":"The time the process started."},{"field":"process.parent.thread.id","type":"long","description":"Thread ID."},{"field":"process.parent.thread.name","type":"keyword","description":"Thread name."},{"field":"process.parent.title","type":"keyword","description":"Process title."},{"field":"process.parent.title.text","type":"match_only_text","description":"Process title."},{"field":"process.parent.uptime","type":"long","description":"Seconds the process has been up."},{"field":"process.parent.working_directory","type":"keyword","description":"The working directory of the process."},{"field":"process.parent.working_directory.text","type":"match_only_text","description":"The working directory of the process."},{"field":"process.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"process.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"process.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"process.pe.file_version","type":"keyword","description":"Process name."},{"field":"process.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"process.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"process.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"process.pgid","type":"long","description":"Identifier of the group of processes the process belongs to."},{"field":"process.pid","type":"long","description":"Process id."},{"field":"process.ppid","type":"long","description":"Parent process' pid."},{"field":"process.start","type":"date","description":"The time the process started."},{"field":"process.thread.id","type":"long","description":"Thread ID."},{"field":"process.thread.name","type":"keyword","description":"Thread name."},{"field":"process.title","type":"keyword","description":"Process title."},{"field":"process.title.text","type":"match_only_text","description":"Process title."},{"field":"process.uptime","type":"long","description":"Seconds the process has been up."},{"field":"process.working_directory","type":"keyword","description":"The working directory of the process."},{"field":"process.working_directory.text","type":"match_only_text","description":"The working directory of the process."},{"field":"registry.data.bytes","type":"keyword","description":"Original bytes written with base64 encoding."},{"field":"registry.data.strings","type":"wildcard","description":"List of strings representing what was written to the registry."},{"field":"registry.data.type","type":"keyword","description":"Standard registry type for encoding contents"},{"field":"registry.hive","type":"keyword","description":"Abbreviated name for the hive."},{"field":"registry.key","type":"keyword","description":"Hive-relative path of keys."},{"field":"registry.path","type":"keyword","description":"Full path, including hive, key and value"},{"field":"registry.value","type":"keyword","description":"Name of the value written."},{"field":"related.hash","type":"keyword","description":"All the hashes seen on your event."},{"field":"related.hosts","type":"keyword","description":"All the host identifiers seen on your event."},{"field":"related.ip","type":"ip","description":"All of the IPs seen on your event."},{"field":"related.user","type":"keyword","description":"All the user names or other user identifiers seen on the event."},{"field":"rule.author","type":"keyword","description":"Rule author"},{"field":"rule.category","type":"keyword","description":"Rule category"},{"field":"rule.description","type":"keyword","description":"Rule description"},{"field":"rule.id","type":"keyword","description":"Rule ID"},{"field":"rule.license","type":"keyword","description":"Rule license"},{"field":"rule.name","type":"keyword","description":"Rule name"},{"field":"rule.reference","type":"keyword","description":"Rule reference URL"},{"field":"rule.ruleset","type":"keyword","description":"Rule ruleset"},{"field":"rule.uuid","type":"keyword","description":"Rule UUID"},{"field":"rule.version","type":"keyword","description":"Rule version"},{"field":"server.address","type":"keyword","description":"Server network address."},{"field":"server.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"server.as.organization.name","type":"keyword","description":"Organization name."},{"field":"server.as.organization.name.text","type":"match_only_text","description":"Organization name."},{"field":"server.bytes","type":"long","description":"Bytes sent from the server to the client."},{"field":"server.domain","type":"keyword","description":"Server domain."},{"field":"server.geo.city_name","type":"keyword","description":"City name."},{"field":"server.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"server.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"server.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"server.geo.country_name","type":"keyword","description":"Country name."},{"field":"server.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"server.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"server.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"server.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"server.geo.region_name","type":"keyword","description":"Region name."},{"field":"server.geo.timezone","type":"keyword","description":"Time zone."},{"field":"server.ip","type":"ip","description":"IP address of the server."},{"field":"server.mac","type":"keyword","description":"MAC address of the server."},{"field":"server.nat.ip","type":"ip","description":"Server NAT ip"},{"field":"server.nat.port","type":"long","description":"Server NAT port"},{"field":"server.packets","type":"long","description":"Packets sent from the server to the client."},{"field":"server.port","type":"long","description":"Port of the server."},{"field":"server.registered_domain","type":"keyword","description":"The highest registered server domain, stripped of the subdomain."},{"field":"server.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"server.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"server.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"server.user.email","type":"keyword","description":"User email address."},{"field":"server.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"server.user.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"server.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"server.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"server.user.group.name","type":"keyword","description":"Name of the group."},{"field":"server.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"server.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"server.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"server.user.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"server.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"service.address","type":"keyword","description":"Address of this service."},{"field":"service.environment","type":"keyword","description":"Environment of the service."},{"field":"service.ephemeral_id","type":"keyword","description":"Ephemeral identifier of this service."},{"field":"service.id","type":"keyword","description":"Unique identifier of the running service."},{"field":"service.name","type":"keyword","description":"Name of the service."},{"field":"service.node.name","type":"keyword","description":"Name of the service node."},{"field":"service.state","type":"keyword","description":"Current state of the service."},{"field":"service.type","type":"keyword","description":"The type of the service."},{"field":"service.version","type":"keyword","description":"Version of the service."},{"field":"source.address","type":"keyword","description":"Source network address."},{"field":"source.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"source.as.organization.name","type":"keyword","description":"Organization name."},{"field":"source.as.organization.name.text","type":"match_only_text","description":"Organization name."},{"field":"source.bytes","type":"long","description":"Bytes sent from the source to the destination."},{"field":"source.domain","type":"keyword","description":"Source domain."},{"field":"source.geo.city_name","type":"keyword","description":"City name."},{"field":"source.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"source.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"source.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"source.geo.country_name","type":"keyword","description":"Country name."},{"field":"source.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"source.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"source.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"source.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"source.geo.region_name","type":"keyword","description":"Region name."},{"field":"source.geo.timezone","type":"keyword","description":"Time zone."},{"field":"source.ip","type":"ip","description":"IP address of the source."},{"field":"source.mac","type":"keyword","description":"MAC address of the source."},{"field":"source.nat.ip","type":"ip","description":"Source NAT ip"},{"field":"source.nat.port","type":"long","description":"Source NAT port"},{"field":"source.packets","type":"long","description":"Packets sent from the source to the destination."},{"field":"source.port","type":"long","description":"Port of the source."},{"field":"source.registered_domain","type":"keyword","description":"The highest registered source domain, stripped of the subdomain."},{"field":"source.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"source.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"source.user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"source.user.email","type":"keyword","description":"User email address."},{"field":"source.user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"source.user.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"source.user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"source.user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"source.user.group.name","type":"keyword","description":"Name of the group."},{"field":"source.user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"source.user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"source.user.name","type":"keyword","description":"Short name or login of the user."},{"field":"source.user.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"source.user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"span.id","type":"keyword","description":"Unique identifier of the span within the scope of its trace."},{"field":"threat.enrichments","type":"nested","description":"List of objects containing indicators enriching the event."},{"field":"threat.enrichments.indicator","type":"object","description":"Object containing indicators enriching the event."},{"field":"threat.enrichments.indicator.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"threat.enrichments.indicator.as.organization.name","type":"keyword","description":"Organization name."},{"field":"threat.enrichments.indicator.as.organization.name.text","type":"match_only_text","description":"Organization name."},{"field":"threat.enrichments.indicator.confidence","type":"keyword","description":"Indicator confidence rating"},{"field":"threat.enrichments.indicator.description","type":"keyword","description":"Indicator description"},{"field":"threat.enrichments.indicator.email.address","type":"keyword","description":"Indicator email address"},{"field":"threat.enrichments.indicator.file.accessed","type":"date","description":"Last time the file was accessed."},{"field":"threat.enrichments.indicator.file.attributes","type":"keyword","description":"Array of file attributes."},{"field":"threat.enrichments.indicator.file.code_signature.digest_algorithm","type":"keyword","description":"Hashing algorithm used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"threat.enrichments.indicator.file.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"threat.enrichments.indicator.file.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"threat.enrichments.indicator.file.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"threat.enrichments.indicator.file.code_signature.timestamp","type":"date","description":"When the signature was generated and signed."},{"field":"threat.enrichments.indicator.file.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"threat.enrichments.indicator.file.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.enrichments.indicator.file.created","type":"date","description":"File creation time."},{"field":"threat.enrichments.indicator.file.ctime","type":"date","description":"Last time the file attributes or metadata changed."},{"field":"threat.enrichments.indicator.file.device","type":"keyword","description":"Device that is the source of the file."},{"field":"threat.enrichments.indicator.file.directory","type":"keyword","description":"Directory where the file is located."},{"field":"threat.enrichments.indicator.file.drive_letter","type":"keyword","description":"Drive letter where the file is located."},{"field":"threat.enrichments.indicator.file.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"threat.enrichments.indicator.file.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"threat.enrichments.indicator.file.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"threat.enrichments.indicator.file.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.enrichments.indicator.file.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"threat.enrichments.indicator.file.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.enrichments.indicator.file.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"threat.enrichments.indicator.file.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"threat.enrichments.indicator.file.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"threat.enrichments.indicator.file.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"threat.enrichments.indicator.file.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"threat.enrichments.indicator.file.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"threat.enrichments.indicator.file.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"threat.enrichments.indicator.file.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"threat.enrichments.indicator.file.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"threat.enrichments.indicator.file.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"threat.enrichments.indicator.file.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"threat.enrichments.indicator.file.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"threat.enrichments.indicator.file.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"threat.enrichments.indicator.file.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"threat.enrichments.indicator.file.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"threat.enrichments.indicator.file.extension","type":"keyword","description":"File extension, excluding the leading dot."},{"field":"threat.enrichments.indicator.file.fork_name","type":"keyword","description":"A fork is additional data associated with a filesystem object."},{"field":"threat.enrichments.indicator.file.gid","type":"keyword","description":"Primary group ID (GID) of the file."},{"field":"threat.enrichments.indicator.file.group","type":"keyword","description":"Primary group name of the file."},{"field":"threat.enrichments.indicator.file.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"threat.enrichments.indicator.file.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"threat.enrichments.indicator.file.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"threat.enrichments.indicator.file.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"threat.enrichments.indicator.file.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"threat.enrichments.indicator.file.inode","type":"keyword","description":"Inode representing the file in the filesystem."},{"field":"threat.enrichments.indicator.file.mime_type","type":"keyword","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.enrichments.indicator.file.mode","type":"keyword","description":"Mode of the file in octal representation."},{"field":"threat.enrichments.indicator.file.mtime","type":"date","description":"Last time the file content was modified."},{"field":"threat.enrichments.indicator.file.name","type":"keyword","description":"Name of the file including the extension, without the directory."},{"field":"threat.enrichments.indicator.file.owner","type":"keyword","description":"File owner's username."},{"field":"threat.enrichments.indicator.file.path","type":"keyword","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.path.text","type":"match_only_text","description":"Full path to the file, including the file name."},{"field":"threat.enrichments.indicator.file.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"threat.enrichments.indicator.file.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.file_version","type":"keyword","description":"Process name."},{"field":"threat.enrichments.indicator.file.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"threat.enrichments.indicator.file.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.enrichments.indicator.file.size","type":"long","description":"File size in bytes."},{"field":"threat.enrichments.indicator.file.target_path","type":"keyword","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.target_path.text","type":"match_only_text","description":"Target path for symlinks."},{"field":"threat.enrichments.indicator.file.type","type":"keyword","description":"File type (file, dir, or symlink)."},{"field":"threat.enrichments.indicator.file.uid","type":"keyword","description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.enrichments.indicator.file.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.file.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"threat.enrichments.indicator.file.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.file.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.file.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.file.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.file.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.enrichments.indicator.file.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.file.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.file.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.file.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"threat.enrichments.indicator.file.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.file.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.file.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.file.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.file.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"threat.enrichments.indicator.first_seen","type":"date","description":"Date/time indicator was first reported."},{"field":"threat.enrichments.indicator.geo.city_name","type":"keyword","description":"City name."},{"field":"threat.enrichments.indicator.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"threat.enrichments.indicator.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"threat.enrichments.indicator.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"threat.enrichments.indicator.geo.country_name","type":"keyword","description":"Country name."},{"field":"threat.enrichments.indicator.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"threat.enrichments.indicator.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"threat.enrichments.indicator.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"threat.enrichments.indicator.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"threat.enrichments.indicator.geo.region_name","type":"keyword","description":"Region name."},{"field":"threat.enrichments.indicator.geo.timezone","type":"keyword","description":"Time zone."},{"field":"threat.enrichments.indicator.ip","type":"ip","description":"Indicator IP address"},{"field":"threat.enrichments.indicator.last_seen","type":"date","description":"Date/time indicator was last reported."},{"field":"threat.enrichments.indicator.marking.tlp","type":"keyword","description":"Indicator TLP marking"},{"field":"threat.enrichments.indicator.modified_at","type":"date","description":"Date/time indicator was last updated."},{"field":"threat.enrichments.indicator.port","type":"long","description":"Indicator port"},{"field":"threat.enrichments.indicator.provider","type":"keyword","description":"Indicator provider"},{"field":"threat.enrichments.indicator.reference","type":"keyword","description":"Indicator reference URL"},{"field":"threat.enrichments.indicator.registry.data.bytes","type":"keyword","description":"Original bytes written with base64 encoding."},{"field":"threat.enrichments.indicator.registry.data.strings","type":"wildcard","description":"List of strings representing what was written to the registry."},{"field":"threat.enrichments.indicator.registry.data.type","type":"keyword","description":"Standard registry type for encoding contents"},{"field":"threat.enrichments.indicator.registry.hive","type":"keyword","description":"Abbreviated name for the hive."},{"field":"threat.enrichments.indicator.registry.key","type":"keyword","description":"Hive-relative path of keys."},{"field":"threat.enrichments.indicator.registry.path","type":"keyword","description":"Full path, including hive, key and value"},{"field":"threat.enrichments.indicator.registry.value","type":"keyword","description":"Name of the value written."},{"field":"threat.enrichments.indicator.scanner_stats","type":"long","description":"Scanner statistics"},{"field":"threat.enrichments.indicator.sightings","type":"long","description":"Number of times indicator observed"},{"field":"threat.enrichments.indicator.type","type":"keyword","description":"Type of indicator"},{"field":"threat.enrichments.indicator.url.domain","type":"keyword","description":"Domain of the url."},{"field":"threat.enrichments.indicator.url.extension","type":"keyword","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.enrichments.indicator.url.fragment","type":"keyword","description":"Portion of the url after the `#`."},{"field":"threat.enrichments.indicator.url.full","type":"wildcard","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.full.text","type":"match_only_text","description":"Full unparsed URL."},{"field":"threat.enrichments.indicator.url.original","type":"wildcard","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.original.text","type":"match_only_text","description":"Unmodified original url as seen in the event source."},{"field":"threat.enrichments.indicator.url.password","type":"keyword","description":"Password of the request."},{"field":"threat.enrichments.indicator.url.path","type":"wildcard","description":"Path of the request, such as \"/search\"."},{"field":"threat.enrichments.indicator.url.port","type":"long","description":"Port of the request, such as 443."},{"field":"threat.enrichments.indicator.url.query","type":"keyword","description":"Query string of the request."},{"field":"threat.enrichments.indicator.url.registered_domain","type":"keyword","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.enrichments.indicator.url.scheme","type":"keyword","description":"Scheme of the url."},{"field":"threat.enrichments.indicator.url.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"threat.enrichments.indicator.url.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.enrichments.indicator.url.username","type":"keyword","description":"Username of the request."},{"field":"threat.enrichments.indicator.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"threat.enrichments.indicator.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"threat.enrichments.indicator.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.enrichments.indicator.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.enrichments.indicator.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"threat.enrichments.indicator.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"threat.enrichments.indicator.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.enrichments.indicator.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"threat.enrichments.indicator.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"threat.enrichments.indicator.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"threat.enrichments.indicator.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"threat.enrichments.indicator.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"threat.enrichments.indicator.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.enrichments.indicator.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.enrichments.indicator.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"threat.enrichments.indicator.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"threat.enrichments.indicator.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.enrichments.indicator.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"threat.enrichments.matched.atomic","type":"keyword","description":"Matched indicator value"},{"field":"threat.enrichments.matched.field","type":"keyword","description":"Matched indicator field"},{"field":"threat.enrichments.matched.id","type":"keyword","description":"Matched indicator identifier"},{"field":"threat.enrichments.matched.index","type":"keyword","description":"Matched indicator index"},{"field":"threat.enrichments.matched.type","type":"keyword","description":"Type of indicator match"},{"field":"threat.framework","type":"keyword","description":"Threat classification framework."},{"field":"threat.group.alias","type":"keyword","description":"Alias of the group."},{"field":"threat.group.id","type":"keyword","description":"ID of the group."},{"field":"threat.group.name","type":"keyword","description":"Name of the group."},{"field":"threat.group.reference","type":"keyword","description":"Reference URL of the group."},{"field":"threat.indicator.as.number","type":"long","description":"Unique number allocated to the autonomous system."},{"field":"threat.indicator.as.organization.name","type":"keyword","description":"Organization name."},{"field":"threat.indicator.as.organization.name.text","type":"match_only_text","description":"Organization name."},{"field":"threat.indicator.confidence","type":"keyword","description":"Indicator confidence rating"},{"field":"threat.indicator.description","type":"keyword","description":"Indicator description"},{"field":"threat.indicator.email.address","type":"keyword","description":"Indicator email address"},{"field":"threat.indicator.file.accessed","type":"date","description":"Last time the file was accessed."},{"field":"threat.indicator.file.attributes","type":"keyword","description":"Array of file attributes."},{"field":"threat.indicator.file.code_signature.digest_algorithm","type":"keyword","description":"Hashing algorithm used to sign the process."},{"field":"threat.indicator.file.code_signature.exists","type":"boolean","description":"Boolean to capture if a signature is present."},{"field":"threat.indicator.file.code_signature.signing_id","type":"keyword","description":"The identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.status","type":"keyword","description":"Additional information about the certificate status."},{"field":"threat.indicator.file.code_signature.subject_name","type":"keyword","description":"Subject name of the code signer"},{"field":"threat.indicator.file.code_signature.team_id","type":"keyword","description":"The team identifier used to sign the process."},{"field":"threat.indicator.file.code_signature.timestamp","type":"date","description":"When the signature was generated and signed."},{"field":"threat.indicator.file.code_signature.trusted","type":"boolean","description":"Stores the trust status of the certificate chain."},{"field":"threat.indicator.file.code_signature.valid","type":"boolean","description":"Boolean to capture if the digital signature is verified against the binary content."},{"field":"threat.indicator.file.created","type":"date","description":"File creation time."},{"field":"threat.indicator.file.ctime","type":"date","description":"Last time the file attributes or metadata changed."},{"field":"threat.indicator.file.device","type":"keyword","description":"Device that is the source of the file."},{"field":"threat.indicator.file.directory","type":"keyword","description":"Directory where the file is located."},{"field":"threat.indicator.file.drive_letter","type":"keyword","description":"Drive letter where the file is located."},{"field":"threat.indicator.file.elf.architecture","type":"keyword","description":"Machine architecture of the ELF file."},{"field":"threat.indicator.file.elf.byte_order","type":"keyword","description":"Byte sequence of ELF file."},{"field":"threat.indicator.file.elf.cpu_type","type":"keyword","description":"CPU type of the ELF file."},{"field":"threat.indicator.file.elf.creation_date","type":"date","description":"Build or compile date."},{"field":"threat.indicator.file.elf.exports","type":"flattened","description":"List of exported element names and types."},{"field":"threat.indicator.file.elf.header.abi_version","type":"keyword","description":"Version of the ELF Application Binary Interface (ABI)."},{"field":"threat.indicator.file.elf.header.class","type":"keyword","description":"Header class of the ELF file."},{"field":"threat.indicator.file.elf.header.data","type":"keyword","description":"Data table of the ELF header."},{"field":"threat.indicator.file.elf.header.entrypoint","type":"long","description":"Header entrypoint of the ELF file."},{"field":"threat.indicator.file.elf.header.object_version","type":"keyword","description":"0x1\" for original ELF files."},{"field":"threat.indicator.file.elf.header.os_abi","type":"keyword","description":"Application Binary Interface (ABI) of the Linux OS."},{"field":"threat.indicator.file.elf.header.type","type":"keyword","description":"Header type of the ELF file."},{"field":"threat.indicator.file.elf.header.version","type":"keyword","description":"Version of the ELF header."},{"field":"threat.indicator.file.elf.imports","type":"flattened","description":"List of imported element names and types."},{"field":"threat.indicator.file.elf.sections","type":"nested","description":"Section information of the ELF file."},{"field":"threat.indicator.file.elf.sections.chi2","type":"long","description":"Chi-square probability distribution of the section."},{"field":"threat.indicator.file.elf.sections.entropy","type":"long","description":"Shannon entropy calculation from the section."},{"field":"threat.indicator.file.elf.sections.flags","type":"keyword","description":"ELF Section List flags."},{"field":"threat.indicator.file.elf.sections.name","type":"keyword","description":"ELF Section List name."},{"field":"threat.indicator.file.elf.sections.physical_offset","type":"keyword","description":"ELF Section List offset."},{"field":"threat.indicator.file.elf.sections.physical_size","type":"long","description":"ELF Section List physical size."},{"field":"threat.indicator.file.elf.sections.type","type":"keyword","description":"ELF Section List type."},{"field":"threat.indicator.file.elf.sections.virtual_address","type":"long","description":"ELF Section List virtual address."},{"field":"threat.indicator.file.elf.sections.virtual_size","type":"long","description":"ELF Section List virtual size."},{"field":"threat.indicator.file.elf.segments","type":"nested","description":"ELF object segment list."},{"field":"threat.indicator.file.elf.segments.sections","type":"keyword","description":"ELF object segment sections."},{"field":"threat.indicator.file.elf.segments.type","type":"keyword","description":"ELF object segment type."},{"field":"threat.indicator.file.elf.shared_libraries","type":"keyword","description":"List of shared libraries used by this ELF object."},{"field":"threat.indicator.file.elf.telfhash","type":"keyword","description":"telfhash hash for ELF file."},{"field":"threat.indicator.file.extension","type":"keyword","description":"File extension, excluding the leading dot."},{"field":"threat.indicator.file.fork_name","type":"keyword","description":"A fork is additional data associated with a filesystem object."},{"field":"threat.indicator.file.gid","type":"keyword","description":"Primary group ID (GID) of the file."},{"field":"threat.indicator.file.group","type":"keyword","description":"Primary group name of the file."},{"field":"threat.indicator.file.hash.md5","type":"keyword","description":"MD5 hash."},{"field":"threat.indicator.file.hash.sha1","type":"keyword","description":"SHA1 hash."},{"field":"threat.indicator.file.hash.sha256","type":"keyword","description":"SHA256 hash."},{"field":"threat.indicator.file.hash.sha512","type":"keyword","description":"SHA512 hash."},{"field":"threat.indicator.file.hash.ssdeep","type":"keyword","description":"SSDEEP hash."},{"field":"threat.indicator.file.inode","type":"keyword","description":"Inode representing the file in the filesystem."},{"field":"threat.indicator.file.mime_type","type":"keyword","description":"Media type of file, document, or arrangement of bytes."},{"field":"threat.indicator.file.mode","type":"keyword","description":"Mode of the file in octal representation."},{"field":"threat.indicator.file.mtime","type":"date","description":"Last time the file content was modified."},{"field":"threat.indicator.file.name","type":"keyword","description":"Name of the file including the extension, without the directory."},{"field":"threat.indicator.file.owner","type":"keyword","description":"File owner's username."},{"field":"threat.indicator.file.path","type":"keyword","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.path.text","type":"match_only_text","description":"Full path to the file, including the file name."},{"field":"threat.indicator.file.pe.architecture","type":"keyword","description":"CPU architecture target for the file."},{"field":"threat.indicator.file.pe.company","type":"keyword","description":"Internal company name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.description","type":"keyword","description":"Internal description of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.file_version","type":"keyword","description":"Process name."},{"field":"threat.indicator.file.pe.imphash","type":"keyword","description":"A hash of the imports in a PE file."},{"field":"threat.indicator.file.pe.original_file_name","type":"keyword","description":"Internal name of the file, provided at compile-time."},{"field":"threat.indicator.file.pe.product","type":"keyword","description":"Internal product name of the file, provided at compile-time."},{"field":"threat.indicator.file.size","type":"long","description":"File size in bytes."},{"field":"threat.indicator.file.target_path","type":"keyword","description":"Target path for symlinks."},{"field":"threat.indicator.file.target_path.text","type":"match_only_text","description":"Target path for symlinks."},{"field":"threat.indicator.file.type","type":"keyword","description":"File type (file, dir, or symlink)."},{"field":"threat.indicator.file.uid","type":"keyword","description":"The user ID (UID) or security identifier (SID) of the file owner."},{"field":"threat.indicator.file.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.file.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"threat.indicator.file.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.file.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.file.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.file.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.file.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.file.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.indicator.file.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"threat.indicator.file.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.file.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.file.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"threat.indicator.file.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"threat.indicator.file.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.file.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.indicator.file.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"threat.indicator.file.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.file.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.file.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"threat.indicator.first_seen","type":"date","description":"Date/time indicator was first reported."},{"field":"threat.indicator.geo.city_name","type":"keyword","description":"City name."},{"field":"threat.indicator.geo.continent_code","type":"keyword","description":"Continent code."},{"field":"threat.indicator.geo.continent_name","type":"keyword","description":"Name of the continent."},{"field":"threat.indicator.geo.country_iso_code","type":"keyword","description":"Country ISO code."},{"field":"threat.indicator.geo.country_name","type":"keyword","description":"Country name."},{"field":"threat.indicator.geo.location","type":"geo_point","description":"Longitude and latitude."},{"field":"threat.indicator.geo.name","type":"keyword","description":"User-defined description of a location."},{"field":"threat.indicator.geo.postal_code","type":"keyword","description":"Postal code."},{"field":"threat.indicator.geo.region_iso_code","type":"keyword","description":"Region ISO code."},{"field":"threat.indicator.geo.region_name","type":"keyword","description":"Region name."},{"field":"threat.indicator.geo.timezone","type":"keyword","description":"Time zone."},{"field":"threat.indicator.ip","type":"ip","description":"Indicator IP address"},{"field":"threat.indicator.last_seen","type":"date","description":"Date/time indicator was last reported."},{"field":"threat.indicator.marking.tlp","type":"keyword","description":"Indicator TLP marking"},{"field":"threat.indicator.modified_at","type":"date","description":"Date/time indicator was last updated."},{"field":"threat.indicator.port","type":"long","description":"Indicator port"},{"field":"threat.indicator.provider","type":"keyword","description":"Indicator provider"},{"field":"threat.indicator.reference","type":"keyword","description":"Indicator reference URL"},{"field":"threat.indicator.registry.data.bytes","type":"keyword","description":"Original bytes written with base64 encoding."},{"field":"threat.indicator.registry.data.strings","type":"wildcard","description":"List of strings representing what was written to the registry."},{"field":"threat.indicator.registry.data.type","type":"keyword","description":"Standard registry type for encoding contents"},{"field":"threat.indicator.registry.hive","type":"keyword","description":"Abbreviated name for the hive."},{"field":"threat.indicator.registry.key","type":"keyword","description":"Hive-relative path of keys."},{"field":"threat.indicator.registry.path","type":"keyword","description":"Full path, including hive, key and value"},{"field":"threat.indicator.registry.value","type":"keyword","description":"Name of the value written."},{"field":"threat.indicator.scanner_stats","type":"long","description":"Scanner statistics"},{"field":"threat.indicator.sightings","type":"long","description":"Number of times indicator observed"},{"field":"threat.indicator.type","type":"keyword","description":"Type of indicator"},{"field":"threat.indicator.url.domain","type":"keyword","description":"Domain of the url."},{"field":"threat.indicator.url.extension","type":"keyword","description":"File extension from the request url, excluding the leading dot."},{"field":"threat.indicator.url.fragment","type":"keyword","description":"Portion of the url after the `#`."},{"field":"threat.indicator.url.full","type":"wildcard","description":"Full unparsed URL."},{"field":"threat.indicator.url.full.text","type":"match_only_text","description":"Full unparsed URL."},{"field":"threat.indicator.url.original","type":"wildcard","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.original.text","type":"match_only_text","description":"Unmodified original url as seen in the event source."},{"field":"threat.indicator.url.password","type":"keyword","description":"Password of the request."},{"field":"threat.indicator.url.path","type":"wildcard","description":"Path of the request, such as \"/search\"."},{"field":"threat.indicator.url.port","type":"long","description":"Port of the request, such as 443."},{"field":"threat.indicator.url.query","type":"keyword","description":"Query string of the request."},{"field":"threat.indicator.url.registered_domain","type":"keyword","description":"The highest registered url domain, stripped of the subdomain."},{"field":"threat.indicator.url.scheme","type":"keyword","description":"Scheme of the url."},{"field":"threat.indicator.url.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"threat.indicator.url.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"threat.indicator.url.username","type":"keyword","description":"Username of the request."},{"field":"threat.indicator.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"threat.indicator.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"threat.indicator.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.indicator.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"threat.indicator.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"threat.indicator.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"threat.indicator.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"threat.indicator.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"threat.indicator.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"threat.indicator.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"threat.indicator.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"threat.indicator.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"threat.indicator.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"threat.indicator.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"threat.indicator.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"threat.indicator.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"threat.indicator.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"threat.indicator.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"threat.indicator.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"threat.software.alias","type":"keyword","description":"Alias of the software"},{"field":"threat.software.id","type":"keyword","description":"ID of the software"},{"field":"threat.software.name","type":"keyword","description":"Name of the software."},{"field":"threat.software.platforms","type":"keyword","description":"Platforms of the software."},{"field":"threat.software.reference","type":"keyword","description":"Software reference URL."},{"field":"threat.software.type","type":"keyword","description":"Software type."},{"field":"threat.tactic.id","type":"keyword","description":"Threat tactic id."},{"field":"threat.tactic.name","type":"keyword","description":"Threat tactic."},{"field":"threat.tactic.reference","type":"keyword","description":"Threat tactic URL reference."},{"field":"threat.technique.id","type":"keyword","description":"Threat technique id."},{"field":"threat.technique.name","type":"keyword","description":"Threat technique name."},{"field":"threat.technique.name.text","type":"match_only_text","description":"Threat technique name."},{"field":"threat.technique.reference","type":"keyword","description":"Threat technique URL reference."},{"field":"threat.technique.subtechnique.id","type":"keyword","description":"Threat subtechnique id."},{"field":"threat.technique.subtechnique.name","type":"keyword","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.name.text","type":"match_only_text","description":"Threat subtechnique name."},{"field":"threat.technique.subtechnique.reference","type":"keyword","description":"Threat subtechnique URL reference."},{"field":"tls.cipher","type":"keyword","description":"String indicating the cipher used during the current connection."},{"field":"tls.client.certificate","type":"keyword","description":"PEM-encoded stand-alone certificate offered by the client."},{"field":"tls.client.certificate_chain","type":"keyword","description":"Array of PEM-encoded certificates that make up the certificate chain offered by the client."},{"field":"tls.client.hash.md5","type":"keyword","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha1","type":"keyword","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.hash.sha256","type":"keyword","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client."},{"field":"tls.client.issuer","type":"keyword","description":"Distinguished name of subject of the issuer of the x.509 certificate presented by the client."},{"field":"tls.client.ja3","type":"keyword","description":"A hash that identifies clients based on how they perform an SSL/TLS handshake."},{"field":"tls.client.not_after","type":"date","description":"Date/Time indicating when client certificate is no longer considered valid."},{"field":"tls.client.not_before","type":"date","description":"Date/Time indicating when client certificate is first considered valid."},{"field":"tls.client.server_name","type":"keyword","description":"Hostname the client is trying to connect to. Also called the SNI."},{"field":"tls.client.subject","type":"keyword","description":"Distinguished name of subject of the x.509 certificate presented by the client."},{"field":"tls.client.supported_ciphers","type":"keyword","description":"Array of ciphers offered by the client during the client hello."},{"field":"tls.client.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"tls.client.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"tls.client.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.client.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.client.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.client.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.client.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.client.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"tls.client.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"tls.client.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.client.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.client.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"tls.client.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"tls.client.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"tls.client.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"tls.client.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"tls.client.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.client.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.client.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"tls.client.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"tls.client.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.client.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"tls.curve","type":"keyword","description":"String indicating the curve used for the given cipher, when applicable."},{"field":"tls.established","type":"boolean","description":"Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel."},{"field":"tls.next_protocol","type":"keyword","description":"String indicating the protocol being tunneled."},{"field":"tls.resumed","type":"boolean","description":"Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation."},{"field":"tls.server.certificate","type":"keyword","description":"PEM-encoded stand-alone certificate offered by the server."},{"field":"tls.server.certificate_chain","type":"keyword","description":"Array of PEM-encoded certificates that make up the certificate chain offered by the server."},{"field":"tls.server.hash.md5","type":"keyword","description":"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha1","type":"keyword","description":"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.hash.sha256","type":"keyword","description":"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server."},{"field":"tls.server.issuer","type":"keyword","description":"Subject of the issuer of the x.509 certificate presented by the server."},{"field":"tls.server.ja3s","type":"keyword","description":"A hash that identifies servers based on how they perform an SSL/TLS handshake."},{"field":"tls.server.not_after","type":"date","description":"Timestamp indicating when server certificate is no longer considered valid."},{"field":"tls.server.not_before","type":"date","description":"Timestamp indicating when server certificate is first considered valid."},{"field":"tls.server.subject","type":"keyword","description":"Subject of the x.509 certificate presented by the server."},{"field":"tls.server.x509.alternative_names","type":"keyword","description":"List of subject alternative names (SAN)."},{"field":"tls.server.x509.issuer.common_name","type":"keyword","description":"List of common name (CN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.country","type":"keyword","description":"List of country (C) codes"},{"field":"tls.server.x509.issuer.distinguished_name","type":"keyword","description":"Distinguished name (DN) of issuing certificate authority."},{"field":"tls.server.x509.issuer.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.server.x509.issuer.organization","type":"keyword","description":"List of organizations (O) of issuing certificate authority."},{"field":"tls.server.x509.issuer.organizational_unit","type":"keyword","description":"List of organizational units (OU) of issuing certificate authority."},{"field":"tls.server.x509.issuer.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.not_after","type":"date","description":"Time at which the certificate is no longer considered valid."},{"field":"tls.server.x509.not_before","type":"date","description":"Time at which the certificate is first considered valid."},{"field":"tls.server.x509.public_key_algorithm","type":"keyword","description":"Algorithm used to generate the public key."},{"field":"tls.server.x509.public_key_curve","type":"keyword","description":"The curve used by the elliptic curve public key algorithm. This is algorithm specific."},{"field":"tls.server.x509.public_key_exponent","type":"long","description":"Exponent used to derive the public key. This is algorithm specific."},{"field":"tls.server.x509.public_key_size","type":"long","description":"The size of the public key space in bits."},{"field":"tls.server.x509.serial_number","type":"keyword","description":"Unique serial number issued by the certificate authority."},{"field":"tls.server.x509.signature_algorithm","type":"keyword","description":"Identifier for certificate signature algorithm."},{"field":"tls.server.x509.subject.common_name","type":"keyword","description":"List of common names (CN) of subject."},{"field":"tls.server.x509.subject.country","type":"keyword","description":"List of country (C) code"},{"field":"tls.server.x509.subject.distinguished_name","type":"keyword","description":"Distinguished name (DN) of the certificate subject entity."},{"field":"tls.server.x509.subject.locality","type":"keyword","description":"List of locality names (L)"},{"field":"tls.server.x509.subject.organization","type":"keyword","description":"List of organizations (O) of subject."},{"field":"tls.server.x509.subject.organizational_unit","type":"keyword","description":"List of organizational units (OU) of subject."},{"field":"tls.server.x509.subject.state_or_province","type":"keyword","description":"List of state or province names (ST, S, or P)"},{"field":"tls.server.x509.version_number","type":"keyword","description":"Version of x509 format."},{"field":"tls.version","type":"keyword","description":"Numeric part of the version parsed from the original string."},{"field":"tls.version_protocol","type":"keyword","description":"Normalized lowercase protocol name parsed from original string."},{"field":"trace.id","type":"keyword","description":"Unique identifier of the trace."},{"field":"transaction.id","type":"keyword","description":"Unique identifier of the transaction within the scope of its trace."},{"field":"url.domain","type":"keyword","description":"Domain of the url."},{"field":"url.extension","type":"keyword","description":"File extension from the request url, excluding the leading dot."},{"field":"url.fragment","type":"keyword","description":"Portion of the url after the `#`."},{"field":"url.full","type":"wildcard","description":"Full unparsed URL."},{"field":"url.full.text","type":"match_only_text","description":"Full unparsed URL."},{"field":"url.original","type":"wildcard","description":"Unmodified original url as seen in the event source."},{"field":"url.original.text","type":"match_only_text","description":"Unmodified original url as seen in the event source."},{"field":"url.password","type":"keyword","description":"Password of the request."},{"field":"url.path","type":"wildcard","description":"Path of the request, such as \"/search\"."},{"field":"url.port","type":"long","description":"Port of the request, such as 443."},{"field":"url.query","type":"keyword","description":"Query string of the request."},{"field":"url.registered_domain","type":"keyword","description":"The highest registered url domain, stripped of the subdomain."},{"field":"url.scheme","type":"keyword","description":"Scheme of the url."},{"field":"url.subdomain","type":"keyword","description":"The subdomain of the domain."},{"field":"url.top_level_domain","type":"keyword","description":"The effective top level domain (com, org, net, co.uk)."},{"field":"url.username","type":"keyword","description":"Username of the request."},{"field":"user.changes.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.changes.email","type":"keyword","description":"User email address."},{"field":"user.changes.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.changes.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"user.changes.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.changes.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.changes.group.name","type":"keyword","description":"Name of the group."},{"field":"user.changes.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.changes.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.changes.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.changes.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"user.changes.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.effective.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.effective.email","type":"keyword","description":"User email address."},{"field":"user.effective.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.effective.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"user.effective.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.effective.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.effective.group.name","type":"keyword","description":"Name of the group."},{"field":"user.effective.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.effective.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.effective.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.effective.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"user.effective.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user.email","type":"keyword","description":"User email address."},{"field":"user.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"user.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.group.name","type":"keyword","description":"Name of the group."},{"field":"user.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"user.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user.target.domain","type":"keyword","description":"Name of the directory the user is a member of."},{"field":"user.target.email","type":"keyword","description":"User email address."},{"field":"user.target.full_name","type":"keyword","description":"User's full name, if available."},{"field":"user.target.full_name.text","type":"match_only_text","description":"User's full name, if available."},{"field":"user.target.group.domain","type":"keyword","description":"Name of the directory the group is a member of."},{"field":"user.target.group.id","type":"keyword","description":"Unique identifier for the group on the system/platform."},{"field":"user.target.group.name","type":"keyword","description":"Name of the group."},{"field":"user.target.hash","type":"keyword","description":"Unique user hash to correlate information for a user in anonymized form."},{"field":"user.target.id","type":"keyword","description":"Unique identifier of the user."},{"field":"user.target.name","type":"keyword","description":"Short name or login of the user."},{"field":"user.target.name.text","type":"match_only_text","description":"Short name or login of the user."},{"field":"user.target.roles","type":"keyword","description":"Array of user roles at the time of the event."},{"field":"user_agent.device.name","type":"keyword","description":"Name of the device."},{"field":"user_agent.name","type":"keyword","description":"Name of the user agent."},{"field":"user_agent.original","type":"keyword","description":"Unparsed user_agent string."},{"field":"user_agent.original.text","type":"match_only_text","description":"Unparsed user_agent string."},{"field":"user_agent.os.family","type":"keyword","description":"OS family (such as redhat, debian, freebsd, windows)."},{"field":"user_agent.os.full","type":"keyword","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.full.text","type":"match_only_text","description":"Operating system name, including the version or code name."},{"field":"user_agent.os.kernel","type":"keyword","description":"Operating system kernel version as a raw string."},{"field":"user_agent.os.name","type":"keyword","description":"Operating system name, without the version."},{"field":"user_agent.os.name.text","type":"match_only_text","description":"Operating system name, without the version."},{"field":"user_agent.os.platform","type":"keyword","description":"Operating system platform (such centos, ubuntu, windows)."},{"field":"user_agent.os.type","type":"keyword","description":"Which commercial OS family (one of: linux, macos, unix or windows)."},{"field":"user_agent.os.version","type":"keyword","description":"Operating system version as a raw string."},{"field":"user_agent.version","type":"keyword","description":"Version of the user agent."},{"field":"vulnerability.category","type":"keyword","description":"Category of a vulnerability."},{"field":"vulnerability.classification","type":"keyword","description":"Classification of the vulnerability."},{"field":"vulnerability.description","type":"keyword","description":"Description of the vulnerability."},{"field":"vulnerability.description.text","type":"match_only_text","description":"Description of the vulnerability."},{"field":"vulnerability.enumeration","type":"keyword","description":"Identifier of the vulnerability."},{"field":"vulnerability.id","type":"keyword","description":"ID of the vulnerability."},{"field":"vulnerability.reference","type":"keyword","description":"Reference of the vulnerability."},{"field":"vulnerability.report_id","type":"keyword","description":"Scan identification number."},{"field":"vulnerability.scanner.vendor","type":"keyword","description":"Name of the scanner vendor."},{"field":"vulnerability.score.base","type":"float","description":"Vulnerability Base score."},{"field":"vulnerability.score.environmental","type":"float","description":"Vulnerability Environmental score."},{"field":"vulnerability.score.temporal","type":"float","description":"Vulnerability Temporal score."},{"field":"vulnerability.score.version","type":"keyword","description":"CVSS version."},{"field":"vulnerability.severity","type":"keyword","description":"Severity of the vulnerability."}] \ No newline at end of file diff --git a/x-pack/plugins/osquery/public/common/schemas/osquery/v4.9.0.json b/x-pack/plugins/osquery/public/common/schemas/osquery/v4.9.0.json deleted file mode 100644 index 1c41c10ef4ebd..0000000000000 --- a/x-pack/plugins/osquery/public/common/schemas/osquery/v4.9.0.json +++ /dev/null @@ -1 +0,0 @@ -[{"name":"account_policy_data","description":"Additional OS X user account data from the AccountPolicy section of OpenDirectory.","platforms":["darwin"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the account was first created","type":"double","hidden":false,"required":false,"index":false},{"name":"failed_login_count","description":"The number of failed login attempts using an incorrect password. Count resets after a correct password is entered.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"failed_login_timestamp","description":"The time of the last failed login attempt. Resets after a correct password is entered","type":"double","hidden":false,"required":false,"index":false},{"name":"password_last_set_time","description":"The time the password was last changed","type":"double","hidden":false,"required":false,"index":false}]},{"name":"acpi_tables","description":"Firmware ACPI functional table common metadata and content.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"ACPI table name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of compiled table data","type":"integer","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table content","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ad_config","description":"OS X Active Directory configuration.","platforms":["darwin"],"columns":[{"name":"name","description":"The OS X-specific configuration name","type":"text","hidden":false,"required":false,"index":false},{"name":"domain","description":"Active Directory trust domain","type":"text","hidden":false,"required":false,"index":false},{"name":"option","description":"Canonical name of option","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Variable typed option value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"alf","description":"OS X application layer firewall (ALF) service details.","platforms":["darwin"],"columns":[{"name":"allow_signed_enabled","description":"1 If allow signed mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"firewall_unload","description":"1 If firewall unloading enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"global_state","description":"1 If the firewall is enabled with exceptions, 2 if the firewall is configured to block all incoming connections, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_enabled","description":"1 If logging mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_option","description":"Firewall logging option","type":"integer","hidden":false,"required":false,"index":false},{"name":"stealth_enabled","description":"1 If stealth mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Application Layer Firewall version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"alf_exceptions","description":"OS X application layer firewall (ALF) service exceptions.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to the executable that is excepted","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Firewall exception state","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"alf_explicit_auths","description":"ALF services explicitly allowed to perform networking.","platforms":["darwin"],"columns":[{"name":"process","description":"Process name explicitly allowed","type":"text","hidden":false,"required":false,"index":false}]},{"name":"app_schemes","description":"OS X application schemes and handlers (e.g., http, file, mailto).","platforms":["darwin"],"columns":[{"name":"scheme","description":"Name of the scheme/protocol","type":"text","hidden":false,"required":false,"index":false},{"name":"handler","description":"Application label for the handler","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if this handler is the OS default, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"external","description":"1 if this handler does NOT exist on OS X by default, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"protected","description":"1 if this handler is protected (reserved) by OS X, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"apparmor_events","description":"Track AppArmor events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Raw audit message","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"apparmor","description":"Apparmor Status like ALLOWED, DENIED etc.","type":"text","hidden":false,"required":false,"index":false},{"name":"operation","description":"Permission requested by the process","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process PID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"profile","description":"Apparmor profile name","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"denied_mask","description":"Denied permissions for the process","type":"text","hidden":false,"required":false,"index":false},{"name":"capname","description":"Capability requested by the process","type":"text","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"ouid","description":"Object owner's user ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"capability","description":"Capability number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"requested_mask","description":"Requested access mask","type":"text","hidden":false,"required":false,"index":false},{"name":"info","description":"Additional information","type":"text","hidden":false,"required":false,"index":false},{"name":"error","description":"Error information","type":"text","hidden":false,"required":false,"index":false},{"name":"namespace","description":"AppArmor namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"AppArmor label","type":"text","hidden":false,"required":false,"index":false}]},{"name":"apparmor_profiles","description":"Track active AppArmor profiles.","platforms":["linux"],"columns":[{"name":"path","description":"Unique, aa-status compatible, policy identifier.","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Policy name.","type":"text","hidden":false,"required":false,"index":false},{"name":"attach","description":"Which executable(s) a profile will attach to.","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"How the policy is applied.","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"A unique hash that identifies this policy.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"appcompat_shims","description":"Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.","platforms":["windows"],"columns":[{"name":"executable","description":"Name of the executable that is being shimmed. This is pulled from the registry.","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to the SDB database.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the SDB.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Install time of the SDB","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the SDB database.","type":"text","hidden":false,"required":false,"index":false},{"name":"sdb_id","description":"Unique GUID of the SDB.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"apps","description":"OS X applications installed in known search paths (e.g., /Applications).","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the Name.app folder","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute and full Name.app path","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_executable","description":"Info properties CFBundleExecutable label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_identifier","description":"Info properties CFBundleIdentifier label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_name","description":"Info properties CFBundleName label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_short_version","description":"Info properties CFBundleShortVersionString label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_version","description":"Info properties CFBundleVersion label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_package_type","description":"Info properties CFBundlePackageType label","type":"text","hidden":false,"required":false,"index":false},{"name":"environment","description":"Application-set environment variables","type":"text","hidden":false,"required":false,"index":false},{"name":"element","description":"Does the app identify as a background agent","type":"text","hidden":false,"required":false,"index":false},{"name":"compiler","description":"Info properties DTCompiler label","type":"text","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Info properties CFBundleDevelopmentRegion label","type":"text","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Info properties CFBundleDisplayName label","type":"text","hidden":false,"required":false,"index":false},{"name":"info_string","description":"Info properties CFBundleGetInfoString label","type":"text","hidden":false,"required":false,"index":false},{"name":"minimum_system_version","description":"Minimum version of OS X required for the app to run","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The UTI that categorizes the app for the App Store","type":"text","hidden":false,"required":false,"index":false},{"name":"applescript_enabled","description":"Info properties NSAppleScriptEnabled label","type":"text","hidden":false,"required":false,"index":false},{"name":"copyright","description":"Info properties NSHumanReadableCopyright label","type":"text","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"The time that the app was last used","type":"double","hidden":false,"required":false,"index":false}]},{"name":"apt_sources","description":"Current list of APT repositories or software channels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Repository name","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source file","type":"text","hidden":false,"required":false,"index":false},{"name":"base_uri","description":"Repository base URI","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"Release name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Repository source version","type":"text","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Repository maintainer","type":"text","hidden":false,"required":false,"index":false},{"name":"components","description":"Repository components","type":"text","hidden":false,"required":false,"index":false},{"name":"architectures","description":"Repository architectures","type":"text","hidden":false,"required":false,"index":false}]},{"name":"arp_cache","description":"Address resolution cache, both static and dynamic (from ARP, NDP).","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"address","description":"IPv4 address target","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address of broadcasted address","type":"text","hidden":false,"required":false,"index":false},{"name":"interface","description":"Interface of the network for the MAC","type":"text","hidden":false,"required":false,"index":false},{"name":"permanent","description":"1 for true, 0 for false","type":"text","hidden":false,"required":false,"index":false}]},{"name":"asl","description":"Queries the Apple System Log data structure for system events.","platforms":["darwin"],"columns":[{"name":"time","description":"Unix timestamp. Set automatically","type":"integer","hidden":false,"required":false,"index":false},{"name":"time_nano_sec","description":"Nanosecond time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"host","description":"Sender's address (set by the server).","type":"text","hidden":false,"required":false,"index":false},{"name":"sender","description":"Sender's identification string. Default is process name.","type":"text","hidden":false,"required":false,"index":false},{"name":"facility","description":"Sender's facility. Default is 'user'.","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Sending process ID encoded as a string. Set automatically.","type":"integer","hidden":false,"required":false,"index":false},{"name":"gid","description":"GID that sent the log message (set by the server).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"UID that sent the log message (set by the server).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"level","description":"Log level number. See levels in asl.h.","type":"integer","hidden":false,"required":false,"index":false},{"name":"message","description":"Message text.","type":"text","hidden":false,"required":false,"index":false},{"name":"ref_pid","description":"Reference PID for messages proxied by launchd","type":"integer","hidden":false,"required":false,"index":false},{"name":"ref_proc","description":"Reference process for messages proxied by launchd","type":"text","hidden":false,"required":false,"index":false},{"name":"extra","description":"Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"atom_packages","description":"Lists all atom packages in a directory or globally installed in a system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Package supplied description","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Package's package.json path","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License for package","type":"text","hidden":false,"required":false,"index":false},{"name":"homepage","description":"Package supplied homepage","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the plugin","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"augeas","description":"Configuration files parsed by augeas.","platforms":["darwin","linux"],"columns":[{"name":"node","description":"The node path of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The value of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"The label of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path to the configuration file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authenticode","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["windows"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"original_program_name","description":"The original program name that the publisher has signed","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_name","description":"The certificate issuer name","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_name","description":"The certificate subject name","type":"text","hidden":false,"required":false,"index":false},{"name":"result","description":"The signature check result","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorization_mechanisms","description":"OS X Authorization mechanisms database.","platforms":["darwin"],"columns":[{"name":"label","description":"Label of the authorization right","type":"text","hidden":false,"required":false,"index":false},{"name":"plugin","description":"Authorization plugin name","type":"text","hidden":false,"required":false,"index":false},{"name":"mechanism","description":"Name of the mechanism that will be called","type":"text","hidden":false,"required":false,"index":false},{"name":"privileged","description":"If privileged it will run as root, else as an anonymous user","type":"text","hidden":false,"required":false,"index":false},{"name":"entry","description":"The whole string entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorizations","description":"OS X Authorization rights database.","platforms":["darwin"],"columns":[{"name":"label","description":"Item name, usually in reverse domain format","type":"text","hidden":false,"required":false,"index":false},{"name":"modified","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"allow_root","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"timeout","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"tries","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"authenticate_user","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"shared","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"session_owner","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorized_keys","description":"A line-delimited authorized_keys table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local owner of authorized_keys file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"algorithm","description":"algorithm of key","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"parsed authorized keys line","type":"text","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to the authorized_keys file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"autoexec","description":"Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the executable","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the program","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source table of the autoexec item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_metadata","description":"Azure instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"location","description":"Azure Region the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"offer","description":"Offer information for the VM image (Azure image gallery VMs only)","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Publisher of the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"sku","description":"SKU for the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Linux or Windows","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_update_domain","description":"Update domain the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_fault_domain","description":"Fault domain the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_size","description":"VM size","type":"text","hidden":false,"required":false,"index":false},{"name":"subscription_id","description":"Azure subscription for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"resource_group_name","description":"Resource group for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"placement_group_id","description":"Placement group for the VM scale set","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_scale_set_name","description":"VM scale set name","type":"text","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_tags","description":"Azure instance tags.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"vm_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"The tag key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The tag value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"background_activities_moderator","description":"Background Activities Moderator (BAM) tracks application execution.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"battery","description":"Provides information about the internal battery of a Macbook.","platforms":["darwin"],"columns":[{"name":"manufacturer","description":"The battery manufacturer's name","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacture_date","description":"The date the battery was manufactured UNIX Epoch","type":"integer","hidden":false,"required":false,"index":false},{"name":"model","description":"The battery's model number","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The battery's unique serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"cycle_count","description":"The number of charge/discharge cycles","type":"integer","hidden":false,"required":false,"index":false},{"name":"health","description":"One of the following: \"Good\" describes a well-performing battery, \"Fair\" describes a functional battery with limited capacity, or \"Poor\" describes a battery that's not capable of providing power","type":"text","hidden":false,"required":false,"index":false},{"name":"condition","description":"One of the following: \"Normal\" indicates the condition of the battery is within normal tolerances, \"Service Needed\" indicates that the battery should be checked out by a licensed Mac repair service, \"Permanent Failure\" indicates the battery needs replacement","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"One of the following: \"AC Power\" indicates the battery is connected to an external power source, \"Battery Power\" indicates that the battery is drawing internal power, \"Off Line\" indicates the battery is off-line or no longer connected","type":"text","hidden":false,"required":false,"index":false},{"name":"charging","description":"1 if the battery is currently being charged by a power source. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"charged","description":"1 if the battery is currently completely charged. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"designed_capacity","description":"The battery's designed capacity in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"The battery's actual capacity when it is fully charged in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"current_capacity","description":"The battery's current charged capacity in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"percent_remaining","description":"The percentage of battery remaining before it is drained","type":"integer","hidden":false,"required":false,"index":false},{"name":"amperage","description":"The battery's current amperage in mA","type":"integer","hidden":false,"required":false,"index":false},{"name":"voltage","description":"The battery's current voltage in mV","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes_until_empty","description":"The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes_to_full_charge","description":"The number of minutes until the battery is fully charged. This value is -1 if this time is still being calculated","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"bitlocker_info","description":"Retrieve bitlocker status of the machine.","platforms":["windows"],"columns":[{"name":"device_id","description":"ID of the encrypted drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"Drive letter of the encrypted drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"persistent_volume_id","description":"Persistent ID of the drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"conversion_status","description":"The bitlocker conversion status of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"protection_status","description":"The bitlocker protection status of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"encryption_method","description":"The encryption type of the device.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The FVE metadata version of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"percentage_encrypted","description":"The percentage of the drive that is encrypted.","type":"integer","hidden":false,"required":false,"index":false},{"name":"lock_status","description":"The accessibility status of the drive from Windows.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"block_devices","description":"Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Block device name","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Block device parent name","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Block device vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"Block device model string identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Block device size in blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Block device Universally Unique Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Block device type string","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"Block device label string","type":"text","hidden":false,"required":false,"index":false}]},{"name":"bpf_process_events","description":"Track time/action process executions.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be captured","type":"integer","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Binary path","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","hidden":false,"required":false,"index":false},{"name":"json_cmdline","description":"Command line arguments, in JSON format","type":"text","hidden":true,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"bpf_socket_events","description":"Track network socket opens and closes.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be captured","type":"integer","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"The socket type","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","hidden":false,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"browser_plugins","description":"All C/NPAPI browser plugin details for all users.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the plugin","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Plugin display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Plugin identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Plugin short version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Build SDK used to compile plugin","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Plugin description text","type":"text","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Plugin language-localization","type":"text","hidden":false,"required":false,"index":false},{"name":"native","description":"Plugin requires native execution","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"disabled","description":"Is the plugin disabled. 1 = Disabled","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"carbon_black_info","description":"Returns info about a Carbon Black sensor install.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"sensor_id","description":"Sensor ID of the Carbon Black sensor","type":"integer","hidden":false,"required":false,"index":false},{"name":"config_name","description":"Sensor group","type":"text","hidden":false,"required":false,"index":false},{"name":"collect_store_files","description":"If the sensor is configured to send back binaries to the Carbon Black server","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_module_loads","description":"If the sensor is configured to capture module loads","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_module_info","description":"If the sensor is configured to collect metadata of binaries","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_file_mods","description":"If the sensor is configured to collect file modification events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_reg_mods","description":"If the sensor is configured to collect registry modification events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_net_conns","description":"If the sensor is configured to collect network connections","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_processes","description":"If the sensor is configured to process events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_cross_processes","description":"If the sensor is configured to cross process events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_emet_events","description":"If the sensor is configured to EMET events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_data_file_writes","description":"If the sensor is configured to collect non binary file writes","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_process_user_context","description":"If the sensor is configured to collect the user running a process","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_sensor_operations","description":"Unknown","type":"integer","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_mb","description":"Event file disk quota in MB","type":"integer","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_percentage","description":"Event file disk quota in a percentage","type":"integer","hidden":false,"required":false,"index":false},{"name":"protection_disabled","description":"If the sensor is configured to report tamper events","type":"integer","hidden":false,"required":false,"index":false},{"name":"sensor_ip_addr","description":"IP address of the sensor","type":"text","hidden":false,"required":false,"index":false},{"name":"sensor_backend_server","description":"Carbon Black server","type":"text","hidden":false,"required":false,"index":false},{"name":"event_queue","description":"Size in bytes of Carbon Black event files on disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"binary_queue","description":"Size in bytes of binaries waiting to be sent to Carbon Black server","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"carves","description":"List the set of completed and in-progress carves. If carve=1 then the query is treated as a new carve request.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"time","description":"Time at which the carve was kicked off","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha256","description":"A SHA256 sum of the carved archive","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the carved archive","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the requested carve","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED","type":"text","hidden":false,"required":false,"index":false},{"name":"carve_guid","description":"Identifying value of the carve session","type":"text","hidden":false,"required":false,"index":false},{"name":"request_id","description":"Identifying value of the carve request (e.g., scheduled query name, distributed request, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"carve","description":"Set this value to '1' to start a file carve","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"certificates","description":"Certificate Authorities installed in Keychains/ca-bundles.","platforms":["darwin","windows"],"columns":[{"name":"common_name","description":"Certificate CommonName","type":"text","hidden":false,"required":false,"index":false},{"name":"subject","description":"Certificate distinguished name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer","description":"Certificate issuer distinguished name","type":"text","hidden":false,"required":false,"index":false},{"name":"ca","description":"1 if CA: true (certificate is an authority) else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"self_signed","description":"1 if self-signed, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"not_valid_before","description":"Lower bound of valid date","type":"text","hidden":false,"required":false,"index":false},{"name":"not_valid_after","description":"Certificate expiration data","type":"text","hidden":false,"required":false,"index":false},{"name":"signing_algorithm","description":"Signing algorithm used","type":"text","hidden":false,"required":false,"index":false},{"name":"key_algorithm","description":"Key algorithm used","type":"text","hidden":false,"required":false,"index":false},{"name":"key_strength","description":"Key size used for RSA/DSA, or curve name","type":"text","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Certificate key usage and extended key usage","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_key_id","description":"SKID an optionally included SHA1","type":"text","hidden":false,"required":false,"index":false},{"name":"authority_key_id","description":"AKID an optionally included SHA1","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the raw certificate contents","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Keychain or PEM bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"Certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"sid","description":"SID","type":"text","hidden":true,"required":false,"index":false},{"name":"store_location","description":"Certificate system store location","type":"text","hidden":true,"required":false,"index":false},{"name":"store","description":"Certificate system store","type":"text","hidden":true,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":true,"required":false,"index":false},{"name":"store_id","description":"Exists for service/user stores. Contains raw store id provided by WinAPI.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"chassis_info","description":"Display information pertaining to the chassis and its security status.","platforms":["windows"],"columns":[{"name":"audible_alarm","description":"If TRUE, the frame is equipped with an audible alarm.","type":"text","hidden":false,"required":false,"index":false},{"name":"breach_description","description":"If provided, gives a more detailed description of a detected security breach.","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_types","description":"A comma-separated list of chassis types, such as Desktop or Laptop.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"An extended description of the chassis if available.","type":"text","hidden":false,"required":false,"index":false},{"name":"lock","description":"If TRUE, the frame is equipped with a lock.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"security_breach","description":"The physical status of the chassis such as Breach Successful, Breach Attempted, etc.","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"smbios_tag","description":"The assigned asset tag number of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"sku","description":"The Stock Keeping Unit number if available.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"If available, gives various operational or nonoperational statuses such as OK, Degraded, and Pred Fail.","type":"text","hidden":false,"required":false,"index":false},{"name":"visible_alarm","description":"If TRUE, the frame is equipped with a visual alarm.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"chocolatey_packages","description":"Chocolatey packages installed in a system.","platforms":["windows"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this package resides","type":"text","hidden":false,"required":false,"index":false}]},{"name":"chrome_extension_content_scripts","description":"Chrome browser extension content scripts.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, brave)","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"script","description":"The content script used by the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"match","description":"The pattern that the script is matched against","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile path","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the Preferences file of the profile","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"chrome_extensions","description":"Chrome-based browser extensions.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta)","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"profile","description":"The name of the Chrome profile that contains this extension","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile path","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced_identifier","description":"Extension identifier, as specified by the preferences file. Empty if the extension is not in the profile.","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier, computed from its manifest. Empty in case of error.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Extension-optional description","type":"text","hidden":false,"required":false,"index":false},{"name":"default_locale","description":"Default locale supported by extension","type":"text","hidden":false,"required":false,"index":false},{"name":"current_locale","description":"Current locale supported by extension","type":"text","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","hidden":false,"required":false,"index":false},{"name":"persistent","description":"1 If extension is persistent across all tabs else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"The permissions required by the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions_json","description":"The JSON-encoded permissions required by the extension","type":"text","hidden":true,"required":false,"index":false},{"name":"optional_permissions","description":"The permissions optionally required by the extensions","type":"text","hidden":false,"required":false,"index":false},{"name":"optional_permissions_json","description":"The JSON-encoded permissions optionally required by the extensions","type":"text","hidden":true,"required":false,"index":false},{"name":"manifest_hash","description":"The SHA256 hash of the manifest.json file","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the Preferences file of the profile","type":"bigint","hidden":false,"required":false,"index":false},{"name":"from_webstore","description":"True if this extension was installed from the web store","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"1 if this extension is enabled","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Extension install time, in its original Webkit format","type":"text","hidden":false,"required":false,"index":false},{"name":"install_timestamp","description":"Extension install time, converted to unix time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"manifest_json","description":"The manifest file of the extension","type":"text","hidden":true,"required":false,"index":false},{"name":"key","description":"The extension key, from the manifest file","type":"text","hidden":true,"required":false,"index":false}]},{"name":"connectivity","description":"Provides the overall system's network state.","platforms":["windows"],"columns":[{"name":"disconnected","description":"True if the all interfaces are not connected to any network","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_no_traffic","description":"True if any interface is connected via IPv4, but has seen no traffic","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_no_traffic","description":"True if any interface is connected via IPv6, but has seen no traffic","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_subnet","description":"True if any interface is connected to the local subnet via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_local_network","description":"True if any interface is connected to a routed network via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_internet","description":"True if any interface is connected to the Internet via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_subnet","description":"True if any interface is connected to the local subnet via IPv6","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_local_network","description":"True if any interface is connected to a routed network via IPv6","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_internet","description":"True if any interface is connected to the Internet via IPv6","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"cpu_info","description":"Retrieve cpu hardware info of the machine.","platforms":["windows"],"columns":[{"name":"device_id","description":"The DeviceID of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"processor_type","description":"The processor type, such as Central, Math, or Video.","type":"text","hidden":false,"required":false,"index":false},{"name":"availability","description":"The availability and status of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_status","description":"The current operating status of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"number_of_cores","description":"The number of cores of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"logical_processors","description":"The number of logical processors of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"address_width","description":"The width of the CPU address bus.","type":"text","hidden":false,"required":false,"index":false},{"name":"current_clock_speed","description":"The current frequency of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_clock_speed","description":"The maximum possible frequency of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"socket_designation","description":"The assigned socket on the board for the given CPU.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"cpu_time","description":"Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.","platforms":["darwin","linux"],"columns":[{"name":"core","description":"Name of the cpu (core)","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"Time spent in user mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"nice","description":"Time spent in user mode with low priority (nice)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system","description":"Time spent in system mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"idle","description":"Time spent in the idle task","type":"bigint","hidden":false,"required":false,"index":false},{"name":"iowait","description":"Time spent waiting for I/O to complete","type":"bigint","hidden":false,"required":false,"index":false},{"name":"irq","description":"Time spent servicing interrupts","type":"bigint","hidden":false,"required":false,"index":false},{"name":"softirq","description":"Time spent servicing softirqs","type":"bigint","hidden":false,"required":false,"index":false},{"name":"steal","description":"Time spent in other operating systems when running in a virtualized environment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"guest","description":"Time spent running a virtual CPU for a guest OS under the control of the Linux kernel","type":"bigint","hidden":false,"required":false,"index":false},{"name":"guest_nice","description":"Time spent running a niced guest ","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"cpuid","description":"Useful CPU features from the cpuid ASM call.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"feature","description":"Present feature flags","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Bit value or string","type":"text","hidden":false,"required":false,"index":false},{"name":"output_register","description":"Register used to for feature value","type":"text","hidden":false,"required":false,"index":false},{"name":"output_bit","description":"Bit in register value for feature value","type":"integer","hidden":false,"required":false,"index":false},{"name":"input_eax","description":"Value of EAX used","type":"text","hidden":false,"required":false,"index":false}]},{"name":"crashes","description":"Application, System, and Mobile App crash logs.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of crash log","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Location of log file","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Identifier of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version info of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent PID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"responsible","description":"Process responsible for the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the crashed process","type":"integer","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Date/Time at which the crash occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"crashed_thread","description":"Thread ID which crashed","type":"bigint","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Most recent frame from the stack trace","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_type","description":"Exception type of the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_codes","description":"Exception codes from the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_notes","description":"Exception notes from the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"The value of the system registers","type":"text","hidden":false,"required":false,"index":false}]},{"name":"crontab","description":"Line parsed values from system and user cron/tab.","platforms":["darwin","linux"],"columns":[{"name":"event","description":"The job @event name (rare)","type":"text","hidden":false,"required":false,"index":false},{"name":"minute","description":"The exact minute for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"hour","description":"The hour of the day for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"day_of_month","description":"The day of the month for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"month","description":"The month of the year for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"day_of_week","description":"The day of the week for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"command","description":"Raw command string","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File parsed","type":"text","hidden":false,"required":false,"index":false}]},{"name":"cups_destinations","description":"Returns all configured printers.","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the printer","type":"text","hidden":false,"required":false,"index":false},{"name":"option_name","description":"Option name","type":"text","hidden":false,"required":false,"index":false},{"name":"option_value","description":"Option value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"cups_jobs","description":"Returns all completed print jobs from cups.","platforms":["darwin"],"columns":[{"name":"title","description":"Title of the printed job","type":"text","hidden":false,"required":false,"index":false},{"name":"destination","description":"The printer the job was sent to","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"The user who printed the job","type":"text","hidden":false,"required":false,"index":false},{"name":"format","description":"The format of the print job","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the print job","type":"integer","hidden":false,"required":false,"index":false},{"name":"completed_time","description":"When the job completed printing","type":"integer","hidden":false,"required":false,"index":false},{"name":"processing_time","description":"How long the job took to process","type":"integer","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the print request was initiated","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"curl","description":"Perform an http request and return stats about it.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"url","description":"The url for the request","type":"text","hidden":false,"required":true,"index":false},{"name":"method","description":"The HTTP method for the request","type":"text","hidden":false,"required":false,"index":false},{"name":"user_agent","description":"The user-agent string to use for the request","type":"text","hidden":false,"required":false,"index":false},{"name":"response_code","description":"The HTTP status code for the response","type":"integer","hidden":false,"required":false,"index":false},{"name":"round_trip_time","description":"Time taken to complete the request","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of bytes in the response","type":"bigint","hidden":false,"required":false,"index":false},{"name":"result","description":"The HTTP response body","type":"text","hidden":false,"required":false,"index":false}]},{"name":"curl_certificate","description":"Inspect TLS certificates by connecting to input hostnames.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"hostname","description":"Hostname (domain[:port]) to CURL","type":"text","hidden":false,"required":true,"index":false},{"name":"common_name","description":"Common name of company issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"organization","description":"Organization issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"organization_unit","description":"Organization unit issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_common_name","description":"Issuer common name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_organization","description":"Issuer organization","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_organization_unit","description":"Issuer organization unit","type":"text","hidden":false,"required":false,"index":false},{"name":"valid_from","description":"Period of validity start date","type":"text","hidden":false,"required":false,"index":false},{"name":"valid_to","description":"Period of validity end date","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256_fingerprint","description":"SHA-256 fingerprint","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1_fingerprint","description":"SHA1 fingerprint","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version Number","type":"integer","hidden":false,"required":false,"index":false},{"name":"signature_algorithm","description":"Signature Algorithm","type":"text","hidden":false,"required":false,"index":false},{"name":"signature","description":"Signature","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_key_identifier","description":"Subject Key Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"authority_key_identifier","description":"Authority Key Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Usage of key in certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"extended_key_usage","description":"Extended usage of key in certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"policies","description":"Certificate Policies","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_alternative_names","description":"Subject Alternative Name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_alternative_names","description":"Issuer Alternative Name","type":"text","hidden":false,"required":false,"index":false},{"name":"info_access","description":"Authority Information Access","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_info_access","description":"Subject Information Access","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_mappings","description":"Policy Mappings","type":"text","hidden":false,"required":false,"index":false},{"name":"has_expired","description":"1 if the certificate has expired, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"basic_constraint","description":"Basic Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"name_constraints","description":"Name Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_constraints","description":"Policy Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"dump_certificate","description":"Set this value to '1' to dump certificate","type":"integer","hidden":true,"required":false,"index":false},{"name":"timeout","description":"Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout)","type":"integer","hidden":true,"required":false,"index":false},{"name":"pem","description":"Certificate PEM format","type":"text","hidden":false,"required":false,"index":false}]},{"name":"deb_packages","description":"The installed DEB package database.","platforms":["linux"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Package source","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Package architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"Package revision","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Package status","type":"text","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Package maintainer","type":"text","hidden":false,"required":false,"index":false},{"name":"section","description":"Package section","type":"text","hidden":false,"required":false,"index":false},{"name":"priority","description":"Package priority","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"default_environment","description":"Default environment variables and values.","platforms":["windows"],"columns":[{"name":"variable","description":"Name of the environment variable","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the environment variable","type":"text","hidden":false,"required":false,"index":false},{"name":"expand","description":"1 if the variable needs expanding, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"device_file","description":"Similar to the file table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number","type":"text","hidden":false,"required":true,"index":false},{"name":"path","description":"A logical path within the device node","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Creation time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_firmware","description":"A best-effort list of discovered firmware versions.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of device","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"The device name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Firmware version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_hash","description":"Similar to the hash table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number","type":"text","hidden":false,"required":true,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_partitions","description":"Use TSK to enumerate details about partitions on a disk device.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number or description","type":"integer","hidden":false,"required":false,"index":false},{"name":"label","description":"","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Byte size of each block","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Number of blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Number of meta nodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"disk_encryption","description":"Disk encryption status and information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Disk name","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Disk Universally Unique Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"encrypted","description":"1 If encrypted: true (disk is encrypted), else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Description of cipher type and mode if available","type":"text","hidden":false,"required":false,"index":false},{"name":"encryption_status","description":"Disk encryption status with one of following values: encrypted | not encrypted | undefined","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Currently authenticated user if available","type":"text","hidden":true,"required":false,"index":false},{"name":"user_uuid","description":"UUID of authenticated user if available","type":"text","hidden":true,"required":false,"index":false},{"name":"filevault_status","description":"FileVault status with one of following values: on | off | unknown","type":"text","hidden":true,"required":false,"index":false}]},{"name":"disk_events","description":"Track DMG disk image events (appearance/disappearance) when opened.","platforms":["darwin"],"columns":[{"name":"action","description":"Appear or disappear","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the DMG file accessed","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Disk event name","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Disk event BSD name","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"UUID of the volume inside DMG if available","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of partition in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ejectable","description":"1 if ejectable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"mountable","description":"1 if mountable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"writable","description":"1 if writable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"content","description":"Disk event content","type":"text","hidden":false,"required":false,"index":false},{"name":"media_name","description":"Disk event media name string","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Disk event vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"filesystem","description":"Filesystem if available","type":"text","hidden":false,"required":false,"index":false},{"name":"checksum","description":"UDIF Master checksum if available (CRC32)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of appearance/disappearance in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"disk_info","description":"Retrieve basic information about the physical disks of a system.","platforms":["windows"],"columns":[{"name":"partitions","description":"Number of detected partitions on disk.","type":"integer","hidden":false,"required":false,"index":false},{"name":"disk_index","description":"Physical drive number of the disk.","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"The interface type of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"The unique identifier of the drive on the system.","type":"text","hidden":false,"required":false,"index":false},{"name":"pnp_device_id","description":"The unique identifier of the drive on the system.","type":"text","hidden":false,"required":false,"index":false},{"name":"disk_size","description":"Size of the disk.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hard drive model.","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"The label of the disk object.","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The OS's description of the disk.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"dns_cache","description":"Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.","platforms":["windows"],"columns":[{"name":"name","description":"DNS record name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"DNS record type","type":"text","hidden":false,"required":false,"index":false},{"name":"flags","description":"DNS record flags","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"dns_resolvers","description":"Resolvers used by this host.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Address type index or order","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Address type: sortlist, nameserver, search","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Resolver IP/IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Address (sortlist) netmask length","type":"text","hidden":false,"required":false,"index":false},{"name":"options","description":"Resolver options","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"docker_container_fs_changes","description":"Changes to files or directories on container's filesystem.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"path","description":"FIle or directory path relative to rootfs","type":"text","hidden":false,"required":false,"index":false},{"name":"change_type","description":"Type of change: C:Modified, A:Added, D:Deleted","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_labels","description":"Docker container labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_mounts","description":"Docker container mounts.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of mount (bind, volume)","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Optional mount name","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source path on host","type":"text","hidden":false,"required":false,"index":false},{"name":"destination","description":"Destination path inside container","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver providing the mount","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"Mount options (rw, ro)","type":"text","hidden":false,"required":false,"index":false},{"name":"rw","description":"1 if read/write. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"propagation","description":"Mount propagation","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_networks","description":"Docker container networks.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Network name","type":"text","hidden":false,"required":false,"index":false},{"name":"network_id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"endpoint_id","description":"Endpoint ID","type":"text","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"ip_address","description":"IP address","type":"text","hidden":false,"required":false,"index":false},{"name":"ip_prefix_len","description":"IP subnet prefix length","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_gateway","description":"IPv6 gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_prefix_len","description":"IPv6 subnet prefix length","type":"integer","hidden":false,"required":false,"index":false},{"name":"mac_address","description":"MAC address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_ports","description":"Docker container ports.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Protocol (tcp, udp)","type":"text","hidden":false,"required":false,"index":false},{"name":"port","description":"Port inside the container","type":"integer","hidden":false,"required":false,"index":false},{"name":"host_ip","description":"Host IP address on which public port is listening","type":"text","hidden":false,"required":false,"index":false},{"name":"host_port","description":"Host port","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"docker_container_processes","description":"Docker container processes.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start in seconds since boot (non-sleeping)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"User name","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Cumulative CPU time. [DD-]HH:MM:SS format","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu","description":"CPU utilization as percentage","type":"double","hidden":false,"required":false,"index":false},{"name":"mem","description":"Memory utilization as percentage","type":"double","hidden":false,"required":false,"index":false}]},{"name":"docker_container_stats","description":"Docker container statistics. Queries on this table take at least one second.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"name","description":"Container name","type":"text","hidden":false,"required":false,"index":false},{"name":"pids","description":"Number of processes","type":"integer","hidden":false,"required":false,"index":false},{"name":"read","description":"UNIX time when stats were read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"preread","description":"UNIX time when stats were last read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"interval","description":"Difference between read and preread in nano-seconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_read","description":"Total disk read bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_write","description":"Total disk write bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"num_procs","description":"Number of processors","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_total_usage","description":"Total CPU usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_kernelmode_usage","description":"CPU kernel mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_usermode_usage","description":"CPU user mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_cpu_usage","description":"CPU system usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"online_cpus","description":"Online CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"pre_cpu_total_usage","description":"Last read total CPU usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_cpu_kernelmode_usage","description":"Last read CPU kernel mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_cpu_usermode_usage","description":"Last read CPU user mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_system_cpu_usage","description":"Last read CPU system usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_online_cpus","description":"Last read online CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory_usage","description":"Memory usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_max_usage","description":"Memory maximum usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"Memory limit","type":"bigint","hidden":false,"required":false,"index":false},{"name":"network_rx_bytes","description":"Total network bytes read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"network_tx_bytes","description":"Total network bytes transmitted","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"docker_containers","description":"Docker containers information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Container name","type":"text","hidden":false,"required":false,"index":false},{"name":"image","description":"Docker image (name) used to launch this container","type":"text","hidden":false,"required":false,"index":false},{"name":"image_id","description":"Docker image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"command","description":"Command with arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"state","description":"Container state (created, restarting, running, removing, paused, exited, dead)","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Container status information","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Identifier of the initial process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Container path","type":"text","hidden":false,"required":false,"index":false},{"name":"config_entrypoint","description":"Container entrypoint(s)","type":"text","hidden":false,"required":false,"index":false},{"name":"started_at","description":"Container start time as string","type":"text","hidden":false,"required":false,"index":false},{"name":"finished_at","description":"Container finish time as string","type":"text","hidden":false,"required":false,"index":false},{"name":"privileged","description":"Is the container privileged","type":"integer","hidden":false,"required":false,"index":false},{"name":"security_options","description":"List of container security options","type":"text","hidden":false,"required":false,"index":false},{"name":"env_variables","description":"Container environmental variables","type":"text","hidden":false,"required":false,"index":false},{"name":"readonly_rootfs","description":"Is the root filesystem mounted as read only","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_namespace","description":"cgroup namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"ipc_namespace","description":"IPC namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"mnt_namespace","description":"Mount namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"Network namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_namespace","description":"PID namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"user_namespace","description":"User namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"uts_namespace","description":"UTS namespace","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_image_history","description":"Docker image history information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of instruction in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"created_by","description":"Created by instruction","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of tags","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Instruction comment","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_image_labels","description":"Docker image labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_image_layers","description":"Docker image layers information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"layer_id","description":"Layer ID","type":"text","hidden":false,"required":false,"index":false},{"name":"layer_order","description":"Layer Order (1 = base layer)","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"docker_images","description":"Docker images information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size_bytes","description":"Size of image in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of repository tags","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_info","description":"Docker system information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Docker system ID","type":"text","hidden":false,"required":false,"index":false},{"name":"containers","description":"Total number of containers","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_running","description":"Number of containers currently running","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_paused","description":"Number of containers in paused state","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_stopped","description":"Number of containers in stopped state","type":"integer","hidden":false,"required":false,"index":false},{"name":"images","description":"Number of images","type":"integer","hidden":false,"required":false,"index":false},{"name":"storage_driver","description":"Storage driver","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"1 if memory limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"swap_limit","description":"1 if swap limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"kernel_memory","description":"1 if kernel memory limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_period","description":"1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_quota","description":"1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_shares","description":"1 if CPU share weighting support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_set","description":"1 if CPU set selection support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_forwarding","description":"1 if IPv4 forwarding is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"bridge_nf_iptables","description":"1 if bridge netfilter iptables is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"bridge_nf_ip6tables","description":"1 if bridge netfilter ip6tables is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"oom_kill_disable","description":"1 if Out-of-memory kill is disabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_driver","description":"Logging driver","type":"text","hidden":false,"required":false,"index":false},{"name":"cgroup_driver","description":"Control groups driver","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Operating system type","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"cpus","description":"Number of CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory","description":"Total memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"http_proxy","description":"HTTP proxy","type":"text","hidden":false,"required":false,"index":false},{"name":"https_proxy","description":"HTTPS proxy","type":"text","hidden":false,"required":false,"index":false},{"name":"no_proxy","description":"Comma-separated list of domain extensions proxy should not be used for","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the docker host","type":"text","hidden":false,"required":false,"index":false},{"name":"server_version","description":"Server version","type":"text","hidden":false,"required":false,"index":false},{"name":"root_dir","description":"Docker root directory","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_network_labels","description":"Docker network labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_networks","description":"Docker networks information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Network name","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Network driver","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"enable_ipv6","description":"1 if IPv6 is enabled on this network. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"subnet","description":"Network subnet","type":"text","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Network gateway","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_version","description":"Docker version information.","platforms":["darwin","linux"],"columns":[{"name":"version","description":"Docker version","type":"text","hidden":false,"required":false,"index":false},{"name":"api_version","description":"API version","type":"text","hidden":false,"required":false,"index":false},{"name":"min_api_version","description":"Minimum API version supported","type":"text","hidden":false,"required":false,"index":false},{"name":"git_commit","description":"Docker build git commit","type":"text","hidden":false,"required":false,"index":false},{"name":"go_version","description":"Go version","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"Hardware architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Build time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_volume_labels","description":"Docker volume labels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_volumes","description":"Docker volumes information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Volume driver","type":"text","hidden":false,"required":false,"index":false},{"name":"mount_point","description":"Mount point","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Volume type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"drivers","description":"Details for in-use Windows device drivers. This does not display installed but unused drivers.","platforms":["windows"],"columns":[{"name":"device_id","description":"Device ID","type":"text","hidden":false,"required":false,"index":false},{"name":"device_name","description":"Device name","type":"text","hidden":false,"required":false,"index":false},{"name":"image","description":"Path to driver image file","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Driver description","type":"text","hidden":false,"required":false,"index":false},{"name":"service","description":"Driver service name, if one exists","type":"text","hidden":false,"required":false,"index":false},{"name":"service_key","description":"Driver service registry key","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Driver version","type":"text","hidden":false,"required":false,"index":false},{"name":"inf","description":"Associated inf file","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Device/driver class name","type":"text","hidden":false,"required":false,"index":false},{"name":"provider","description":"Driver provider","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Device manufacturer","type":"text","hidden":false,"required":false,"index":false},{"name":"driver_key","description":"Driver key","type":"text","hidden":false,"required":false,"index":false},{"name":"date","description":"Driver date","type":"bigint","hidden":false,"required":false,"index":false},{"name":"signed","description":"Whether the driver is signed or not","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_metadata","description":"EC2 instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"EC2 instance ID","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_type","description":"EC2 instance type","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture of this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"region","description":"AWS region in which this instance launched","type":"text","hidden":false,"required":false,"index":false},{"name":"availability_zone","description":"Availability zone in which this instance launched","type":"text","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Private IPv4 DNS hostname of the first interface of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"local_ipv4","description":"Private IPv4 address of the first interface of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address for the first network interface of this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"security_groups","description":"Comma separated list of security group names","type":"text","hidden":false,"required":false,"index":false},{"name":"iam_arn","description":"If there is an IAM role associated with the instance, contains instance profile ARN","type":"text","hidden":false,"required":false,"index":false},{"name":"ami_id","description":"AMI ID used to launch this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"reservation_id","description":"ID of the reservation","type":"text","hidden":false,"required":false,"index":false},{"name":"account_id","description":"AWS account ID which owns this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. Only available if supplied at instance launch time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_tags","description":"EC2 instance tag key value pairs.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"EC2 instance ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Tag key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Tag value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"elf_dynamic","description":"ELF dynamic section information.","platforms":["linux"],"columns":[{"name":"tag","description":"Tag ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"Tag value","type":"integer","hidden":false,"required":false,"index":false},{"name":"class","description":"Class (32 or 64)","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_info","description":"ELF file information.","platforms":["linux"],"columns":[{"name":"class","description":"Class type, 32 or 64bit","type":"text","hidden":false,"required":false,"index":false},{"name":"abi","description":"Section type","type":"text","hidden":false,"required":false,"index":false},{"name":"abi_version","description":"Section virtual address in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Offset of section in file","type":"text","hidden":false,"required":false,"index":false},{"name":"machine","description":"Machine type","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Object file version","type":"integer","hidden":false,"required":false,"index":false},{"name":"entry","description":"Entry point address","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"ELF header flags","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_sections","description":"ELF section information.","platforms":["linux"],"columns":[{"name":"name","description":"Section name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Section type","type":"integer","hidden":false,"required":false,"index":false},{"name":"vaddr","description":"Section virtual address in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"offset","description":"Offset of section in file","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of section","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"Section attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"link","description":"Link to other section","type":"text","hidden":false,"required":false,"index":false},{"name":"align","description":"Segment alignment","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_segments","description":"ELF segment information.","platforms":["linux"],"columns":[{"name":"name","description":"Segment type/name","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"Segment offset in file","type":"integer","hidden":false,"required":false,"index":false},{"name":"vaddr","description":"Segment virtual address in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"psize","description":"Size of segment in file","type":"integer","hidden":false,"required":false,"index":false},{"name":"msize","description":"Segment offset in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"Segment attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"align","description":"Segment alignment","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_symbols","description":"ELF symbol list.","platforms":["linux"],"columns":[{"name":"name","description":"Symbol name","type":"text","hidden":false,"required":false,"index":false},{"name":"addr","description":"Symbol address (value)","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of object","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Symbol type","type":"text","hidden":false,"required":false,"index":false},{"name":"binding","description":"Binding type","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"Section table index","type":"integer","hidden":false,"required":false,"index":false},{"name":"table","description":"Table name containing symbol","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"es_process_events","description":"Process execution events from EndpointSecurity.","platforms":["darwin"],"columns":[{"name":"version","description":"Version of EndpointSecurity event","type":"integer","hidden":false,"required":false,"index":false},{"name":"seq_num","description":"Per event sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"global_seq_num","description":"Global sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"original_parent","description":"Original parent process ID in case of reparenting","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline_count","description":"Number of command line arguments","type":"bigint","hidden":false,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by spaces","type":"text","hidden":false,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective User ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective Group ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false},{"name":"signing_id","description":"Signature identifier of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"team_id","description":"Team identifier of thd process","type":"text","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Codesigning hash of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_binary","description":"Indicates if the binary is Apple signed binary (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of a process in case of an exit event","type":"integer","hidden":false,"required":false,"index":false},{"name":"child_pid","description":"Process ID of a child process in case of a fork event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"event_type","description":"Type of EndpointSecurity event","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"etc_hosts","description":"Line-parsed /etc/hosts.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"address","description":"IP address mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"hostnames","description":"Raw hosts mapping","type":"text","hidden":false,"required":false,"index":false}]},{"name":"etc_protocols","description":"Line-parsed /etc/protocols.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Protocol name","type":"text","hidden":false,"required":false,"index":false},{"name":"number","description":"Protocol number","type":"integer","hidden":false,"required":false,"index":false},{"name":"alias","description":"Protocol alias","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Comment with protocol description","type":"text","hidden":false,"required":false,"index":false}]},{"name":"etc_services","description":"Line-parsed /etc/services.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Service name","type":"text","hidden":false,"required":false,"index":false},{"name":"port","description":"Service port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"text","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Optional space separated list of other names for a service","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional comment for a service.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"event_taps","description":"Returns information about installed event taps.","platforms":["darwin"],"columns":[{"name":"enabled","description":"Is the Event Tap enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"event_tap_id","description":"Unique ID for the Tap","type":"integer","hidden":false,"required":false,"index":false},{"name":"event_tapped","description":"The mask that identifies the set of events to be observed.","type":"text","hidden":false,"required":false,"index":false},{"name":"process_being_tapped","description":"The process ID of the target application","type":"integer","hidden":false,"required":false,"index":false},{"name":"tapping_process","description":"The process ID of the application that created the event tap.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"example","description":"This is an example table spec.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Description for name column","type":"text","hidden":false,"required":false,"index":false},{"name":"points","description":"This is a signed SQLite int column","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"This is a signed SQLite bigint column","type":"bigint","hidden":false,"required":false,"index":false},{"name":"action","description":"Action performed in generation","type":"text","hidden":false,"required":true,"index":false},{"name":"id","description":"An index of some sort","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of example","type":"text","hidden":false,"required":false,"index":false}]},{"name":"extended_attributes","description":"Returns the extended attributes for files (similar to Windows ADS).","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute file path","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Directory of file(s)","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the value generated from the extended attribute","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The parsed information from the attribute","type":"text","hidden":false,"required":false,"index":false},{"name":"base64","description":"1 if the value is base64 encoded else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"fan_speed_sensors","description":"Fan speeds.","platforms":["darwin"],"columns":[{"name":"fan","description":"Fan number","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Fan name","type":"text","hidden":false,"required":false,"index":false},{"name":"actual","description":"Actual speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimum speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"target","description":"Target speed","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"fbsd_kmods","description":"Loaded FreeBSD kernel modules.","platforms":["freebsd"],"columns":[{"name":"name","description":"Module name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of module content","type":"integer","hidden":false,"required":false,"index":false},{"name":"refs","description":"Module reverse dependencies","type":"integer","hidden":false,"required":false,"index":false},{"name":"address","description":"Kernel module address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"file","description":"Interactive filesystem attributes and metadata.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"path","description":"Absolute file path","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Directory of file(s)","type":"text","hidden":false,"required":true,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Device ID (optional)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"btime","description":"(B)irth or (cr)eate time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","hidden":false,"required":false,"index":false},{"name":"symlink","description":"1 if the path is a symlink, otherwise 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","hidden":false,"required":false,"index":false},{"name":"attributes","description":"File attrib string. See: https://ss64.com/nt/attrib.html","type":"text","hidden":true,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number","type":"text","hidden":true,"required":false,"index":false},{"name":"file_id","description":"file ID","type":"text","hidden":true,"required":false,"index":false},{"name":"file_version","description":"File version","type":"text","hidden":true,"required":false,"index":false},{"name":"product_version","description":"File product version","type":"text","hidden":true,"required":false,"index":false},{"name":"bsd_flags","description":"The BSD file flags (chflags). Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND","type":"text","hidden":true,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"file_events","description":"Track time/action changes to files specified in configuration data.","platforms":["darwin","linux"],"columns":[{"name":"target_path","description":"The path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file defined in the config","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"md5","description":"The MD5 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"The SHA1 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"The SHA256 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"hashed","description":"1 if the file was hashed, 0 if not, -1 if hashing failed","type":"integer","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"firefox_addons","description":"Firefox browser extensions, webapps, and addons.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local user that owns the addon","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Addon display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Addon identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"creator","description":"Addon-supported creator string","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Extension, addon, webapp","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Addon-supplied version string","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Addon-supplied description string","type":"text","hidden":false,"required":false,"index":false},{"name":"source_url","description":"URL that installed the addon","type":"text","hidden":false,"required":false,"index":false},{"name":"visible","description":"1 If the addon is shown in browser else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If the addon is active else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 If the addon is application-disabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"1 If the addon applies background updates else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"native","description":"1 If the addon includes binary components else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"location","description":"Global, profile location","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper","description":"OS X Gatekeeper Details.","platforms":["darwin"],"columns":[{"name":"assessments_enabled","description":"1 If a Gatekeeper is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"dev_id_enabled","description":"1 If a Gatekeeper allows execution from identified developers else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of Gatekeeper's gke.bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"opaque_version","description":"Version of Gatekeeper's gkopaque.bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper_approved_apps","description":"Gatekeeper apps a user has allowed to run.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of executable allowed to run","type":"text","hidden":false,"required":false,"index":false},{"name":"requirement","description":"Code signing requirement language","type":"text","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last change time","type":"double","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"double","hidden":false,"required":false,"index":false}]},{"name":"groups","description":"Local system groups.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"gid","description":"Unsigned int64 group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"A signed int64 version of gid","type":"bigint","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Canonical local group name","type":"text","hidden":false,"required":false,"index":false},{"name":"group_sid","description":"Unique group ID","type":"text","hidden":true,"required":false,"index":false},{"name":"comment","description":"Remarks or comments associated with the group","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"hardware_events","description":"Hardware (PCI/USB/HID) events from UDEV or IOKit.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"Remove, insert, change properties, etc","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Local device path assigned (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of hardware and hardware event","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver claiming the device","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Hardware device vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded Hardware vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"Hardware device model","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded Hardware model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"Device serial (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"Device revision (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of hardware event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"hash","description":"Filesystem hash data.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"ssdeep","description":"ssdeep hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"homebrew_packages","description":"The installed homebrew package database.","platforms":["darwin"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Package install path","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Current 'linked' version","type":"text","hidden":false,"required":false,"index":false},{"name":"prefix","description":"Homebrew install prefix","type":"text","hidden":true,"required":false,"index":false}]},{"name":"hvci_status","description":"Retrieve HVCI info of the machine.","platforms":["windows"],"columns":[{"name":"version","description":"The version number of the Device Guard build.","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_identifier","description":"The instance ID of Device Guard.","type":"text","hidden":false,"required":false,"index":false},{"name":"vbs_status","description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false},{"name":"code_integrity_policy_enforcement_status","description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false},{"name":"umci_policy_status","description":"The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ibridge_info","description":"Information about the Apple iBridge hardware controller.","platforms":["darwin"],"columns":[{"name":"boot_uuid","description":"Boot UUID of the iBridge controller","type":"text","hidden":false,"required":false,"index":false},{"name":"coprocessor_version","description":"The manufacturer and chip version","type":"text","hidden":false,"required":false,"index":false},{"name":"firmware_version","description":"The build version of the firmware","type":"text","hidden":false,"required":false,"index":false},{"name":"unique_chip_id","description":"Unique id of the iBridge controller","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ie_extensions","description":"Internet Explorer browser extensions.","platforms":["windows"],"columns":[{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"registry_path","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the executable","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executable","type":"text","hidden":false,"required":false,"index":false}]},{"name":"intel_me_info","description":"Intel ME/CSE Info.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"version","description":"Intel ME version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"interface_addresses","description":"Network interfaces and relevant metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for interface","type":"text","hidden":false,"required":false,"index":false},{"name":"mask","description":"Interface netmask","type":"text","hidden":false,"required":false,"index":false},{"name":"broadcast","description":"Broadcast address for the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"point_to_point","description":"PtP address for the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of address. One of dhcp, manual, auto, other, unknown","type":"text","hidden":false,"required":false,"index":false},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"interface_details","description":"Detailed information and stats of network interfaces.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC of interface (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Interface type (includes virtual)","type":"integer","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Network MTU","type":"integer","hidden":false,"required":false,"index":false},{"name":"metric","description":"Metric based on the speed of the interface","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags (netdevice) for the device","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipackets","description":"Input packets","type":"bigint","hidden":false,"required":false,"index":false},{"name":"opackets","description":"Output packets","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ibytes","description":"Input bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"obytes","description":"Output bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ierrors","description":"Input errors","type":"bigint","hidden":false,"required":false,"index":false},{"name":"oerrors","description":"Output errors","type":"bigint","hidden":false,"required":false,"index":false},{"name":"idrops","description":"Input drops","type":"bigint","hidden":false,"required":false,"index":false},{"name":"odrops","description":"Output drops","type":"bigint","hidden":false,"required":false,"index":false},{"name":"collisions","description":"Packet Collisions detected","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Time of last device modification (optional)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"link_speed","description":"Interface speed in Mb/s","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pci_slot","description":"PCI slot number","type":"text","hidden":false,"required":false,"index":false},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","hidden":true,"required":false,"index":false},{"name":"description","description":"Short description of the object a one-line string.","type":"text","hidden":true,"required":false,"index":false},{"name":"manufacturer","description":"Name of the network adapter's manufacturer.","type":"text","hidden":true,"required":false,"index":false},{"name":"connection_id","description":"Name of the network connection as it appears in the Network Connections Control Panel program.","type":"text","hidden":true,"required":false,"index":false},{"name":"connection_status","description":"State of the network adapter connection to the network.","type":"text","hidden":true,"required":false,"index":false},{"name":"enabled","description":"Indicates whether the adapter is enabled or not.","type":"integer","hidden":true,"required":false,"index":false},{"name":"physical_adapter","description":"Indicates whether the adapter is a physical or a logical adapter.","type":"integer","hidden":true,"required":false,"index":false},{"name":"speed","description":"Estimate of the current bandwidth in bits per second.","type":"integer","hidden":true,"required":false,"index":false},{"name":"service","description":"The name of the service the network adapter uses.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_enabled","description":"If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.","type":"integer","hidden":true,"required":false,"index":false},{"name":"dhcp_lease_expires","description":"Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_lease_obtained","description":"Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_server","description":"IP address of the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_domain","description":"Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_domain_suffix_search_order","description":"Array of DNS domain suffixes to be appended to the end of host names during name resolution.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_host_name","description":"Host name used to identify the local computer for authentication by some utilities.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_server_search_order","description":"Array of server IP addresses to be used in querying for DNS servers.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"interface_ipv6","description":"IPv6 configuration and stats of network interfaces.","platforms":["darwin","linux"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"hop_limit","description":"Current Hop Limit","type":"integer","hidden":false,"required":false,"index":false},{"name":"forwarding_enabled","description":"Enable IP forwarding","type":"integer","hidden":false,"required":false,"index":false},{"name":"redirect_accept","description":"Accept ICMP redirect messages","type":"integer","hidden":false,"required":false,"index":false},{"name":"rtadv_accept","description":"Accept ICMP Router Advertisement","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iokit_devicetree","description":"The IOKit registry matching the DeviceTree plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Device node name","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent device registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"device_path","description":"Device tree path","type":"text","hidden":false,"required":false,"index":false},{"name":"service","description":"1 if the device conforms to IOService else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the device is in a busy state else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The device reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"depth","description":"Device nested depth","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iokit_registry","description":"The full IOKit registry without selecting a plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Default name of the node","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the node is in a busy state else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The node reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"depth","description":"Node nested depth","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iptables","description":"Linux IP packet filtering and NAT tool.","platforms":["linux"],"columns":[{"name":"filter_name","description":"Packet matching filter table name.","type":"text","hidden":false,"required":false,"index":false},{"name":"chain","description":"Size of module content.","type":"text","hidden":false,"required":false,"index":false},{"name":"policy","description":"Policy that applies for this rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"target","description":"Target that applies for this rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Protocol number identification.","type":"integer","hidden":false,"required":false,"index":false},{"name":"src_port","description":"Protocol source port(s).","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_port","description":"Protocol destination port(s).","type":"text","hidden":false,"required":false,"index":false},{"name":"src_ip","description":"Source IP address.","type":"text","hidden":false,"required":false,"index":false},{"name":"src_mask","description":"Source IP address mask.","type":"text","hidden":false,"required":false,"index":false},{"name":"iniface","description":"Input interface for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"iniface_mask","description":"Input interface mask for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_ip","description":"Destination IP address.","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_mask","description":"Destination IP address mask.","type":"text","hidden":false,"required":false,"index":false},{"name":"outiface","description":"Output interface for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"outiface_mask","description":"Output interface mask for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"match","description":"Matching rule that applies.","type":"text","hidden":false,"required":false,"index":false},{"name":"packets","description":"Number of matching packets for this rule.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of matching bytes for this rule.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"kernel_extensions","description":"OS X's kernel extensions, both loaded and within the load search path.","platforms":["darwin"],"columns":[{"name":"idx","description":"Extension load tag or index","type":"integer","hidden":false,"required":false,"index":false},{"name":"refs","description":"Reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Bytes of wired memory used by extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension label","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension version","type":"text","hidden":false,"required":false,"index":false},{"name":"linked_against","description":"Indexes of extensions this extension is linked against","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Optional path to extension bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_info","description":"Basic active kernel information.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"arguments","description":"Kernel arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Kernel path","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Kernel device identifier","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_modules","description":"Linux kernel modules both loaded and within the load search path.","platforms":["linux"],"columns":[{"name":"name","description":"Module name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of module content","type":"bigint","hidden":false,"required":false,"index":false},{"name":"used_by","description":"Module reverse dependencies","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Kernel module status","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Kernel module address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_panics","description":"System kernel panic logs.","platforms":["darwin"],"columns":[{"name":"path","description":"Location of log file","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Formatted time of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"A space delimited line of register:value pairs","type":"text","hidden":false,"required":false,"index":false},{"name":"frame_backtrace","description":"Backtrace of the crashed module","type":"text","hidden":false,"required":false,"index":false},{"name":"module_backtrace","description":"Modules appearing in the crashed module's backtrace","type":"text","hidden":false,"required":false,"index":false},{"name":"dependencies","description":"Module dependencies existing in crashed module's backtrace","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name corresponding to crashed thread","type":"text","hidden":false,"required":false,"index":false},{"name":"os_version","description":"Version of the operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Version of the system kernel","type":"text","hidden":false,"required":false,"index":false},{"name":"system_model","description":"Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)'","type":"text","hidden":false,"required":false,"index":false},{"name":"uptime","description":"System uptime at kernel panic in nanoseconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_loaded","description":"Last loaded module before panic","type":"text","hidden":false,"required":false,"index":false},{"name":"last_unloaded","description":"Last unloaded module before panic","type":"text","hidden":false,"required":false,"index":false}]},{"name":"keychain_acls","description":"Applications that have ACL entries in the keychain.","platforms":["darwin"],"columns":[{"name":"keychain_path","description":"The path of the keychain","type":"text","hidden":false,"required":false,"index":false},{"name":"authorizations","description":"A space delimited set of authorization attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the authorized application","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The description included with the ACL entry","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"An optional label tag that may be included with the keychain entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"keychain_items","description":"Generic details about keychain items.","platforms":["darwin"],"columns":[{"name":"label","description":"Generic item name","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional item description","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional keychain comment","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Data item was created","type":"text","hidden":false,"required":false,"index":false},{"name":"modified","description":"Date of last modification","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Keychain item type (class)","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to keychain containing item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"known_hosts","description":"A line-delimited known_hosts table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local user that owns the known_hosts file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"key","description":"parsed authorized keys line","type":"text","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to known_hosts file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kva_speculative_info","description":"Display kernel virtual address and speculative execution information for the system.","platforms":["windows"],"columns":[{"name":"kva_shadow_enabled","description":"Kernel Virtual Address shadowing is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_user_global","description":"User pages are marked as global.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_pcid","description":"Kernel VA PCID flushing optimization is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_inv_pcid","description":"Kernel VA INVPCID is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_mitigations","description":"Branch Prediction mitigations are enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_system_pol_disabled","description":"Branch Predictions are disabled via system policy.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_microcode_disabled","description":"Branch Predictions are disabled due to lack of microcode update.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_spec_ctrl_supported","description":"SPEC_CTRL MSR supported by CPU Microcode.","type":"integer","hidden":false,"required":false,"index":false},{"name":"ibrs_support_enabled","description":"Windows uses IBRS.","type":"integer","hidden":false,"required":false,"index":false},{"name":"stibp_support_enabled","description":"Windows uses STIBP.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_pred_cmd_supported","description":"PRED_CMD MSR supported by CPU Microcode.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"last","description":"System logins and logouts.","platforms":["darwin","linux"],"columns":[{"name":"username","description":"Entry username","type":"text","hidden":false,"required":false,"index":false},{"name":"tty","description":"Entry terminal","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Entry type, according to ut_type types (utmp.h)","type":"integer","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp","type":"integer","hidden":false,"required":false,"index":false},{"name":"host","description":"Entry hostname","type":"text","hidden":false,"required":false,"index":false}]},{"name":"launchd","description":"LaunchAgents and LaunchDaemons from default search paths.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to daemon or agent plist","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"File name of plist (used by launchd)","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"Daemon or agent service name","type":"text","hidden":false,"required":false,"index":false},{"name":"program","description":"Path to target program","type":"text","hidden":false,"required":false,"index":false},{"name":"run_at_load","description":"Should the program run on launch load","type":"text","hidden":false,"required":false,"index":false},{"name":"keep_alive","description":"Should the process be restarted if killed","type":"text","hidden":false,"required":false,"index":false},{"name":"on_demand","description":"Deprecated key, replaced by keep_alive","type":"text","hidden":false,"required":false,"index":false},{"name":"disabled","description":"Skip loading this daemon or agent on boot","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Run this daemon or agent as this username","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Run this daemon or agent as this group","type":"text","hidden":false,"required":false,"index":false},{"name":"stdout_path","description":"Pipe stdout to a target path","type":"text","hidden":false,"required":false,"index":false},{"name":"stderr_path","description":"Pipe stderr to a target path","type":"text","hidden":false,"required":false,"index":false},{"name":"start_interval","description":"Frequency to run in seconds","type":"text","hidden":false,"required":false,"index":false},{"name":"program_arguments","description":"Command line arguments passed to program","type":"text","hidden":false,"required":false,"index":false},{"name":"watch_paths","description":"Key that launches daemon or agent if path is modified","type":"text","hidden":false,"required":false,"index":false},{"name":"queue_directories","description":"Similar to watch_paths but only with non-empty directories","type":"text","hidden":false,"required":false,"index":false},{"name":"inetd_compatibility","description":"Run this daemon or agent as it was launched from inetd","type":"text","hidden":false,"required":false,"index":false},{"name":"start_on_mount","description":"Run daemon or agent every time a filesystem is mounted","type":"text","hidden":false,"required":false,"index":false},{"name":"root_directory","description":"Key used to specify a directory to chroot to before launch","type":"text","hidden":false,"required":false,"index":false},{"name":"working_directory","description":"Key used to specify a directory to chdir to before launch","type":"text","hidden":false,"required":false,"index":false},{"name":"process_type","description":"Key describes the intended purpose of the job","type":"text","hidden":false,"required":false,"index":false}]},{"name":"launchd_overrides","description":"Override keys, per user, for LaunchDaemons and Agents.","platforms":["darwin"],"columns":[{"name":"label","description":"Daemon or agent service name","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Name of the override key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Overridden value","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID applied to the override, 0 applies to all","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to daemon or agent plist","type":"text","hidden":false,"required":false,"index":false}]},{"name":"listening_ports","description":"Processes with listening (bound) network sockets/ports.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"port","description":"Transport layer port","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"integer","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, IPv6)","type":"integer","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for bind","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"Socket file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path for UNIX domain sockets","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lldp_neighbors","description":"LLDP neighbors of interfaces.","platforms":["linux"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"rid","description":"Neighbor chassis index","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_id_type","description":"Neighbor chassis ID type","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_id","description":"Neighbor chassis ID value","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_sysname","description":"CPU brand string, contains vendor and model","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_sys_description","description":"Max number of CPU physical cores","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_bridge_capability_available","description":"Chassis bridge capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_bridge_capability_enabled","description":"Is chassis bridge capability enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_router_capability_available","description":"Chassis router capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_router_capability_enabled","description":"Chassis router capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_repeater_capability_available","description":"Chassis repeater capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_repeater_capability_enabled","description":"Chassis repeater capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_wlan_capability_available","description":"Chassis wlan capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_wlan_capability_enabled","description":"Chassis wlan capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_tel_capability_available","description":"Chassis telephone capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_tel_capability_enabled","description":"Chassis telephone capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_docsis_capability_available","description":"Chassis DOCSIS capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_docsis_capability_enabled","description":"Chassis DOCSIS capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_station_capability_available","description":"Chassis station capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_station_capability_enabled","description":"Chassis station capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_other_capability_available","description":"Chassis other capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_other_capability_enabled","description":"Chassis other capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_mgmt_ips","description":"Comma delimited list of chassis management IPS","type":"text","hidden":false,"required":false,"index":false},{"name":"port_id_type","description":"Port ID type","type":"text","hidden":false,"required":false,"index":false},{"name":"port_id","description":"Port ID value","type":"text","hidden":false,"required":false,"index":false},{"name":"port_description","description":"Port description","type":"text","hidden":false,"required":false,"index":false},{"name":"port_ttl","description":"Age of neighbor port","type":"bigint","hidden":false,"required":false,"index":false},{"name":"port_mfs","description":"Port max frame size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"port_aggregation_id","description":"Port aggregation ID","type":"text","hidden":false,"required":false,"index":false},{"name":"port_autoneg_supported","description":"Auto negotiation supported","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_enabled","description":"Is auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_mau_type","description":"MAU type","type":"text","hidden":false,"required":false,"index":false},{"name":"port_autoneg_10baset_hd_enabled","description":"10Base-T HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_10baset_fd_enabled","description":"10Base-T FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100basetx_hd_enabled","description":"100Base-TX HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100basetx_fd_enabled","description":"100Base-TX FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset2_hd_enabled","description":"100Base-T2 HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset2_fd_enabled","description":"100Base-T2 FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset4_hd_enabled","description":"100Base-T4 HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset4_fd_enabled","description":"100Base-T4 FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000basex_hd_enabled","description":"1000Base-X HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000basex_fd_enabled","description":"1000Base-X FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000baset_hd_enabled","description":"1000Base-T HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000baset_fd_enabled","description":"1000Base-T FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_device_type","description":"Dot3 power device type","type":"text","hidden":false,"required":false,"index":false},{"name":"power_mdi_supported","description":"MDI power supported","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_mdi_enabled","description":"Is MDI power enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_paircontrol_enabled","description":"Is power pair control enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_pairs","description":"Dot3 power pairs","type":"text","hidden":false,"required":false,"index":false},{"name":"power_class","description":"Power class","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_enabled","description":"Is 802.3at enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_type","description":"802.3at power type","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_source","description":"802.3at power source","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_priority","description":"802.3at power priority","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_allocated","description":"802.3at power allocated","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_requested","description":"802.3at power requested","type":"text","hidden":false,"required":false,"index":false},{"name":"med_device_type","description":"Chassis MED type","type":"text","hidden":false,"required":false,"index":false},{"name":"med_capability_capabilities","description":"Is MED capabilities enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_policy","description":"Is MED policy capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_location","description":"Is MED location capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_mdi_pse","description":"Is MED MDI PSE capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_mdi_pd","description":"Is MED MDI PD capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_inventory","description":"Is MED inventory capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_policies","description":"Comma delimited list of MED policies","type":"text","hidden":false,"required":false,"index":false},{"name":"vlans","description":"Comma delimited list of vlan ids","type":"text","hidden":false,"required":false,"index":false},{"name":"pvid","description":"Primary VLAN id","type":"text","hidden":false,"required":false,"index":false},{"name":"ppvids_supported","description":"Comma delimited list of supported PPVIDs","type":"text","hidden":false,"required":false,"index":false},{"name":"ppvids_enabled","description":"Comma delimited list of enabled PPVIDs","type":"text","hidden":false,"required":false,"index":false},{"name":"pids","description":"Comma delimited list of PIDs","type":"text","hidden":false,"required":false,"index":false}]},{"name":"load_average","description":"Displays information about the system wide load averages.","platforms":["darwin","linux"],"columns":[{"name":"period","description":"Period over which the average is calculated.","type":"text","hidden":false,"required":false,"index":false},{"name":"average","description":"Load average over the specified period.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"location_services","description":"Reports the status of the Location Services feature of the OS.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 if Location Services are enabled, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"logged_in_users","description":"Users with an active shell on the system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"type","description":"Login type","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"User login name","type":"text","hidden":false,"required":false,"index":false},{"name":"tty","description":"Device name","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"Remote hostname","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time entry was made","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"sid","description":"The user's unique security identifier","type":"text","hidden":true,"required":false,"index":false},{"name":"registry_hive","description":"HKEY_USERS registry hive","type":"text","hidden":true,"required":false,"index":false}]},{"name":"logical_drives","description":"Details for logical drives on the system. A logical drive generally represents a single partition.","platforms":["windows"],"columns":[{"name":"device_id","description":"The drive id, usually the drive name, e.g., 'C:'.","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Deprecated (always 'Unknown').","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The canonical description of the drive, e.g. 'Logical Fixed Disk', 'CD-ROM Disk'.","type":"text","hidden":false,"required":false,"index":false},{"name":"free_space","description":"The amount of free space, in bytes, of the drive (-1 on failure).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"The total amount of space, in bytes, of the drive (-1 on failure).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"file_system","description":"The file system of the drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"boot_partition","description":"True if Windows booted from this drive.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"logon_sessions","description":"Windows Logon Session.","platforms":["windows"],"columns":[{"name":"logon_id","description":"A locally unique identifier (LUID) that identifies a logon session.","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"The account name of the security principal that owns the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_domain","description":"The name of the domain used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"authentication_package","description":"The authentication package used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_type","description":"The logon method.","type":"text","hidden":false,"required":false,"index":false},{"name":"session_id","description":"The Terminal Services session identifier.","type":"integer","hidden":false,"required":false,"index":false},{"name":"logon_sid","description":"The user's security identifier (SID).","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_time","description":"The time the session owner logged on.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"logon_server","description":"The name of the server used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"dns_domain_name","description":"The DNS name for the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"upn","description":"The user principal name (UPN) for the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_script","description":"The script used for logging on.","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The home directory for the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"home_directory","description":"The home directory for the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"home_directory_drive","description":"The drive location of the home directory of the logon session.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_certificates","description":"LXD certificates information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Name of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"fingerprint","description":"SHA256 hash of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"certificate","description":"Certificate content","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster","description":"LXD cluster information.","platforms":["darwin","linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether clustering enabled (1) or not (0) on this node","type":"integer","hidden":false,"required":false,"index":false},{"name":"member_config_entity","description":"Type of configuration parameter for this node","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_name","description":"Name of configuration parameter","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_key","description":"Config key","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_value","description":"Config value","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_description","description":"Config description","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster_members","description":"LXD cluster members information.","platforms":["darwin","linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","hidden":false,"required":false,"index":false},{"name":"url","description":"URL of the node","type":"text","hidden":false,"required":false,"index":false},{"name":"database","description":"Whether the server is a database node (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the node (Online/Offline)","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the node (Online/Offline)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_images","description":"LXD images information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Target architecture for the image","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"OS on which image is based","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"OS release version on which the image is based","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Image description","type":"text","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Comma-separated list of image aliases","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Filename of the image file","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of image in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auto_update","description":"Whether the image auto-updates (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"cached","description":"Whether image is cached (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"public","description":"Whether image is public (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of image creation","type":"text","hidden":false,"required":false,"index":false},{"name":"expires_at","description":"ISO time of image expiration","type":"text","hidden":false,"required":false,"index":false},{"name":"uploaded_at","description":"ISO time of image upload","type":"text","hidden":false,"required":false,"index":false},{"name":"last_used_at","description":"ISO time for the most recent use of this image in terms of container spawn","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_server","description":"Server for image update","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_protocol","description":"Protocol used for image information update and image import from source server","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_certificate","description":"Certificate for update source server","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_alias","description":"Alias of image at update source server","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_config","description":"LXD instance configuration information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Configuration parameter name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Configuration parameter value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_devices","description":"LXD instance devices information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":true,"index":false},{"name":"device","description":"Name of the device","type":"text","hidden":false,"required":false,"index":false},{"name":"device_type","description":"Device type","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Device info param name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Device info param value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instances","description":"LXD instances information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Instance state (running, stopped, etc.)","type":"text","hidden":false,"required":false,"index":false},{"name":"stateful","description":"Whether the instance is stateful(1) or not(0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"ephemeral","description":"Whether the instance is ephemeral(1) or not(0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of creation","type":"text","hidden":false,"required":false,"index":false},{"name":"base_image","description":"ID of image used to launch this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Instance architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"The OS of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Instance description","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Instance's process ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"processes","description":"Number of processes running inside this instance","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"lxd_networks","description":"LXD network information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of network","type":"text","hidden":false,"required":false,"index":false},{"name":"managed","description":"1 if network created by LXD, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_address","description":"IPv4 address","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"used_by","description":"URLs for containers using this network","type":"text","hidden":false,"required":false,"index":false},{"name":"bytes_received","description":"Number of bytes received on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bytes_sent","description":"Number of bytes sent on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"packets_received","description":"Number of packets received on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"packets_sent","description":"Number of packets sent on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hwaddr","description":"Hardware address for this network","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Network status","type":"text","hidden":false,"required":false,"index":false},{"name":"mtu","description":"MTU size","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"lxd_storage_pools","description":"LXD storage pool information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Name of the storage pool","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Storage driver","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Storage pool source","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the storage pool","type":"text","hidden":false,"required":false,"index":false},{"name":"space_used","description":"Storage space used in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"space_total","description":"Total available storage space in bytes for this storage pool","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_used","description":"Number of inodes used","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_total","description":"Total number of inodes available in this storage pool","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"magic","description":"Magic number recognition library table.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute path to target file","type":"text","hidden":false,"required":true,"index":false},{"name":"magic_db_files","description":"Colon(:) separated list of files where the magic db file can be found. By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Magic number data from libmagic","type":"text","hidden":false,"required":false,"index":false},{"name":"mime_type","description":"MIME type data from libmagic","type":"text","hidden":false,"required":false,"index":false},{"name":"mime_encoding","description":"MIME encoding data from libmagic","type":"text","hidden":false,"required":false,"index":false}]},{"name":"managed_policies","description":"The managed configuration policies from AD, MDM, MCX, etc.","platforms":["darwin"],"columns":[{"name":"domain","description":"System or manager-chosen domain key","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Optional UUID assigned to policy set","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Policy key name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Policy value","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Policy applies only this user","type":"text","hidden":false,"required":false,"index":false},{"name":"manual","description":"1 if policy was loaded manually, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"md_devices","description":"Software RAID array settings.","platforms":["linux"],"columns":[{"name":"device_name","description":"md device name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Current state of the array","type":"text","hidden":false,"required":false,"index":false},{"name":"raid_level","description":"Current raid level of the array","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"size of the array in blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"chunk_size","description":"chunk size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"raid_disks","description":"Number of configured RAID disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"nr_raid_disks","description":"Number of partitions or disk devices to comprise the array","type":"integer","hidden":false,"required":false,"index":false},{"name":"working_disks","description":"Number of working disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"active_disks","description":"Number of active disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"failed_disks","description":"Number of failed disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"spare_disks","description":"Number of idle disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"superblock_state","description":"State of the superblock","type":"text","hidden":false,"required":false,"index":false},{"name":"superblock_version","description":"Version of the superblock","type":"text","hidden":false,"required":false,"index":false},{"name":"superblock_update_time","description":"Unix timestamp of last update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bitmap_on_mem","description":"Pages allocated in in-memory bitmap, if enabled","type":"text","hidden":false,"required":false,"index":false},{"name":"bitmap_chunk_size","description":"Bitmap chunk size","type":"text","hidden":false,"required":false,"index":false},{"name":"bitmap_external_file","description":"External referenced bitmap file","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_progress","description":"Progress of the recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_finish","description":"Estimated duration of recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_speed","description":"Speed of recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_progress","description":"Progress of the resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_finish","description":"Estimated duration of resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_speed","description":"Speed of resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_progress","description":"Progress of the reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_finish","description":"Estimated duration of reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_speed","description":"Speed of reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_progress","description":"Progress of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_finish","description":"Estimated duration of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_speed","description":"Speed of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"unused_devices","description":"Unused devices","type":"text","hidden":false,"required":false,"index":false},{"name":"other","description":"Other information associated with array from /proc/mdstat","type":"text","hidden":false,"required":false,"index":false}]},{"name":"md_drives","description":"Drive devices used for Software RAID.","platforms":["linux"],"columns":[{"name":"md_device_name","description":"md device name","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_name","description":"Drive device name","type":"text","hidden":false,"required":false,"index":false},{"name":"slot","description":"Slot position of disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the drive","type":"text","hidden":false,"required":false,"index":false}]},{"name":"md_personalities","description":"Software RAID setting supported by the kernel.","platforms":["linux"],"columns":[{"name":"name","description":"Name of personality supported by kernel","type":"text","hidden":false,"required":false,"index":false}]},{"name":"mdfind","description":"Run searches against the spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file returned from spotlight","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"The query that was run to find the file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"mdls","description":"Query file metadata in the Spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the metadata key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value stored in the metadata key","type":"text","hidden":false,"required":false,"index":false},{"name":"valuetype","description":"CoreFoundation type of data stored in value","type":"text","hidden":true,"required":false,"index":false}]},{"name":"memory_array_mapped_addresses","description":"Data associated for address mapping of physical memory arrays.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_handle","description":"Handle of the memory array associated with this structure","type":"text","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"partition_width","description":"Number of memory devices that form a single row of memory for the address partition of this structure","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_arrays","description":"Data associated with collection of memory devices that operate to form a memory address.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the array","type":"text","hidden":false,"required":false,"index":false},{"name":"location","description":"Physical location of the memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"use","description":"Function for which the array is used","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_error_correction","description":"Primary hardware error correction or detection method supported","type":"text","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"Maximum capacity of array in gigabytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory_error_info_handle","description":"Handle, or instance number, associated with any error that was detected for the array","type":"text","hidden":false,"required":false,"index":false},{"name":"number_memory_devices","description":"Number of memory devices on array","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_device_mapped_addresses","description":"Data associated for address mapping of physical memory devices.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_device_handle","description":"Handle of the memory device structure associated with this structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_mapped_address_handle","description":"Handle of the memory array mapped address to which this device range is mapped to","type":"text","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"partition_row_position","description":"Identifies the position of the referenced memory device in a row of the address partition","type":"integer","hidden":false,"required":false,"index":false},{"name":"interleave_position","description":"The position of the device in a interleave, i.e. 0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc.","type":"integer","hidden":false,"required":false,"index":false},{"name":"interleave_data_depth","description":"The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_devices","description":"Physical memory device (type 17) information retrieved from SMBIOS.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure in SMBIOS","type":"text","hidden":false,"required":false,"index":false},{"name":"array_handle","description":"The memory array that the device is attached to","type":"text","hidden":false,"required":false,"index":false},{"name":"form_factor","description":"Implementation form factor for this memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"total_width","description":"Total width, in bits, of this memory device, including any check or error-correction bits","type":"integer","hidden":false,"required":false,"index":false},{"name":"data_width","description":"Data width, in bits, of this memory device","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of memory device in Megabyte","type":"integer","hidden":false,"required":false,"index":false},{"name":"set","description":"Identifies if memory device is one of a set of devices. A value of 0 indicates no set affiliation.","type":"integer","hidden":false,"required":false,"index":false},{"name":"device_locator","description":"String number of the string that identifies the physically-labeled socket or board position where the memory device is located","type":"text","hidden":false,"required":false,"index":false},{"name":"bank_locator","description":"String number of the string that identifies the physically-labeled bank where the memory device is located","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_type","description":"Type of memory used","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_type_details","description":"Additional details for memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"max_speed","description":"Max speed of memory device in megatransfers per second (MT/s)","type":"integer","hidden":false,"required":false,"index":false},{"name":"configured_clock_speed","description":"Configured speed of memory device in megatransfers per second (MT/s)","type":"integer","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Manufacturer ID string","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Serial number of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"asset_tag","description":"Manufacturer specific asset tag of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"part_number","description":"Manufacturer specific serial number of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"min_voltage","description":"Minimum operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_voltage","description":"Maximum operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false},{"name":"configured_voltage","description":"Configured operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_error_info","description":"Data associated with errors of a physical memory array.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"error_type","description":"type of error associated with current error status for array or device","type":"text","hidden":false,"required":false,"index":false},{"name":"error_granularity","description":"Granularity to which the error can be resolved","type":"text","hidden":false,"required":false,"index":false},{"name":"error_operation","description":"Memory access operation that caused the error","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_syndrome","description":"Vendor specific ECC syndrome or CRC data associated with the erroneous access","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_error_address","description":"32 bit physical address of the error based on the addressing of the bus to which the memory array is connected","type":"text","hidden":false,"required":false,"index":false},{"name":"device_error_address","description":"32 bit physical address of the error relative to the start of the failing memory address, in bytes","type":"text","hidden":false,"required":false,"index":false},{"name":"error_resolution","description":"Range, in bytes, within which this error can be determined, when an error address is given","type":"text","hidden":false,"required":false,"index":false}]},{"name":"memory_info","description":"Main memory information in bytes.","platforms":["linux"],"columns":[{"name":"memory_total","description":"Total amount of physical RAM, in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_free","description":"The amount of physical RAM, in bytes, left unused by the system","type":"bigint","hidden":false,"required":false,"index":false},{"name":"buffers","description":"The amount of physical RAM, in bytes, used for file buffers","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cached","description":"The amount of physical RAM, in bytes, used as cache memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_cached","description":"The amount of swap, in bytes, used as cache memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"active","description":"The total amount of buffer or page cache memory, in bytes, that is in active use","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"The total amount of buffer or page cache memory, in bytes, that are free and available","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_total","description":"The total amount of swap available, in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_free","description":"The total amount of swap free, in bytes","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"memory_map","description":"OS memory region map.","platforms":["linux"],"columns":[{"name":"name","description":"Region name","type":"text","hidden":false,"required":false,"index":false},{"name":"start","description":"Start address of memory region","type":"text","hidden":false,"required":false,"index":false},{"name":"end","description":"End address of memory region","type":"text","hidden":false,"required":false,"index":false}]},{"name":"mounts","description":"System mounted devices and filesystems (not process specific).","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Mounted device","type":"text","hidden":false,"required":false,"index":false},{"name":"device_alias","description":"Mounted device alias","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Mounted device path","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Mounted device type","type":"text","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Block size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Mounted device used blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_free","description":"Mounted device free blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_available","description":"Mounted device available blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Mounted device used inodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_free","description":"Mounted device free inodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"Mounted device flags","type":"text","hidden":false,"required":false,"index":false}]},{"name":"msr","description":"Various pieces of data stored in the model specific register per processor. NOTE: the msr kernel module must be enabled, and osquery must be run as root.","platforms":["linux"],"columns":[{"name":"processor_number","description":"The processor number as reported in /proc/cpuinfo","type":"bigint","hidden":false,"required":false,"index":false},{"name":"turbo_disabled","description":"Whether the turbo feature is disabled.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"turbo_ratio_limit","description":"The turbo feature ratio limit.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"platform_info","description":"Platform information.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"perf_ctl","description":"Performance setting for the processor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"perf_status","description":"Performance status for the processor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"feature_control","description":"Bitfield controlling enabled features.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_power_limit","description":"Run Time Average Power Limiting power limit.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_energy_status","description":"Run Time Average Power Limiting energy status.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_power_units","description":"Run Time Average Power Limiting power units.","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"nfs_shares","description":"NFS shares exported by the host.","platforms":["darwin"],"columns":[{"name":"share","description":"Filesystem path to the share","type":"text","hidden":false,"required":false,"index":false},{"name":"options","description":"Options string set on the export share","type":"text","hidden":false,"required":false,"index":false},{"name":"readonly","description":"1 if the share is exported readonly else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"npm_packages","description":"Lists all npm packages in a directory or globally installed in a system.","platforms":["linux"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Package supplied description","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Package author name","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License for package","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Module's package.json path","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"Node module's directory where this package is located","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"ntdomains","description":"Display basic NT domain information of a Windows machine.","platforms":["windows"],"columns":[{"name":"name","description":"The label by which the object is known.","type":"text","hidden":false,"required":false,"index":false},{"name":"client_site_name","description":"The name of the site where the domain controller is configured.","type":"text","hidden":false,"required":false,"index":false},{"name":"dc_site_name","description":"The name of the site where the domain controller is located.","type":"text","hidden":false,"required":false,"index":false},{"name":"dns_forest_name","description":"The name of the root of the DNS tree.","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_controller_address","description":"The IP Address of the discovered domain controller..","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_controller_name","description":"The name of the discovered domain controller.","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_name","description":"The name of the domain.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"The current status of the domain object.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ntfs_acl_permissions","description":"Retrieve NTFS ACL permission information for files and directories.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the file or directory.","type":"text","hidden":false,"required":true,"index":false},{"name":"type","description":"Type of access mode for the access control entry.","type":"text","hidden":false,"required":false,"index":false},{"name":"principal","description":"User or group to which the ACE applies.","type":"text","hidden":false,"required":false,"index":false},{"name":"access","description":"Specific permissions that indicate the rights described by the ACE.","type":"text","hidden":false,"required":false,"index":false},{"name":"inherited_from","description":"The inheritance policy of the ACE.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ntfs_journal_events","description":"Track time/action changes to files specified in configuration data.","platforms":["windows"],"columns":[{"name":"action","description":"Change action (Write, Delete, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category that the event originated from","type":"text","hidden":false,"required":false,"index":false},{"name":"old_path","description":"Old path (renames only)","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path","type":"text","hidden":false,"required":false,"index":false},{"name":"record_timestamp","description":"Journal record timestamp","type":"text","hidden":false,"required":false,"index":false},{"name":"record_usn","description":"The update sequence number that identifies the journal record","type":"text","hidden":false,"required":false,"index":false},{"name":"node_ref_number","description":"The ordinal that associates a journal record with a filename","type":"text","hidden":false,"required":false,"index":false},{"name":"parent_ref_number","description":"The ordinal that associates a journal record with a filename's parent directory","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"The drive letter identifying the source journal","type":"text","hidden":false,"required":false,"index":false},{"name":"file_attributes","description":"File attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"partial","description":"Set to 1 if either path or old_path only contains the file or folder name","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"nvram","description":"Apple NVRAM variable listing.","platforms":["darwin"],"columns":[{"name":"name","description":"Variable name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Data type (CFData, CFString, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Raw variable data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"oem_strings","description":"OEM defined strings retrieved from SMBIOS.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the Type 11 structure","type":"text","hidden":false,"required":false,"index":false},{"name":"number","description":"The string index of the structure","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"The value of the OEM string","type":"text","hidden":false,"required":false,"index":false}]},{"name":"office_mru","description":"View recently opened Office documents.","platforms":["windows"],"columns":[{"name":"application","description":"Associated Office application","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Office application version number","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File path","type":"text","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"Most recent opened time file was opened","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID","type":"text","hidden":false,"required":false,"index":false}]},{"name":"os_version","description":"A single row containing the operating system name and version.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Distribution or product name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Pretty, suitable for presentation, OS version","type":"text","hidden":false,"required":false,"index":false},{"name":"major","description":"Major release version","type":"integer","hidden":false,"required":false,"index":false},{"name":"minor","description":"Minor release version","type":"integer","hidden":false,"required":false,"index":false},{"name":"patch","description":"Optional patch release","type":"integer","hidden":false,"required":false,"index":false},{"name":"build","description":"Optional build-specific or variant string","type":"text","hidden":false,"required":false,"index":false},{"name":"platform","description":"OS Platform or ID","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_like","description":"Closely related platforms","type":"text","hidden":false,"required":false,"index":false},{"name":"codename","description":"OS version codename","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"OS Architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"The install date of the OS.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"osquery_events","description":"Information about the event publishers and subscribers.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"Event publisher or subscriber name","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the associated publisher","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Either publisher or subscriber","type":"text","hidden":false,"required":false,"index":false},{"name":"subscriptions","description":"Number of subscriptions the publisher received or subscriber used","type":"integer","hidden":false,"required":false,"index":false},{"name":"events","description":"Number of events emitted or received since osquery started","type":"integer","hidden":false,"required":false,"index":false},{"name":"refreshes","description":"Publisher only: number of runloop restarts","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 if the publisher or subscriber is active else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_extensions","description":"List of active osquery extensions.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"uuid","description":"The transient ID assigned for communication","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension's name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension's version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk_version","description":"osquery SDK version used to build the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the extension's Thrift connection or library path","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"SDK extension type: extension or module","type":"text","hidden":false,"required":false,"index":false}]},{"name":"osquery_flags","description":"Configurable flags that modify osquery's behavior.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"Flag name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Flag type","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Flag description","type":"text","hidden":false,"required":false,"index":false},{"name":"default_value","description":"Flag default value","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Flag value","type":"text","hidden":false,"required":false,"index":false},{"name":"shell_only","description":"Is the flag shell only?","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_info","description":"Top level information about the running version of osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"pid","description":"Process (or thread/handle) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the system","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_id","description":"Unique, long-lived ID per instance of osquery","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"osquery toolkit version","type":"text","hidden":false,"required":false,"index":false},{"name":"config_hash","description":"Hash of the working configuration state","type":"text","hidden":false,"required":false,"index":false},{"name":"config_valid","description":"1 if the config was loaded and considered valid, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"extensions","description":"osquery extensions status","type":"text","hidden":false,"required":false,"index":false},{"name":"build_platform","description":"osquery toolkit build platform","type":"text","hidden":false,"required":false,"index":false},{"name":"build_distro","description":"osquery toolkit platform distribution name (os version)","type":"text","hidden":false,"required":false,"index":false},{"name":"start_time","description":"UNIX time in seconds when the process started","type":"integer","hidden":false,"required":false,"index":false},{"name":"watcher","description":"Process (or thread/handle) ID of optional watcher process","type":"integer","hidden":false,"required":false,"index":false},{"name":"platform_mask","description":"The osquery platform bitmask","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_packs","description":"Information about the current query packs that are loaded in osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"The given name for this query pack","type":"text","hidden":false,"required":false,"index":false},{"name":"platform","description":"Platforms this query is supported on","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Minimum osquery version that this query will run on","type":"text","hidden":false,"required":false,"index":false},{"name":"shard","description":"Shard restriction limit, 1-100, 0 meaning no restriction","type":"integer","hidden":false,"required":false,"index":false},{"name":"discovery_cache_hits","description":"The number of times that the discovery query used cached values since the last time the config was reloaded","type":"integer","hidden":false,"required":false,"index":false},{"name":"discovery_executions","description":"The number of times that the discovery queries have been executed since the last time the config was reloaded","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_registry","description":"List the osquery registry plugins.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"registry","description":"Name of the osquery registry","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the plugin item","type":"text","hidden":false,"required":false,"index":false},{"name":"owner_uuid","description":"Extension route UUID (0 for core)","type":"integer","hidden":false,"required":false,"index":false},{"name":"internal","description":"1 If the plugin is internal else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If this plugin is active else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_schedule","description":"Information about the current queries that are scheduled in osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"The given name for this query","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"The exact query to run","type":"text","hidden":false,"required":false,"index":false},{"name":"interval","description":"The interval in seconds to run this query, not an exact interval","type":"integer","hidden":false,"required":false,"index":false},{"name":"executions","description":"Number of times the query was executed","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_executed","description":"UNIX time stamp in seconds of the last completed execution","type":"bigint","hidden":false,"required":false,"index":false},{"name":"denylisted","description":"1 if the query is denylisted else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"output_size","description":"Total number of bytes generated by the query","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wall_time","description":"Total wall time spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"user_time","description":"Total user time spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_time","description":"Total system time spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"average_memory","description":"Average private memory left after executing","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"package_bom","description":"OS X package bill of materials (BOM) file list.","platforms":["darwin"],"columns":[{"name":"filepath","description":"Package file or directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Expected user of file or directory","type":"integer","hidden":false,"required":false,"index":false},{"name":"gid","description":"Expected group of file or directory","type":"integer","hidden":false,"required":false,"index":false},{"name":"mode","description":"Expected permissions","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Timestamp the file was installed","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of package bom","type":"text","hidden":false,"required":true,"index":false}]},{"name":"package_install_history","description":"OS X package install history.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Label packageIdentifiers","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Label date as UNIX timestamp","type":"integer","hidden":false,"required":false,"index":false},{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package display version","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Install source: usually the installer process name","type":"text","hidden":false,"required":false,"index":false},{"name":"content_type","description":"Package content_type (optional)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"package_receipts","description":"OS X package receipt details.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Package domain identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"package_filename","description":"Filename of original .pkg file","type":"text","hidden":true,"required":false,"index":false},{"name":"version","description":"Installed package version","type":"text","hidden":false,"required":false,"index":false},{"name":"location","description":"Optional relative install path on volume","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Timestamp of install time","type":"double","hidden":false,"required":false,"index":false},{"name":"installer_name","description":"Name of installer process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of receipt plist","type":"text","hidden":false,"required":false,"index":false}]},{"name":"patches","description":"Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).","platforms":["windows"],"columns":[{"name":"csname","description":"The name of the host the patch is installed on.","type":"text","hidden":false,"required":false,"index":false},{"name":"hotfix_id","description":"The KB ID of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"caption","description":"Short description of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Fuller description of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"fix_comments","description":"Additional comments about the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"installed_by","description":"The system context in which the patch as installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"installed_on","description":"The date when the patch was installed.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"pci_devices","description":"PCI devices active on the host system.","platforms":["darwin","linux"],"columns":[{"name":"pci_slot","description":"PCI Device used slot","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_class","description":"PCI Device class","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"PCI Device used driver","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"PCI Device vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded PCI Device vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"PCI Device model","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded PCI Device model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_class_id","description":"PCI Device class ID in hex format","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_subclass_id","description":"PCI Device subclass in hex format","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_subclass","description":"PCI Device subclass","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem_vendor_id","description":"Vendor ID of PCI device subsystem","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem_vendor","description":"Vendor of PCI device subsystem","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem_model_id","description":"Model ID of PCI device subsystem","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem_model","description":"Device description of PCI device subsystem","type":"text","hidden":false,"required":false,"index":false}]},{"name":"physical_disk_performance","description":"Provides provides raw data from performance counters that monitor hard or fixed disk drives on the system.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the physical disk","type":"text","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_read","description":"Average number of bytes transferred from the disk during read operations","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_write","description":"Average number of bytes transferred to the disk during write operations","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_read_queue_length","description":"Average number of read requests that were queued for the selected disk during the sample interval","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_write_queue_length","description":"Average number of write requests that were queued for the selected disk during the sample interval","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_read","description":"Average time, in seconds, of a read operation of data from the disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_write","description":"Average time, in seconds, of a write operation of data to the disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"current_disk_queue_length","description":"Number of requests outstanding on the disk at the time the performance data is collected","type":"integer","hidden":false,"required":false,"index":false},{"name":"percent_disk_read_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing read requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_disk_write_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing write requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_disk_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing read or write requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_idle_time","description":"Percentage of time during the sample interval that the disk was idle","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"pipes","description":"Named and Anonymous pipes.","platforms":["windows"],"columns":[{"name":"pid","description":"Process ID of the process to which the pipe belongs","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the pipe","type":"text","hidden":false,"required":false,"index":false},{"name":"instances","description":"Number of instances of the named pipe","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_instances","description":"The maximum number of instances creatable for this pipe","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes","type":"text","hidden":false,"required":false,"index":false}]},{"name":"pkg_packages","description":"pkgng packages that are currently installed on the host system.","platforms":["freebsd"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"flatsize","description":"Package size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Architecture(s) supported","type":"text","hidden":false,"required":false,"index":false}]},{"name":"platform_info","description":"Information about EFI/UEFI/ROM and platform/boot.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"vendor","description":"Platform code vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Platform code version","type":"text","hidden":false,"required":false,"index":false},{"name":"date","description":"Self-reported platform code update date","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"BIOS major and minor revision","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Relative address of firmware mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size in bytes of firmware","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_size","description":"(Optional) size of firmware volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"extra","description":"Platform-specific additional information","type":"text","hidden":false,"required":false,"index":false}]},{"name":"plist","description":"Read and parse a plist file.","platforms":["darwin"],"columns":[{"name":"key","description":"Preference top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"subkey","description":"Intermediate key path, includes lists/dicts","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF types","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"(required) read preferences from a plist","type":"text","hidden":false,"required":true,"index":false}]},{"name":"portage_keywords","description":"A summary about portage configurations like keywords, mask and unmask.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","hidden":false,"required":false,"index":false},{"name":"keyword","description":"The keyword applied to the package","type":"text","hidden":false,"required":false,"index":false},{"name":"mask","description":"If the package is masked","type":"integer","hidden":false,"required":false,"index":false},{"name":"unmask","description":"If the package is unmasked","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"portage_packages","description":"List of currently installed packages.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","hidden":false,"required":false,"index":false},{"name":"slot","description":"The slot used by package","type":"text","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Unix time when package was built","type":"bigint","hidden":false,"required":false,"index":false},{"name":"repository","description":"From which repository the ebuild was used","type":"text","hidden":false,"required":false,"index":false},{"name":"eapi","description":"The eapi for the ebuild","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the package","type":"bigint","hidden":false,"required":false,"index":false},{"name":"world","description":"If package is in the world file","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"portage_use","description":"List of enabled portage USE values for specific package.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version of the installed package","type":"text","hidden":false,"required":false,"index":false},{"name":"use","description":"USE flag which has been enabled for package","type":"text","hidden":false,"required":false,"index":false}]},{"name":"power_sensors","description":"Machine power (currents, voltages, wattages, etc) sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on OS X","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The sensor category: currents, voltage, wattage","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of power source","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Power in Watts","type":"text","hidden":false,"required":false,"index":false}]},{"name":"powershell_events","description":"Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was received by the osquery event publisher","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the Powershell script event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"script_block_id","description":"The unique GUID of the powershell script to which this block belongs","type":"text","hidden":false,"required":false,"index":false},{"name":"script_block_count","description":"The total number of script blocks for this script","type":"integer","hidden":false,"required":false,"index":false},{"name":"script_text","description":"The text content of the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"script_name","description":"The name of the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"script_path","description":"The path for the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"cosine_similarity","description":"How similar the Powershell script is to a provided 'normal' character frequency","type":"double","hidden":false,"required":false,"index":false}]},{"name":"preferences","description":"OS X defaults and managed preferences.","platforms":["darwin"],"columns":[{"name":"domain","description":"Application ID usually in com.name.product format","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Preference top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"subkey","description":"Intemediate key path, includes lists/dicts","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF types","type":"text","hidden":false,"required":false,"index":false},{"name":"forced","description":"1 if the value is forced/managed, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"username","description":"(optional) read preferences for a specific user","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"'current' or 'any' host, where 'current' takes precedence","type":"text","hidden":false,"required":false,"index":false}]},{"name":"prefetch","description":"Prefetch files show metadata related to file execution.","platforms":["windows"],"columns":[{"name":"path","description":"Prefetch file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Executable filename.","type":"text","hidden":false,"required":false,"index":false},{"name":"hash","description":"Prefetch CRC hash.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Most recent time application was run.","type":"integer","hidden":false,"required":false,"index":false},{"name":"other_run_times","description":"Other execution times in prefetch file.","type":"text","hidden":false,"required":false,"index":false},{"name":"run_count","description":"Number of times the application has been run.","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Application file size.","type":"integer","hidden":false,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number.","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_creation","description":"Volume creation time.","type":"text","hidden":false,"required":false,"index":false},{"name":"accessed_files_count","description":"Number of files accessed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"accessed_directories_count","description":"Number of directories accessed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"accessed_files","description":"Files accessed by application within ten seconds of launch.","type":"text","hidden":false,"required":false,"index":false},{"name":"accessed_directories","description":"Directories accessed by application within ten seconds of launch.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_envs","description":"A key/value table of environment variables for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"key","description":"Environment variable name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Environment variable value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_events","description":"Track time/action process executions.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"File mode permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline_size","description":"Actual size (bytes) of command line arguments","type":"bigint","hidden":true,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by spaces","type":"text","hidden":true,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","hidden":true,"required":false,"index":false},{"name":"env_size","description":"Actual size (bytes) of environment list","type":"bigint","hidden":true,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"File owner user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"owner_gid","description":"File owner group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"File last access in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"File modification in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"File last metadata change in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"btime","description":"File creation in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"overflows","description":"List of structures that overflowed","type":"text","hidden":true,"required":false,"index":false},{"name":"parent","description":"Process parent's PID, or -1 if cannot be determined.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"status","description":"OpenBSM Attribute: Status of the process","type":"bigint","hidden":true,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fsgid","description":"Filesystem group ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"syscall","description":"Syscall name: fork, vfork, clone, execve, execveat","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_file_events","description":"A File Integrity Monitor implementation using the audit service.","platforms":["linux"],"columns":[{"name":"operation","description":"Operation type","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ppid","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"executable","description":"The executable path","type":"text","hidden":false,"required":false,"index":false},{"name":"partial","description":"True if this is a partial event (i.e.: this process existed before we started osquery)","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The current working directory of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"dest_path","description":"The canonical path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The uid of the process performing the action","type":"text","hidden":false,"required":false,"index":false},{"name":"gid","description":"The gid of the process performing the action","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"fsgid","description":"Filesystem group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"process_memory_map","description":"Process memory mapped files and pseudo device/regions.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"start","description":"Virtual start address (hex)","type":"text","hidden":false,"required":false,"index":false},{"name":"end","description":"Virtual end address (hex)","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"r=read, w=write, x=execute, p=private (cow)","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"Offset into mapped path","type":"bigint","hidden":false,"required":false,"index":false},{"name":"device","description":"MA:MI Major/minor device ID","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Mapped path inode, 0 means uninitialized (BSS)","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to mapped file or mapped type","type":"text","hidden":false,"required":false,"index":false},{"name":"pseudo","description":"1 If path is a pseudo path, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"process_namespaces","description":"Linux namespaces for processes running on the host system.","platforms":["linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_namespace","description":"cgroup namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"ipc_namespace","description":"ipc namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"mnt_namespace","description":"mnt namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"net namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_namespace","description":"pid namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"user_namespace","description":"user namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"uts_namespace","description":"uts namespace inode","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_files","description":"File descriptors for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fd","description":"Process-specific file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Filesystem path of descriptor","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_pipes","description":"Pipes and partner processes for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fd","description":"File descriptor","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Pipe open mode (r/w)","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Pipe inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"type","description":"Pipe Type: named vs unnamed/anonymous","type":"text","hidden":false,"required":false,"index":false},{"name":"partner_pid","description":"Process ID of partner process sharing a particular pipe","type":"bigint","hidden":false,"required":false,"index":false},{"name":"partner_fd","description":"File descriptor of shared pipe at partner's end","type":"bigint","hidden":false,"required":false,"index":false},{"name":"partner_mode","description":"Mode of shared pipe at partner's end","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_sockets","description":"Processes which have open network sockets on the system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"fd","description":"Socket file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, IPv6)","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Socket local address","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Socket remote address","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Socket local port","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Socket remote port","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"For UNIX sockets (family=AF_UNIX), the domain path","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"TCP socket state","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","hidden":false,"required":false,"index":false}]},{"name":"processes","description":"All running processes on the host system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executed binary","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"root","description":"Process virtual root directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Unsigned user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Unsigned group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Unsigned effective user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Unsigned effective group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Unsigned saved user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Unsigned saved group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"on_disk","description":"The process path exists yes=1, no=0, unknown=-1","type":"integer","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"user_time","description":"CPU time in milliseconds spent in user space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_time","description":"CPU time in milliseconds spent in kernel space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_read","description":"Bytes read from disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_written","description":"Bytes written to disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start time in seconds since Epoch, in case of error -1","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"elevated_token","description":"Process uses elevated token yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"secure_process","description":"Process is secure (IUM) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"protection_type","description":"The protection type of the process","type":"text","hidden":true,"required":false,"index":false},{"name":"virtual_process","description":"Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"elapsed_time","description":"Elapsed time in seconds this process has been running.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"handle_count","description":"Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"percent_processor_time","description":"Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"upid","description":"A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"uppid","description":"The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"cpu_type","description":"Indicates the specific processor designed for installation.","type":"integer","hidden":true,"required":false,"index":false},{"name":"cpu_subtype","description":"Indicates the specific processor on which an entry may be used.","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"programs","description":"Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.","platforms":["windows"],"columns":[{"name":"name","description":"Commonly used product name.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Product version information.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_location","description":"The installation location directory of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_source","description":"The installation source of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"language","description":"The language of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the product supplier.","type":"text","hidden":false,"required":false,"index":false},{"name":"uninstall_string","description":"Path and filename of the uninstaller.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Date that this product was installed on the system. ","type":"text","hidden":false,"required":false,"index":false},{"name":"identifying_number","description":"Product identification such as a serial number on software, or a die number on a hardware chip.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"prometheus_metrics","description":"Retrieve metrics from a Prometheus server.","platforms":["darwin","linux"],"columns":[{"name":"target_name","description":"Address of prometheus target","type":"text","hidden":false,"required":false,"index":false},{"name":"metric_name","description":"Name of collected Prometheus metric","type":"text","hidden":false,"required":false,"index":false},{"name":"metric_value","description":"Value of collected Prometheus metric","type":"double","hidden":false,"required":false,"index":false},{"name":"timestamp_ms","description":"Unix timestamp of collected data in MS","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"python_packages","description":"Python packages installed in a system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this module resides","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"Directory where Python modules are located","type":"text","hidden":false,"required":false,"index":false}]},{"name":"quicklook_cache","description":"Files and thumbnails within OS X's Quicklook Cache.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of file","type":"text","hidden":false,"required":false,"index":false},{"name":"rowid","description":"Quicklook file rowid key","type":"integer","hidden":false,"required":false,"index":false},{"name":"fs_id","description":"Quicklook file fs_id key","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_id","description":"Parsed volume ID from fs_id","type":"integer","hidden":false,"required":false,"index":false},{"name":"inode","description":"Parsed file ID (inode) from fs_id","type":"integer","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Parsed version date field","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Parsed version size field","type":"bigint","hidden":false,"required":false,"index":false},{"name":"label","description":"Parsed version 'gen' field","type":"text","hidden":false,"required":false,"index":false},{"name":"last_hit_date","description":"Apple date format for last thumbnail cache hit","type":"integer","hidden":false,"required":false,"index":false},{"name":"hit_count","description":"Number of cache hits on thumbnail","type":"text","hidden":false,"required":false,"index":false},{"name":"icon_mode","description":"Thumbnail icon mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cache_path","description":"Path to cache data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"registry","description":"All of the Windows registry hives.","platforms":["windows"],"columns":[{"name":"key","description":"Name of the key to search for","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Full path to the value","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the registry value entry","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the registry value, or 'subkey' if item is a subkey","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data content of registry value","type":"text","hidden":false,"required":false,"index":false},{"name":"mtime","description":"timestamp of the most recent registry write","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"routes","description":"The active route table for the host system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"destination","description":"Destination IP address","type":"text","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Netmask length","type":"integer","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Route gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Route source","type":"text","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags to describe route","type":"integer","hidden":false,"required":false,"index":false},{"name":"interface","description":"Route local interface","type":"text","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Maximum Transmission Unit for the route","type":"integer","hidden":false,"required":false,"index":false},{"name":"metric","description":"Cost of route. Lowest is preferred","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of route","type":"text","hidden":false,"required":false,"index":false},{"name":"hopcount","description":"Max hops expected","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"rpm_package_files","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"package","description":"RPM package name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File path within the package","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"File default username from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"File default groupname from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"File permissions mode from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size in bytes from RPM info DB","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 file digest from RPM info DB","type":"text","hidden":false,"required":false,"index":false}]},{"name":"rpm_packages","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"name","description":"RPM package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"Package release","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source RPM package name (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the package contents","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"Architecture(s) supported","type":"text","hidden":false,"required":false,"index":false},{"name":"epoch","description":"Package epoch value","type":"integer","hidden":false,"required":false,"index":false},{"name":"install_time","description":"When the package was installed","type":"integer","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Package vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"package_group","description":"Package group","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"running_apps","description":"macOS applications currently running on the host system.","platforms":["darwin"],"columns":[{"name":"pid","description":"The pid of the application","type":"integer","hidden":false,"required":false,"index":false},{"name":"bundle_identifier","description":"The bundle identifier of the application","type":"text","hidden":false,"required":false,"index":false},{"name":"is_active","description":"1 if the application is in focus, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"safari_extensions","description":"Safari browser extension details for all users.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension long version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Bundle SDK used to compile extension","type":"text","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Optional developer identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional extension description text","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension XAR bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sandboxes","description":"OS X application sandboxes container details.","platforms":["darwin"],"columns":[{"name":"label","description":"UTI-format bundle or label ID","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"Sandbox owner","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Application sandboxings enabled on container","type":"integer","hidden":false,"required":false,"index":false},{"name":"build_id","description":"Sandbox-specific identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"Application bundle used by the sandbox","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to sandbox container directory","type":"text","hidden":false,"required":false,"index":false}]},{"name":"scheduled_tasks","description":"Lists all of the tasks in the Windows task scheduler.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Actions executed by the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the executable to be run","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether or not the scheduled task is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"hidden","description":"Whether or not the task is visible in the UI","type":"integer","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Timestamp the task last ran","type":"bigint","hidden":false,"required":false,"index":false},{"name":"next_run_time","description":"Timestamp the task is scheduled to run next","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_run_message","description":"Exit status message of the last task run","type":"text","hidden":false,"required":false,"index":false},{"name":"last_run_code","description":"Exit status code of the last task run","type":"text","hidden":false,"required":false,"index":false}]},{"name":"screenlock","description":"macOS screenlock status for the current logged in user context.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 If a password is required after sleep or the screensaver begins; else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"grace_period","description":"The amount of time in seconds the screen must be asleep or the screensaver on before a password is required on-wake. 0 = immediately; -1 = no password is required on-wake","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"seccomp_events","description":"A virtual table that tracks seccomp events.","platforms":["linux"],"columns":[{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID (loginuid) of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"ses","description":"Session ID of the session from which the analyzed process was invoked","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"exe","description":"The path to the executable that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"sig","description":"Signal value sent to process by seccomp","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Information about the CPU architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"syscall","description":"Type of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"compat","description":"Is system call in compatibility mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ip","description":"Instruction pointer value","type":"text","hidden":false,"required":false,"index":false},{"name":"code","description":"The seccomp action","type":"text","hidden":false,"required":false,"index":false}]},{"name":"selinux_events","description":"Track SELinux events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Message","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"selinux_settings","description":"Track active SELinux settings.","platforms":["linux"],"columns":[{"name":"scope","description":"Where the key is located inside the SELinuxFS mount point.","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Key or class name.","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Active value.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"services","description":"Lists all installed Windows services and their relevant data.","platforms":["windows"],"columns":[{"name":"name","description":"Service name","type":"text","hidden":false,"required":false,"index":false},{"name":"service_type","description":"Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)","type":"text","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Service Display name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"the Process ID of the service","type":"integer","hidden":false,"required":false,"index":false},{"name":"start_type","description":"Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED","type":"text","hidden":false,"required":false,"index":false},{"name":"win32_exit_code","description":"The error code that the service uses to report an error that occurs when it is starting or stopping","type":"integer","hidden":false,"required":false,"index":false},{"name":"service_exit_code","description":"The service-specific error code that the service returns when an error occurs while the service is starting or stopping","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Service Executable","type":"text","hidden":false,"required":false,"index":false},{"name":"module_path","description":"Path to ServiceDll","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Service Description","type":"text","hidden":false,"required":false,"index":false},{"name":"user_account","description":"The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\\UserName. If the account belongs to the built-in domain, the name can be of the form .\\UserName.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shadow","description":"Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.","platforms":["linux"],"columns":[{"name":"password_status","description":"Password status","type":"text","hidden":false,"required":false,"index":false},{"name":"hash_alg","description":"Password hashing algorithm","type":"text","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Date of last password change (starting from UNIX epoch date)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimal number of days between password changes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum number of days between password changes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"warning","description":"Number of days before password expires to warn user about it","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Number of days after password expires until account is blocked","type":"bigint","hidden":false,"required":false,"index":false},{"name":"expire","description":"Number of days since UNIX epoch date until account is disabled","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flag","description":"Reserved","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shared_folders","description":"Folders available to others via SMB or AFP.","platforms":["darwin"],"columns":[{"name":"name","description":"The shared name of the folder as it appears to other users","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute path of shared folder on the local system","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shared_memory","description":"OS shared memory regions.","platforms":["linux"],"columns":[{"name":"shmid","description":"Shared memory segment ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"User ID of owning process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creator_uid","description":"User ID of creator process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID to last use the segment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creator_pid","description":"Process ID that created the segment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"Attached time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"dtime","description":"Detached time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Changed time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Memory segment permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"attached","description":"Number of attached processes","type":"integer","hidden":false,"required":false,"index":false},{"name":"status","description":"Destination/attach status","type":"text","hidden":false,"required":false,"index":false},{"name":"locked","description":"1 if segment is locked else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shared_resources","description":"Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.","platforms":["windows"],"columns":[{"name":"description","description":"A textual description of the object","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"String that indicates the current status of the object.","type":"text","hidden":false,"required":false,"index":false},{"name":"allow_maximum","description":"Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.","type":"integer","hidden":false,"required":false,"index":false},{"name":"maximum_allowed","description":"Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.","type":"integer","hidden":false,"required":false,"index":false},{"name":"name","description":"Alias given to a path set up as a share on a computer system running Windows.","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Local path of the Windows share.","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"sharing_preferences","description":"OS X Sharing preferences.","platforms":["darwin"],"columns":[{"name":"screen_sharing","description":"1 If screen sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"file_sharing","description":"1 If file sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"printer_sharing","description":"1 If printer sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_login","description":"1 If remote login is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_management","description":"1 If remote management is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_apple_events","description":"1 If remote apple events are enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"internet_sharing","description":"1 If internet sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"bluetooth_sharing","description":"1 If bluetooth sharing is enabled for any user else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"disc_sharing","description":"1 If CD or DVD sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"content_caching","description":"1 If content caching is enabled else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shell_history","description":"A line-delimited (command) table of per-user .*_history data.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"Shell history owner","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp. It could be absent, default value is 0.","type":"integer","hidden":false,"required":false,"index":false},{"name":"command","description":"Unparsed date/line/command history line","type":"text","hidden":false,"required":false,"index":false},{"name":"history_file","description":"Path to the .*_history for this user","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shellbags","description":"Shows directories accessed via Windows Explorer.","platforms":["windows"],"columns":[{"name":"sid","description":"User SID","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Shellbags source Registry file","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Directory name.","type":"text","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Directory Modified time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"created_time","description":"Directory Created time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"accessed_time","description":"Directory Accessed time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_entry","description":"Directory master file table entry.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_sequence","description":"Directory master file table sequence.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shimcache","description":"Application Compatibility Cache, contains artifacts of execution.","platforms":["windows"],"columns":[{"name":"entry","description":"Execution order.","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to the executed file.","type":"text","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"File Modified time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"execution_flag","description":"Boolean Execution flag, 1 for execution, 0 for no execution, -1 for missing (this flag does not exist on Windows 10 and higher).","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shortcut_files","description":"View data about Windows Shortcut files.","platforms":["windows"],"columns":[{"name":"path","description":"Directory name.","type":"text","hidden":false,"required":true,"index":false},{"name":"target_path","description":"Target file path","type":"text","hidden":false,"required":false,"index":false},{"name":"target_modified","description":"Target Modified time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"target_created","description":"Target Created time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"target_accessed","description":"Target Accessed time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"target_size","description":"Size of target file.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to target file from lnk file.","type":"text","hidden":false,"required":false,"index":false},{"name":"local_path","description":"Local system path to target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"working_path","description":"Target file directory.","type":"text","hidden":false,"required":false,"index":false},{"name":"icon_path","description":"Lnk file icon location.","type":"text","hidden":false,"required":false,"index":false},{"name":"common_path","description":"Common system path to target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"command_args","description":"Command args passed to lnk file.","type":"text","hidden":false,"required":false,"index":false},{"name":"hostname","description":"Optional hostname of the target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"share_name","description":"Share name of the target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"device_type","description":"Device containing the target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number.","type":"text","hidden":false,"required":false,"index":false},{"name":"mft_entry","description":"Target mft entry.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_sequence","description":"Target mft sequence.","type":"integer","hidden":false,"required":false,"index":false},{"name":"description","description":"Lnk file description.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"signature","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["darwin"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"hash_resources","description":"Set to 1 to also hash resources, or 0 otherwise. Default is 1","type":"integer","hidden":false,"required":false,"index":false},{"name":"arch","description":"If applicable, the arch of the signed code","type":"text","hidden":false,"required":false,"index":false},{"name":"signed","description":"1 If the file is signed else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"identifier","description":"The signing identifier sealed into the signature","type":"text","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Hash of the application Code Directory","type":"text","hidden":false,"required":false,"index":false},{"name":"team_identifier","description":"The team signing identifier sealed into the signature","type":"text","hidden":false,"required":false,"index":false},{"name":"authority","description":"Certificate Common Name","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sip_config","description":"Apple's System Integrity Protection (rootless) status.","platforms":["darwin"],"columns":[{"name":"config_flag","description":"The System Integrity Protection config flag","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if this configuration is enabled, otherwise 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"enabled_nvram","description":"1 if this configuration is enabled, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"smart_drive_info","description":"Drive information read by SMART controller utilizing autodetect.","platforms":["darwin","linux"],"columns":[{"name":"device_name","description":"Name of block device","type":"text","hidden":false,"required":false,"index":false},{"name":"disk_id","description":"Physical slot number of device, only exists when hardware storage controller exists","type":"integer","hidden":false,"required":false,"index":false},{"name":"driver_type","description":"The explicit device type used to retrieve the SMART information","type":"text","hidden":false,"required":false,"index":false},{"name":"model_family","description":"Drive model family","type":"text","hidden":false,"required":false,"index":false},{"name":"device_model","description":"Device Model","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Device serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"lu_wwn_device_id","description":"Device Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"additional_product_id","description":"An additional drive identifier if any","type":"text","hidden":false,"required":false,"index":false},{"name":"firmware_version","description":"Drive firmware version","type":"text","hidden":false,"required":false,"index":false},{"name":"user_capacity","description":"Bytes of drive capacity","type":"text","hidden":false,"required":false,"index":false},{"name":"sector_sizes","description":"Bytes of drive sector sizes","type":"text","hidden":false,"required":false,"index":false},{"name":"rotation_rate","description":"Drive RPM","type":"text","hidden":false,"required":false,"index":false},{"name":"form_factor","description":"Form factor if reported","type":"text","hidden":false,"required":false,"index":false},{"name":"in_smartctl_db","description":"Boolean value for if drive is recognized","type":"integer","hidden":false,"required":false,"index":false},{"name":"ata_version","description":"ATA version of drive","type":"text","hidden":false,"required":false,"index":false},{"name":"transport_type","description":"Drive transport type","type":"text","hidden":false,"required":false,"index":false},{"name":"sata_version","description":"SATA version, if any","type":"text","hidden":false,"required":false,"index":false},{"name":"read_device_identity_failure","description":"Error string for device id read, if any","type":"text","hidden":false,"required":false,"index":false},{"name":"smart_supported","description":"SMART support status","type":"text","hidden":false,"required":false,"index":false},{"name":"smart_enabled","description":"SMART enabled status","type":"text","hidden":false,"required":false,"index":false},{"name":"packet_device_type","description":"Packet device type","type":"text","hidden":false,"required":false,"index":false},{"name":"power_mode","description":"Device power mode","type":"text","hidden":false,"required":false,"index":false},{"name":"warnings","description":"Warning messages from SMART controller","type":"text","hidden":false,"required":false,"index":false}]},{"name":"smbios_tables","description":"BIOS (DMI) structure common details and content.","platforms":["darwin","linux"],"columns":[{"name":"number","description":"Table entry number","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Table entry type","type":"integer","hidden":false,"required":false,"index":false},{"name":"description","description":"Table entry description","type":"text","hidden":false,"required":false,"index":false},{"name":"handle","description":"Table entry handle","type":"integer","hidden":false,"required":false,"index":false},{"name":"header_size","description":"Header size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Table entry size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"smc_keys","description":"Apple's system management controller keys.","platforms":["darwin"],"columns":[{"name":"key","description":"4-character key","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"SMC-reported type literal type","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Reported size of data in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"A type-encoded representation of the key value","type":"text","hidden":false,"required":false,"index":false},{"name":"hidden","description":"1 if this key is normally hidden, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"socket_events","description":"Track network socket opens and closes.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"The socket action (bind, listen, close)","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"success","description":"The socket open attempt status","type":"integer","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","hidden":true,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"socket","description":"The local path (UNIX domain socket only)","type":"text","hidden":true,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"ssh_configs","description":"A table of parsed ssh_configs.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local owner of the ssh_config file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block","description":"The host or match block","type":"text","hidden":false,"required":false,"index":false},{"name":"option","description":"The option and value","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_config_file","description":"Path to the ssh_config file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"startup_items","description":"Applications and binaries set as user/login startup items.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Name of startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"args","description":"Arguments provided to startup executable","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Startup Item or Login Item","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Directory or plist containing startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Startup status; either enabled or disabled","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"The user associated with the startup item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sudoers","description":"Rules for running commands as other users via sudo.","platforms":["darwin","linux"],"columns":[{"name":"source","description":"Source file containing the given rule","type":"text","hidden":false,"required":false,"index":false},{"name":"header","description":"Symbol for given rule","type":"text","hidden":false,"required":false,"index":false},{"name":"rule_details","description":"Rule definition","type":"text","hidden":false,"required":false,"index":false}]},{"name":"suid_bin","description":"suid binaries in common locations.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Binary path","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Binary owner username","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Binary owner group","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Binary permissions","type":"text","hidden":false,"required":false,"index":false}]},{"name":"syslog_events","description":"","platforms":["linux"],"columns":[{"name":"time","description":"Current unix epoch time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Time known to syslog","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"Hostname configured for syslog","type":"text","hidden":false,"required":false,"index":false},{"name":"severity","description":"Syslog severity","type":"integer","hidden":false,"required":false,"index":false},{"name":"facility","description":"Syslog facility","type":"text","hidden":false,"required":false,"index":false},{"name":"tag","description":"The syslog tag","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"The syslog message","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"system_controls","description":"sysctl names, values, and settings information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Full sysctl MIB name","type":"text","hidden":false,"required":false,"index":false},{"name":"oid","description":"Control MIB","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem","description":"Subsystem ID, control type","type":"text","hidden":false,"required":false,"index":false},{"name":"current_value","description":"Value of setting","type":"text","hidden":false,"required":false,"index":false},{"name":"config_value","description":"The MIB value set in /etc/sysctl.conf","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Data type","type":"text","hidden":false,"required":false,"index":false},{"name":"field_name","description":"Specific attribute of opaque type","type":"text","hidden":true,"required":false,"index":false}]},{"name":"system_extensions","description":"macOS (>= 10.15) system extension table.","platforms":["darwin"],"columns":[{"name":"path","description":"Original path of system extension","type":"text","hidden":false,"required":false,"index":false},{"name":"UUID","description":"Extension unique id","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"System extension state","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Identifier name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"System extension version","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"System extension category","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"System extension bundle path","type":"text","hidden":false,"required":false,"index":false},{"name":"team","description":"Signing team ID","type":"text","hidden":false,"required":false,"index":false},{"name":"mdm_managed","description":"1 if managed by MDM system extension payload configuration, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"system_info","description":"System information for identification.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"hostname","description":"Network hostname including domain","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the system","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_type","description":"CPU type","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_subtype","description":"CPU subtype","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_brand","description":"CPU brand string, contains vendor and model","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_physical_cores","description":"Number of physical CPU cores in to the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_logical_cores","description":"Number of logical CPU cores available to the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_microcode","description":"Microcode version","type":"text","hidden":false,"required":false,"index":false},{"name":"physical_memory","description":"Total physical memory in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hardware_vendor","description":"Hardware vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hardware model","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_version","description":"Hardware version","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_serial","description":"Device serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"board_vendor","description":"Board vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"board_model","description":"Board model","type":"text","hidden":false,"required":false,"index":false},{"name":"board_version","description":"Board version","type":"text","hidden":false,"required":false,"index":false},{"name":"board_serial","description":"Board serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Friendly computer name (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Local hostname (optional)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"systemd_units","description":"Track systemd units.","platforms":["linux"],"columns":[{"name":"id","description":"Unique unit identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Unit description","type":"text","hidden":false,"required":false,"index":false},{"name":"load_state","description":"Reflects whether the unit definition was properly loaded","type":"text","hidden":false,"required":false,"index":false},{"name":"active_state","description":"The high-level unit activation state, i.e. generalization of SUB","type":"text","hidden":false,"required":false,"index":false},{"name":"sub_state","description":"The low-level unit activation state, values depend on unit type","type":"text","hidden":false,"required":false,"index":false},{"name":"following","description":"The name of another unit that this unit follows in state","type":"text","hidden":false,"required":false,"index":false},{"name":"object_path","description":"The object path for this unit","type":"text","hidden":false,"required":false,"index":false},{"name":"job_id","description":"Next queued job id","type":"bigint","hidden":false,"required":false,"index":false},{"name":"job_type","description":"Job type","type":"text","hidden":false,"required":false,"index":false},{"name":"job_path","description":"The object path for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"fragment_path","description":"The unit file path this unit was read from, if there is any","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"The configured user, if any","type":"text","hidden":false,"required":false,"index":false},{"name":"source_path","description":"Path to the (possibly generated) unit configuration file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"temperature_sensors","description":"Machine's temperature sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on OS X","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of temperature source","type":"text","hidden":false,"required":false,"index":false},{"name":"celsius","description":"Temperature in Celsius","type":"double","hidden":false,"required":false,"index":false},{"name":"fahrenheit","description":"Temperature in Fahrenheit","type":"double","hidden":false,"required":false,"index":false}]},{"name":"time","description":"Track current date and time in the system.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"weekday","description":"Current weekday in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"year","description":"Current year in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"month","description":"Current month in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"day","description":"Current day in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"hour","description":"Current hour in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Current minutes in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Current seconds in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"timezone","description":"Current timezone in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"local_time","description":"Current local UNIX time in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_timezone","description":"Current local timezone in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"unix_time","description":"Current UNIX time in the system, converted to UTC if --utc enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"timestamp","description":"Current timestamp (log format) in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Current date and time (ISO format) in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"iso_8601","description":"Current time (ISO format) in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"win_timestamp","description":"Timestamp value in 100 nanosecond units.","type":"bigint","hidden":true,"required":false,"index":false}]},{"name":"time_machine_backups","description":"Backups to drives using TimeMachine.","platforms":["darwin"],"columns":[{"name":"destination_id","description":"Time Machine destination ID","type":"text","hidden":false,"required":false,"index":false},{"name":"backup_date","description":"Backup Date","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"time_machine_destinations","description":"Locations backed up to using Time Machine.","platforms":["darwin"],"columns":[{"name":"alias","description":"Human readable name of drive","type":"text","hidden":false,"required":false,"index":false},{"name":"destination_id","description":"Time Machine destination ID","type":"text","hidden":false,"required":false,"index":false},{"name":"consistency_scan_date","description":"Consistency scan date","type":"integer","hidden":false,"required":false,"index":false},{"name":"root_volume_uuid","description":"Root UUID of backup volume","type":"text","hidden":false,"required":false,"index":false},{"name":"bytes_available","description":"Bytes available on volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"bytes_used","description":"Bytes used on volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"encryption","description":"Last known encrypted state","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ulimit_info","description":"System resource usage limits.","platforms":["darwin","linux"],"columns":[{"name":"type","description":"System resource to be limited","type":"text","hidden":false,"required":false,"index":false},{"name":"soft_limit","description":"Current limit value","type":"text","hidden":false,"required":false,"index":false},{"name":"hard_limit","description":"Maximum limit value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"uptime","description":"Track time passed since last boot.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"days","description":"Days of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"hours","description":"Hours of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Minutes of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Seconds of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"total_seconds","description":"Total uptime seconds","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"usb_devices","description":"USB devices that are actively plugged into the host system.","platforms":["darwin","linux"],"columns":[{"name":"usb_address","description":"USB Device used address","type":"integer","hidden":false,"required":false,"index":false},{"name":"usb_port","description":"USB Device used port","type":"integer","hidden":false,"required":false,"index":false},{"name":"vendor","description":"USB Device vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded USB Device vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"USB Device version number","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"USB Device model string","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded USB Device model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"USB Device serial connection","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"USB Device class","type":"text","hidden":false,"required":false,"index":false},{"name":"subclass","description":"USB Device subclass","type":"text","hidden":false,"required":false,"index":false},{"name":"protocol","description":"USB Device protocol","type":"text","hidden":false,"required":false,"index":false},{"name":"removable","description":"1 If USB device is removable else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"user_events","description":"Track user events from the audit framework.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the event","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"The file description for the process socket","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Supplied path from event","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"The Internet protocol address or family ID","type":"text","hidden":false,"required":false,"index":false},{"name":"terminal","description":"The network protocol ID","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"user_groups","description":"Local system user group relationships.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"user_interaction_events","description":"Track user interaction events from macOS' event tapping framework.","platforms":["darwin"],"columns":[{"name":"time","description":"Time","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"user_ssh_keys","description":"Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local user that owns the key file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to key file","type":"text","hidden":false,"required":false,"index":false},{"name":"encrypted","description":"1 if key is encrypted, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"userassist","description":"UserAssist Registry Key tracks when a user executes an application from Windows Explorer.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of times the application has been executed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"users","description":"Local user accounts (including domain accounts that have logged on locally (Windows)).","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID (unsigned)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid_signed","description":"User ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"Default group ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional user description","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"User's home directory","type":"text","hidden":false,"required":false,"index":false},{"name":"shell","description":"User's configured default shell","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"User's UUID (Apple) or SID (Windows)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Whether the account is roaming (domain), local, or a system profile","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"video_info","description":"Retrieve video card information of the machine.","platforms":["windows"],"columns":[{"name":"color_depth","description":"The amount of bits per pixel to represent color.","type":"integer","hidden":false,"required":false,"index":false},{"name":"driver","description":"The driver of the device.","type":"text","hidden":false,"required":false,"index":false},{"name":"driver_date","description":"The date listed on the installed driver.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"driver_version","description":"The version of the installed driver.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"series","description":"The series of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"video_mode","description":"The current resolution of the display.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"virtual_memory_info","description":"Darwin Virtual Memory statistics.","platforms":["darwin"],"columns":[{"name":"free","description":"Total number of free pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"active","description":"Total number of active pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Total number of inactive pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"speculative","description":"Total number of speculative pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"throttled","description":"Total number of throttled pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wired","description":"Total number of wired down pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"purgeable","description":"Total number of purgeable pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"faults","description":"Total number of calls to vm_faults.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"copy","description":"Total number of copy-on-write pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"zero_fill","description":"Total number of zero filled pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"reactivated","description":"Total number of reactivated pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"purged","description":"Total number of purged pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"file_backed","description":"Total number of file backed pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"anonymous","description":"Total number of anonymous pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uncompressed","description":"Total number of uncompressed pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"compressor","description":"The number of pages used to store compressed VM pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"decompressed","description":"The total number of pages that have been decompressed by the VM compressor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"compressed","description":"The total number of pages that have been compressed by the VM compressor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"page_ins","description":"The total number of requests for pages from a pager.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"page_outs","description":"Total number of pages paged out.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_ins","description":"The total number of compressed pages that have been swapped out to disk.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_outs","description":"The total number of compressed pages that have been swapped back in from disk.","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"wifi_networks","description":"OS X known/remembered Wi-Fi networks list.","platforms":["darwin"],"columns":[{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","hidden":false,"required":false,"index":false},{"name":"last_connected","description":"Last time this netword was connected to as a unix_time","type":"integer","hidden":false,"required":false,"index":false},{"name":"passpoint","description":"1 if Passpoint is supported, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"possibly_hidden","description":"1 if network is possibly a hidden network, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"roaming","description":"1 if roaming is supported, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"roaming_profile","description":"Describe the roaming profile, usually one of Single, Dual or Multi","type":"text","hidden":false,"required":false,"index":false},{"name":"captive_portal","description":"1 if this network has a captive portal, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"auto_login","description":"1 if auto login is enabled, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"temporarily_disabled","description":"1 if this network is temporarily disabled, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 if this network is disabled, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"wifi_status","description":"OS X current WiFi status.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name of the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication (dbm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement (dBm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","hidden":false,"required":false,"index":false},{"name":"transmit_rate","description":"The current transmit rate","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"The current operating mode for the Wi-Fi interface","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wifi_survey","description":"Scan for nearby WiFi networks.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name of the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication (dbm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement (dBm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"winbaseobj","description":"Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.","platforms":["windows"],"columns":[{"name":"session_id","description":"Terminal Services Session Id","type":"integer","hidden":false,"required":false,"index":false},{"name":"object_name","description":"Object Name","type":"text","hidden":false,"required":false,"index":false},{"name":"object_type","description":"Object Type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_crashes","description":"Extracted information from Windows crash logs (Minidumps).","platforms":["windows"],"columns":[{"name":"datetime","description":"Timestamp (log format) of the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"module","description":"Path of the crashed module within the process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the executable file for the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID of the crashed thread","type":"bigint","hidden":false,"required":false,"index":false},{"name":"version","description":"File version info of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"process_uptime","description":"Uptime of the process in seconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Multiple stack frames from the stack trace","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_code","description":"The Windows exception code","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_message","description":"The NTSTATUS error message associated with the exception code","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_address","description":"Address (in hex) where the exception occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"The values of the system registers","type":"text","hidden":false,"required":false,"index":false},{"name":"command_line","description":"Command-line string passed to the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"current_directory","description":"Current working directory of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Username of the user who ran the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"machine_name","description":"Name of the machine where the crash happened","type":"text","hidden":false,"required":false,"index":false},{"name":"major_version","description":"Windows major version of the machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"minor_version","description":"Windows minor version of the machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"build_number","description":"Windows build number of the crashing machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of crash log","type":"text","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Path of the log file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_eventlog","description":"Table for querying all recorded Windows event logs.","platforms":["windows"],"columns":[{"name":"channel","description":"Source or channel of the event","type":"text","hidden":false,"required":true,"index":false},{"name":"datetime","description":"System time at which the event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"level","description":"Severity level associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID which emitted the event record","type":"integer","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID which emitted the event record","type":"integer","hidden":false,"required":false,"index":false},{"name":"time_range","description":"System time to selectively filter the events","type":"text","hidden":true,"required":false,"index":false},{"name":"timestamp","description":"Timestamp to selectively filter the events","type":"text","hidden":true,"required":false,"index":false},{"name":"xpath","description":"The custom query to filter events","type":"text","hidden":true,"required":true,"index":false}]},{"name":"windows_events","description":"Windows Event logs.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was received","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source or channel of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"level","description":"The severity level associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"windows_optional_features","description":"Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the feature","type":"text","hidden":false,"required":false,"index":false},{"name":"caption","description":"Caption of feature in settings UI","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Installation state value. 1 == Enabled, 2 == Disabled, 3 == Absent","type":"integer","hidden":false,"required":false,"index":false},{"name":"statename","description":"Installation state name. 'Enabled','Disabled','Absent'","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_security_center","description":"The health status of Window Security features. Health values can be \"Good\", \"Poor\". \"Snoozed\", \"Not Monitored\", and \"Error\".","platforms":["windows"],"columns":[{"name":"firewall","description":"The health of the monitored Firewall (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"The health of the Windows Autoupdate feature","type":"text","hidden":false,"required":false,"index":false},{"name":"antivirus","description":"The health of the monitored Antivirus solution (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"antispyware","description":"The health of the monitored Antispyware solution (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"internet_settings","description":"The health of the Internet Settings","type":"text","hidden":false,"required":false,"index":false},{"name":"windows_security_center_service","description":"The health of the Windows Security Center Service","type":"text","hidden":false,"required":false,"index":false},{"name":"user_account_control","description":"The health of the User Account Control (UAC) capability in Windows","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_security_products","description":"Enumeration of registered Windows security products.","platforms":["windows"],"columns":[{"name":"type","description":"Type of security product","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of product","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"State of protection","type":"text","hidden":false,"required":false,"index":false},{"name":"state_timestamp","description":"Timestamp for the product state","type":"text","hidden":false,"required":false,"index":false},{"name":"remediation_path","description":"Remediation path","type":"text","hidden":false,"required":false,"index":false},{"name":"signatures_up_to_date","description":"1 if product signatures are up to date, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"wmi_bios_info","description":"Lists important information from the system bios.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the Bios setting","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the Bios setting","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_cli_event_consumers","description":"WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique name of a consumer.","type":"text","hidden":false,"required":false,"index":false},{"name":"command_line_template","description":"Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.","type":"text","hidden":false,"required":false,"index":false},{"name":"executable_path","description":"Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_event_filters","description":"Lists WMI event filters.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier of an event filter.","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.","type":"text","hidden":false,"required":false,"index":false},{"name":"query_language","description":"Query language that the query is written in.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_filter_consumer_binding","description":"Lists the relationship between event consumers and filters.","platforms":["windows"],"columns":[{"name":"consumer","description":"Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.","type":"text","hidden":false,"required":false,"index":false},{"name":"filter","description":"Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be received.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_script_event_consumers","description":"WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier for the event consumer. ","type":"text","hidden":false,"required":false,"index":false},{"name":"scripting_engine","description":"Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.","type":"text","hidden":false,"required":false,"index":false},{"name":"script_file_name","description":"Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.","type":"text","hidden":false,"required":false,"index":false},{"name":"script_text","description":"Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"xprotect_entries","description":"Database of the machine's XProtect signatures.","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","hidden":false,"required":false,"index":false},{"name":"launch_type","description":"Launch services content type","type":"text","hidden":false,"required":false,"index":false},{"name":"identity","description":"XProtect identity (SHA1) of content","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Use this file name to match","type":"text","hidden":false,"required":false,"index":false},{"name":"filetype","description":"Use this file type to match","type":"text","hidden":false,"required":false,"index":false},{"name":"optional","description":"Match any of the identities/patterns for this XProtect name","type":"integer","hidden":false,"required":false,"index":false},{"name":"uses_pattern","description":"Uses a match pattern instead of identity","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"xprotect_meta","description":"Database of the machine's XProtect browser-related signatures.","platforms":["darwin"],"columns":[{"name":"identifier","description":"Browser plugin or extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Either plugin or extension","type":"text","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Developer identity (SHA1) of extension","type":"text","hidden":false,"required":false,"index":false},{"name":"min_version","description":"The minimum allowed plugin version.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"xprotect_reports","description":"Database of XProtect matches (if user generated/sent an XProtect report).","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","hidden":false,"required":false,"index":false},{"name":"user_action","description":"Action taken by user after prompted","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Quarantine alert time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"yara","description":"Track YARA matches for files or PIDs.","platforms":["darwin","linux","windows"],"columns":[{"name":"path","description":"The path scanned","type":"text","hidden":false,"required":true,"index":false},{"name":"matches","description":"List of YARA matches","type":"text","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","hidden":false,"required":false,"index":false},{"name":"sig_group","description":"Signature group used","type":"text","hidden":false,"required":false,"index":false},{"name":"sigfile","description":"Signature file used","type":"text","hidden":false,"required":false,"index":false},{"name":"sigrule","description":"Signature strings used","type":"text","hidden":true,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","hidden":false,"required":false,"index":false},{"name":"sigurl","description":"Signature url","type":"text","hidden":true,"required":false,"index":false}]},{"name":"yara_events","description":"Track YARA matches for files specified in configuration data.","platforms":["darwin","linux","windows"],"columns":[{"name":"target_path","description":"The path scanned","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"matches","description":"List of YARA matches","type":"text","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","hidden":false,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of the scan","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"ycloud_instance_metadata","description":"Yandex.Cloud instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"folder_id","description":"Folder identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"hostname","description":"Hostname of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. Only available if supplied at instance launch time","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_port_enabled","description":"Indicates if serial port is enabled for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"metadata_endpoint","description":"Endpoint used to fetch VM metadata","type":"text","hidden":false,"required":false,"index":false}]},{"name":"yum_sources","description":"Current list of Yum repositories or software channels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Repository name","type":"text","hidden":false,"required":false,"index":false},{"name":"baseurl","description":"Repository base URL","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether the repository is used","type":"text","hidden":false,"required":false,"index":false},{"name":"gpgcheck","description":"Whether packages are GPG checked","type":"text","hidden":false,"required":false,"index":false},{"name":"gpgkey","description":"URL to GPG key","type":"text","hidden":false,"required":false,"index":false}]}] \ No newline at end of file diff --git a/x-pack/plugins/osquery/public/common/schemas/osquery/v5.0.1.json b/x-pack/plugins/osquery/public/common/schemas/osquery/v5.0.1.json new file mode 100644 index 0000000000000..e995062462022 --- /dev/null +++ b/x-pack/plugins/osquery/public/common/schemas/osquery/v5.0.1.json @@ -0,0 +1 @@ +[{"name":"account_policy_data","description":"Additional OS X user account data from the AccountPolicy section of OpenDirectory.","platforms":["darwin"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the account was first created","type":"double","hidden":false,"required":false,"index":false},{"name":"failed_login_count","description":"The number of failed login attempts using an incorrect password. Count resets after a correct password is entered.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"failed_login_timestamp","description":"The time of the last failed login attempt. Resets after a correct password is entered","type":"double","hidden":false,"required":false,"index":false},{"name":"password_last_set_time","description":"The time the password was last changed","type":"double","hidden":false,"required":false,"index":false}]},{"name":"acpi_tables","description":"Firmware ACPI functional table common metadata and content.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"ACPI table name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of compiled table data","type":"integer","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table content","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ad_config","description":"OS X Active Directory configuration.","platforms":["darwin"],"columns":[{"name":"name","description":"The OS X-specific configuration name","type":"text","hidden":false,"required":false,"index":false},{"name":"domain","description":"Active Directory trust domain","type":"text","hidden":false,"required":false,"index":false},{"name":"option","description":"Canonical name of option","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Variable typed option value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"alf","description":"OS X application layer firewall (ALF) service details.","platforms":["darwin"],"columns":[{"name":"allow_signed_enabled","description":"1 If allow signed mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"firewall_unload","description":"1 If firewall unloading enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"global_state","description":"1 If the firewall is enabled with exceptions, 2 if the firewall is configured to block all incoming connections, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_enabled","description":"1 If logging mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_option","description":"Firewall logging option","type":"integer","hidden":false,"required":false,"index":false},{"name":"stealth_enabled","description":"1 If stealth mode is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Application Layer Firewall version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"alf_exceptions","description":"OS X application layer firewall (ALF) service exceptions.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to the executable that is excepted","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Firewall exception state","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"alf_explicit_auths","description":"ALF services explicitly allowed to perform networking.","platforms":["darwin"],"columns":[{"name":"process","description":"Process name explicitly allowed","type":"text","hidden":false,"required":false,"index":false}]},{"name":"app_schemes","description":"OS X application schemes and handlers (e.g., http, file, mailto).","platforms":["darwin"],"columns":[{"name":"scheme","description":"Name of the scheme/protocol","type":"text","hidden":false,"required":false,"index":false},{"name":"handler","description":"Application label for the handler","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if this handler is the OS default, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"external","description":"1 if this handler does NOT exist on OS X by default, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"protected","description":"1 if this handler is protected (reserved) by OS X, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"apparmor_events","description":"Track AppArmor events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Raw audit message","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"apparmor","description":"Apparmor Status like ALLOWED, DENIED etc.","type":"text","hidden":false,"required":false,"index":false},{"name":"operation","description":"Permission requested by the process","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process PID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"profile","description":"Apparmor profile name","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"denied_mask","description":"Denied permissions for the process","type":"text","hidden":false,"required":false,"index":false},{"name":"capname","description":"Capability requested by the process","type":"text","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"ouid","description":"Object owner's user ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"capability","description":"Capability number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"requested_mask","description":"Requested access mask","type":"text","hidden":false,"required":false,"index":false},{"name":"info","description":"Additional information","type":"text","hidden":false,"required":false,"index":false},{"name":"error","description":"Error information","type":"text","hidden":false,"required":false,"index":false},{"name":"namespace","description":"AppArmor namespace","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"AppArmor label","type":"text","hidden":false,"required":false,"index":false}]},{"name":"apparmor_profiles","description":"Track active AppArmor profiles.","platforms":["linux"],"columns":[{"name":"path","description":"Unique, aa-status compatible, policy identifier.","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Policy name.","type":"text","hidden":false,"required":false,"index":false},{"name":"attach","description":"Which executable(s) a profile will attach to.","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"How the policy is applied.","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"A unique hash that identifies this policy.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"appcompat_shims","description":"Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.","platforms":["windows"],"columns":[{"name":"executable","description":"Name of the executable that is being shimmed. This is pulled from the registry.","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to the SDB database.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the SDB.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Install time of the SDB","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the SDB database.","type":"text","hidden":false,"required":false,"index":false},{"name":"sdb_id","description":"Unique GUID of the SDB.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"apps","description":"OS X applications installed in known search paths (e.g., /Applications).","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the Name.app folder","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute and full Name.app path","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_executable","description":"Info properties CFBundleExecutable label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_identifier","description":"Info properties CFBundleIdentifier label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_name","description":"Info properties CFBundleName label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_short_version","description":"Info properties CFBundleShortVersionString label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_version","description":"Info properties CFBundleVersion label","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_package_type","description":"Info properties CFBundlePackageType label","type":"text","hidden":false,"required":false,"index":false},{"name":"environment","description":"Application-set environment variables","type":"text","hidden":false,"required":false,"index":false},{"name":"element","description":"Does the app identify as a background agent","type":"text","hidden":false,"required":false,"index":false},{"name":"compiler","description":"Info properties DTCompiler label","type":"text","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Info properties CFBundleDevelopmentRegion label","type":"text","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Info properties CFBundleDisplayName label","type":"text","hidden":false,"required":false,"index":false},{"name":"info_string","description":"Info properties CFBundleGetInfoString label","type":"text","hidden":false,"required":false,"index":false},{"name":"minimum_system_version","description":"Minimum version of OS X required for the app to run","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The UTI that categorizes the app for the App Store","type":"text","hidden":false,"required":false,"index":false},{"name":"applescript_enabled","description":"Info properties NSAppleScriptEnabled label","type":"text","hidden":false,"required":false,"index":false},{"name":"copyright","description":"Info properties NSHumanReadableCopyright label","type":"text","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"The time that the app was last used","type":"double","hidden":false,"required":false,"index":false}]},{"name":"apt_sources","description":"Current list of APT repositories or software channels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Repository name","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source file","type":"text","hidden":false,"required":false,"index":false},{"name":"base_uri","description":"Repository base URI","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"Release name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Repository source version","type":"text","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Repository maintainer","type":"text","hidden":false,"required":false,"index":false},{"name":"components","description":"Repository components","type":"text","hidden":false,"required":false,"index":false},{"name":"architectures","description":"Repository architectures","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"arp_cache","description":"Address resolution cache, both static and dynamic (from ARP, NDP).","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"address","description":"IPv4 address target","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address of broadcasted address","type":"text","hidden":false,"required":false,"index":false},{"name":"interface","description":"Interface of the network for the MAC","type":"text","hidden":false,"required":false,"index":false},{"name":"permanent","description":"1 for true, 0 for false","type":"text","hidden":false,"required":false,"index":false}]},{"name":"asl","description":"Queries the Apple System Log data structure for system events.","platforms":["darwin"],"columns":[{"name":"time","description":"Unix timestamp. Set automatically","type":"integer","hidden":false,"required":false,"index":false},{"name":"time_nano_sec","description":"Nanosecond time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"host","description":"Sender's address (set by the server).","type":"text","hidden":false,"required":false,"index":false},{"name":"sender","description":"Sender's identification string. Default is process name.","type":"text","hidden":false,"required":false,"index":false},{"name":"facility","description":"Sender's facility. Default is 'user'.","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Sending process ID encoded as a string. Set automatically.","type":"integer","hidden":false,"required":false,"index":false},{"name":"gid","description":"GID that sent the log message (set by the server).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"UID that sent the log message (set by the server).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"level","description":"Log level number. See levels in asl.h.","type":"integer","hidden":false,"required":false,"index":false},{"name":"message","description":"Message text.","type":"text","hidden":false,"required":false,"index":false},{"name":"ref_pid","description":"Reference PID for messages proxied by launchd","type":"integer","hidden":false,"required":false,"index":false},{"name":"ref_proc","description":"Reference process for messages proxied by launchd","type":"text","hidden":false,"required":false,"index":false},{"name":"extra","description":"Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"atom_packages","description":"Lists all atom packages in a directory or globally installed in a system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Package supplied description","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Package's package.json path","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License for package","type":"text","hidden":false,"required":false,"index":false},{"name":"homepage","description":"Package supplied homepage","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the plugin","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"augeas","description":"Configuration files parsed by augeas.","platforms":["darwin","linux"],"columns":[{"name":"node","description":"The node path of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The value of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"The label of the configuration item","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path to the configuration file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authenticode","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["windows"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"original_program_name","description":"The original program name that the publisher has signed","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_name","description":"The certificate issuer name","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_name","description":"The certificate subject name","type":"text","hidden":false,"required":false,"index":false},{"name":"result","description":"The signature check result","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorization_mechanisms","description":"OS X Authorization mechanisms database.","platforms":["darwin"],"columns":[{"name":"label","description":"Label of the authorization right","type":"text","hidden":false,"required":false,"index":false},{"name":"plugin","description":"Authorization plugin name","type":"text","hidden":false,"required":false,"index":false},{"name":"mechanism","description":"Name of the mechanism that will be called","type":"text","hidden":false,"required":false,"index":false},{"name":"privileged","description":"If privileged it will run as root, else as an anonymous user","type":"text","hidden":false,"required":false,"index":false},{"name":"entry","description":"The whole string entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorizations","description":"OS X Authorization rights database.","platforms":["darwin"],"columns":[{"name":"label","description":"Item name, usually in reverse domain format","type":"text","hidden":false,"required":false,"index":false},{"name":"modified","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"allow_root","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"timeout","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"tries","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"authenticate_user","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"shared","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"session_owner","description":"Label top-level key","type":"text","hidden":false,"required":false,"index":false}]},{"name":"authorized_keys","description":"A line-delimited authorized_keys table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local owner of authorized_keys file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"algorithm","description":"algorithm of key","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"parsed authorized keys line","type":"text","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to the authorized_keys file","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"autoexec","description":"Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the executable","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the program","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source table of the autoexec item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_metadata","description":"Azure instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"location","description":"Azure Region the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"offer","description":"Offer information for the VM image (Azure image gallery VMs only)","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Publisher of the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"sku","description":"SKU for the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the VM image","type":"text","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Linux or Windows","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_update_domain","description":"Update domain the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_fault_domain","description":"Fault domain the VM is running in","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_size","description":"VM size","type":"text","hidden":false,"required":false,"index":false},{"name":"subscription_id","description":"Azure subscription for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"resource_group_name","description":"Resource group for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"placement_group_id","description":"Placement group for the VM scale set","type":"text","hidden":false,"required":false,"index":false},{"name":"vm_scale_set_name","description":"VM scale set name","type":"text","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","hidden":false,"required":false,"index":false}]},{"name":"azure_instance_tags","description":"Azure instance tags.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"vm_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"The tag key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The tag value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"background_activities_moderator","description":"Background Activities Moderator (BAM) tracks application execution.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"battery","description":"Provides information about the internal battery of a Macbook.","platforms":["darwin"],"columns":[{"name":"manufacturer","description":"The battery manufacturer's name","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacture_date","description":"The date the battery was manufactured UNIX Epoch","type":"integer","hidden":false,"required":false,"index":false},{"name":"model","description":"The battery's model number","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"The battery's unique serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"cycle_count","description":"The number of charge/discharge cycles","type":"integer","hidden":false,"required":false,"index":false},{"name":"health","description":"One of the following: \"Good\" describes a well-performing battery, \"Fair\" describes a functional battery with limited capacity, or \"Poor\" describes a battery that's not capable of providing power","type":"text","hidden":false,"required":false,"index":false},{"name":"condition","description":"One of the following: \"Normal\" indicates the condition of the battery is within normal tolerances, \"Service Needed\" indicates that the battery should be checked out by a licensed Mac repair service, \"Permanent Failure\" indicates the battery needs replacement","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"One of the following: \"AC Power\" indicates the battery is connected to an external power source, \"Battery Power\" indicates that the battery is drawing internal power, \"Off Line\" indicates the battery is off-line or no longer connected","type":"text","hidden":false,"required":false,"index":false},{"name":"charging","description":"1 if the battery is currently being charged by a power source. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"charged","description":"1 if the battery is currently completely charged. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"designed_capacity","description":"The battery's designed capacity in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"The battery's actual capacity when it is fully charged in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"current_capacity","description":"The battery's current charged capacity in mAh","type":"integer","hidden":false,"required":false,"index":false},{"name":"percent_remaining","description":"The percentage of battery remaining before it is drained","type":"integer","hidden":false,"required":false,"index":false},{"name":"amperage","description":"The battery's current amperage in mA","type":"integer","hidden":false,"required":false,"index":false},{"name":"voltage","description":"The battery's current voltage in mV","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes_until_empty","description":"The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes_to_full_charge","description":"The number of minutes until the battery is fully charged. This value is -1 if this time is still being calculated","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"bitlocker_info","description":"Retrieve bitlocker status of the machine.","platforms":["windows"],"columns":[{"name":"device_id","description":"ID of the encrypted drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"Drive letter of the encrypted drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"persistent_volume_id","description":"Persistent ID of the drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"conversion_status","description":"The bitlocker conversion status of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"protection_status","description":"The bitlocker protection status of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"encryption_method","description":"The encryption type of the device.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The FVE metadata version of the drive.","type":"integer","hidden":false,"required":false,"index":false},{"name":"percentage_encrypted","description":"The percentage of the drive that is encrypted.","type":"integer","hidden":false,"required":false,"index":false},{"name":"lock_status","description":"The accessibility status of the drive from Windows.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"block_devices","description":"Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Block device name","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Block device parent name","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Block device vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"Block device model string identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Block device size in blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Block device Universally Unique Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Block device type string","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"Block device label string","type":"text","hidden":false,"required":false,"index":false}]},{"name":"bpf_process_events","description":"Track time/action process executions.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be captured","type":"integer","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Binary path","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","hidden":false,"required":false,"index":false},{"name":"json_cmdline","description":"Command line arguments, in JSON format","type":"text","hidden":true,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"bpf_socket_events","description":"Track network socket opens and closes.","platforms":["linux"],"columns":[{"name":"tid","description":"Thread ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cid","description":"Cgroup ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"probe_error","description":"Set to 1 if one or more buffers could not be captured","type":"integer","hidden":false,"required":false,"index":false},{"name":"syscall","description":"System call name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"The socket type","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"duration","description":"How much time was spent inside the syscall (nsecs)","type":"integer","hidden":false,"required":false,"index":false},{"name":"ntime","description":"The nsecs uptime timestamp as obtained from BPF","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":true,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"browser_plugins","description":"All C/NPAPI browser plugin details for all users.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the plugin","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Plugin display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Plugin identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Plugin short version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Build SDK used to compile plugin","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Plugin description text","type":"text","hidden":false,"required":false,"index":false},{"name":"development_region","description":"Plugin language-localization","type":"text","hidden":false,"required":false,"index":false},{"name":"native","description":"Plugin requires native execution","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"disabled","description":"Is the plugin disabled. 1 = Disabled","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"carbon_black_info","description":"Returns info about a Carbon Black sensor install.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"sensor_id","description":"Sensor ID of the Carbon Black sensor","type":"integer","hidden":false,"required":false,"index":false},{"name":"config_name","description":"Sensor group","type":"text","hidden":false,"required":false,"index":false},{"name":"collect_store_files","description":"If the sensor is configured to send back binaries to the Carbon Black server","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_module_loads","description":"If the sensor is configured to capture module loads","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_module_info","description":"If the sensor is configured to collect metadata of binaries","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_file_mods","description":"If the sensor is configured to collect file modification events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_reg_mods","description":"If the sensor is configured to collect registry modification events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_net_conns","description":"If the sensor is configured to collect network connections","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_processes","description":"If the sensor is configured to process events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_cross_processes","description":"If the sensor is configured to cross process events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_emet_events","description":"If the sensor is configured to EMET events","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_data_file_writes","description":"If the sensor is configured to collect non binary file writes","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_process_user_context","description":"If the sensor is configured to collect the user running a process","type":"integer","hidden":false,"required":false,"index":false},{"name":"collect_sensor_operations","description":"Unknown","type":"integer","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_mb","description":"Event file disk quota in MB","type":"integer","hidden":false,"required":false,"index":false},{"name":"log_file_disk_quota_percentage","description":"Event file disk quota in a percentage","type":"integer","hidden":false,"required":false,"index":false},{"name":"protection_disabled","description":"If the sensor is configured to report tamper events","type":"integer","hidden":false,"required":false,"index":false},{"name":"sensor_ip_addr","description":"IP address of the sensor","type":"text","hidden":false,"required":false,"index":false},{"name":"sensor_backend_server","description":"Carbon Black server","type":"text","hidden":false,"required":false,"index":false},{"name":"event_queue","description":"Size in bytes of Carbon Black event files on disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"binary_queue","description":"Size in bytes of binaries waiting to be sent to Carbon Black server","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"carves","description":"List the set of completed and in-progress carves. If carve=1 then the query is treated as a new carve request.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"time","description":"Time at which the carve was kicked off","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha256","description":"A SHA256 sum of the carved archive","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the carved archive","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the requested carve","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED","type":"text","hidden":false,"required":false,"index":false},{"name":"carve_guid","description":"Identifying value of the carve session","type":"text","hidden":false,"required":false,"index":false},{"name":"request_id","description":"Identifying value of the carve request (e.g., scheduled query name, distributed request, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"carve","description":"Set this value to '1' to start a file carve","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"certificates","description":"Certificate Authorities installed in Keychains/ca-bundles.","platforms":["darwin","windows"],"columns":[{"name":"common_name","description":"Certificate CommonName","type":"text","hidden":false,"required":false,"index":false},{"name":"subject","description":"Certificate distinguished name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer","description":"Certificate issuer distinguished name","type":"text","hidden":false,"required":false,"index":false},{"name":"ca","description":"1 if CA: true (certificate is an authority) else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"self_signed","description":"1 if self-signed, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"not_valid_before","description":"Lower bound of valid date","type":"text","hidden":false,"required":false,"index":false},{"name":"not_valid_after","description":"Certificate expiration data","type":"text","hidden":false,"required":false,"index":false},{"name":"signing_algorithm","description":"Signing algorithm used","type":"text","hidden":false,"required":false,"index":false},{"name":"key_algorithm","description":"Key algorithm used","type":"text","hidden":false,"required":false,"index":false},{"name":"key_strength","description":"Key size used for RSA/DSA, or curve name","type":"text","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Certificate key usage and extended key usage","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_key_id","description":"SKID an optionally included SHA1","type":"text","hidden":false,"required":false,"index":false},{"name":"authority_key_id","description":"AKID an optionally included SHA1","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the raw certificate contents","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Keychain or PEM bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"Certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"sid","description":"SID","type":"text","hidden":true,"required":false,"index":false},{"name":"store_location","description":"Certificate system store location","type":"text","hidden":true,"required":false,"index":false},{"name":"store","description":"Certificate system store","type":"text","hidden":true,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":true,"required":false,"index":false},{"name":"store_id","description":"Exists for service/user stores. Contains raw store id provided by WinAPI.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"chassis_info","description":"Display information pertaining to the chassis and its security status.","platforms":["windows"],"columns":[{"name":"audible_alarm","description":"If TRUE, the frame is equipped with an audible alarm.","type":"text","hidden":false,"required":false,"index":false},{"name":"breach_description","description":"If provided, gives a more detailed description of a detected security breach.","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_types","description":"A comma-separated list of chassis types, such as Desktop or Laptop.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"An extended description of the chassis if available.","type":"text","hidden":false,"required":false,"index":false},{"name":"lock","description":"If TRUE, the frame is equipped with a lock.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"security_breach","description":"The physical status of the chassis such as Breach Successful, Breach Attempted, etc.","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"smbios_tag","description":"The assigned asset tag number of the chassis.","type":"text","hidden":false,"required":false,"index":false},{"name":"sku","description":"The Stock Keeping Unit number if available.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"If available, gives various operational or nonoperational statuses such as OK, Degraded, and Pred Fail.","type":"text","hidden":false,"required":false,"index":false},{"name":"visible_alarm","description":"If TRUE, the frame is equipped with a visual alarm.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"chocolatey_packages","description":"Chocolatey packages installed in a system.","platforms":["windows"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this package resides","type":"text","hidden":false,"required":false,"index":false}]},{"name":"chrome_extension_content_scripts","description":"Chrome browser extension content scripts.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, brave)","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"script","description":"The content script used by the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"match","description":"The pattern that the script is matched against","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile path","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the Preferences file of the profile","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"chrome_extensions","description":"Chrome-based browser extensions.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"browser_type","description":"The browser type (Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta)","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"profile","description":"The name of the Chrome profile that contains this extension","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The profile path","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced_identifier","description":"Extension identifier, as specified by the preferences file. Empty if the extension is not in the profile.","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier, computed from its manifest. Empty in case of error.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Extension-optional description","type":"text","hidden":false,"required":false,"index":false},{"name":"default_locale","description":"Default locale supported by extension","type":"text","hidden":false,"required":false,"index":false},{"name":"current_locale","description":"Current locale supported by extension","type":"text","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","hidden":false,"required":false,"index":false},{"name":"persistent","description":"1 If extension is persistent across all tabs else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension folder","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"The permissions required by the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions_json","description":"The JSON-encoded permissions required by the extension","type":"text","hidden":true,"required":false,"index":false},{"name":"optional_permissions","description":"The permissions optionally required by the extensions","type":"text","hidden":false,"required":false,"index":false},{"name":"optional_permissions_json","description":"The JSON-encoded permissions optionally required by the extensions","type":"text","hidden":true,"required":false,"index":false},{"name":"manifest_hash","description":"The SHA256 hash of the manifest.json file","type":"text","hidden":false,"required":false,"index":false},{"name":"referenced","description":"1 if this extension is referenced by the Preferences file of the profile","type":"bigint","hidden":false,"required":false,"index":false},{"name":"from_webstore","description":"True if this extension was installed from the web store","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"1 if this extension is enabled","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Extension install time, in its original Webkit format","type":"text","hidden":false,"required":false,"index":false},{"name":"install_timestamp","description":"Extension install time, converted to unix time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"manifest_json","description":"The manifest file of the extension","type":"text","hidden":true,"required":false,"index":false},{"name":"key","description":"The extension key, from the manifest file","type":"text","hidden":true,"required":false,"index":false}]},{"name":"connectivity","description":"Provides the overall system's network state.","platforms":["windows"],"columns":[{"name":"disconnected","description":"True if the all interfaces are not connected to any network","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_no_traffic","description":"True if any interface is connected via IPv4, but has seen no traffic","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_no_traffic","description":"True if any interface is connected via IPv6, but has seen no traffic","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_subnet","description":"True if any interface is connected to the local subnet via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_local_network","description":"True if any interface is connected to a routed network via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_internet","description":"True if any interface is connected to the Internet via IPv4","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_subnet","description":"True if any interface is connected to the local subnet via IPv6","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_local_network","description":"True if any interface is connected to a routed network via IPv6","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_internet","description":"True if any interface is connected to the Internet via IPv6","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"cpu_info","description":"Retrieve cpu hardware info of the machine.","platforms":["windows"],"columns":[{"name":"device_id","description":"The DeviceID of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"processor_type","description":"The processor type, such as Central, Math, or Video.","type":"text","hidden":false,"required":false,"index":false},{"name":"availability","description":"The availability and status of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_status","description":"The current operating status of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"number_of_cores","description":"The number of cores of the CPU.","type":"text","hidden":false,"required":false,"index":false},{"name":"logical_processors","description":"The number of logical processors of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"address_width","description":"The width of the CPU address bus.","type":"text","hidden":false,"required":false,"index":false},{"name":"current_clock_speed","description":"The current frequency of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_clock_speed","description":"The maximum possible frequency of the CPU.","type":"integer","hidden":false,"required":false,"index":false},{"name":"socket_designation","description":"The assigned socket on the board for the given CPU.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"cpu_time","description":"Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.","platforms":["darwin","linux"],"columns":[{"name":"core","description":"Name of the cpu (core)","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"Time spent in user mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"nice","description":"Time spent in user mode with low priority (nice)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system","description":"Time spent in system mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"idle","description":"Time spent in the idle task","type":"bigint","hidden":false,"required":false,"index":false},{"name":"iowait","description":"Time spent waiting for I/O to complete","type":"bigint","hidden":false,"required":false,"index":false},{"name":"irq","description":"Time spent servicing interrupts","type":"bigint","hidden":false,"required":false,"index":false},{"name":"softirq","description":"Time spent servicing softirqs","type":"bigint","hidden":false,"required":false,"index":false},{"name":"steal","description":"Time spent in other operating systems when running in a virtualized environment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"guest","description":"Time spent running a virtual CPU for a guest OS under the control of the Linux kernel","type":"bigint","hidden":false,"required":false,"index":false},{"name":"guest_nice","description":"Time spent running a niced guest ","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"cpuid","description":"Useful CPU features from the cpuid ASM call.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"feature","description":"Present feature flags","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Bit value or string","type":"text","hidden":false,"required":false,"index":false},{"name":"output_register","description":"Register used to for feature value","type":"text","hidden":false,"required":false,"index":false},{"name":"output_bit","description":"Bit in register value for feature value","type":"integer","hidden":false,"required":false,"index":false},{"name":"input_eax","description":"Value of EAX used","type":"text","hidden":false,"required":false,"index":false}]},{"name":"crashes","description":"Application, System, and Mobile App crash logs.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of crash log","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Location of log file","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Identifier of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version info of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent PID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"responsible","description":"Process responsible for the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the crashed process","type":"integer","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Date/Time at which the crash occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"crashed_thread","description":"Thread ID which crashed","type":"bigint","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Most recent frame from the stack trace","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_type","description":"Exception type of the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_codes","description":"Exception codes from the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_notes","description":"Exception notes from the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"The value of the system registers","type":"text","hidden":false,"required":false,"index":false}]},{"name":"crontab","description":"Line parsed values from system and user cron/tab.","platforms":["darwin","linux"],"columns":[{"name":"event","description":"The job @event name (rare)","type":"text","hidden":false,"required":false,"index":false},{"name":"minute","description":"The exact minute for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"hour","description":"The hour of the day for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"day_of_month","description":"The day of the month for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"month","description":"The month of the year for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"day_of_week","description":"The day of the week for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"command","description":"Raw command string","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File parsed","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"cups_destinations","description":"Returns all configured printers.","platforms":["darwin"],"columns":[{"name":"name","description":"Name of the printer","type":"text","hidden":false,"required":false,"index":false},{"name":"option_name","description":"Option name","type":"text","hidden":false,"required":false,"index":false},{"name":"option_value","description":"Option value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"cups_jobs","description":"Returns all completed print jobs from cups.","platforms":["darwin"],"columns":[{"name":"title","description":"Title of the printed job","type":"text","hidden":false,"required":false,"index":false},{"name":"destination","description":"The printer the job was sent to","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"The user who printed the job","type":"text","hidden":false,"required":false,"index":false},{"name":"format","description":"The format of the print job","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the print job","type":"integer","hidden":false,"required":false,"index":false},{"name":"completed_time","description":"When the job completed printing","type":"integer","hidden":false,"required":false,"index":false},{"name":"processing_time","description":"How long the job took to process","type":"integer","hidden":false,"required":false,"index":false},{"name":"creation_time","description":"When the print request was initiated","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"curl","description":"Perform an http request and return stats about it.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"url","description":"The url for the request","type":"text","hidden":false,"required":true,"index":false},{"name":"method","description":"The HTTP method for the request","type":"text","hidden":false,"required":false,"index":false},{"name":"user_agent","description":"The user-agent string to use for the request","type":"text","hidden":false,"required":false,"index":false},{"name":"response_code","description":"The HTTP status code for the response","type":"integer","hidden":false,"required":false,"index":false},{"name":"round_trip_time","description":"Time taken to complete the request","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of bytes in the response","type":"bigint","hidden":false,"required":false,"index":false},{"name":"result","description":"The HTTP response body","type":"text","hidden":false,"required":false,"index":false}]},{"name":"curl_certificate","description":"Inspect TLS certificates by connecting to input hostnames.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"hostname","description":"Hostname (domain[:port]) to CURL","type":"text","hidden":false,"required":true,"index":false},{"name":"common_name","description":"Common name of company issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"organization","description":"Organization issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"organization_unit","description":"Organization unit issued to","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Certificate serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_common_name","description":"Issuer common name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_organization","description":"Issuer organization","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_organization_unit","description":"Issuer organization unit","type":"text","hidden":false,"required":false,"index":false},{"name":"valid_from","description":"Period of validity start date","type":"text","hidden":false,"required":false,"index":false},{"name":"valid_to","description":"Period of validity end date","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256_fingerprint","description":"SHA-256 fingerprint","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1_fingerprint","description":"SHA1 fingerprint","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version Number","type":"integer","hidden":false,"required":false,"index":false},{"name":"signature_algorithm","description":"Signature Algorithm","type":"text","hidden":false,"required":false,"index":false},{"name":"signature","description":"Signature","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_key_identifier","description":"Subject Key Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"authority_key_identifier","description":"Authority Key Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"key_usage","description":"Usage of key in certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"extended_key_usage","description":"Extended usage of key in certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"policies","description":"Certificate Policies","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_alternative_names","description":"Subject Alternative Name","type":"text","hidden":false,"required":false,"index":false},{"name":"issuer_alternative_names","description":"Issuer Alternative Name","type":"text","hidden":false,"required":false,"index":false},{"name":"info_access","description":"Authority Information Access","type":"text","hidden":false,"required":false,"index":false},{"name":"subject_info_access","description":"Subject Information Access","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_mappings","description":"Policy Mappings","type":"text","hidden":false,"required":false,"index":false},{"name":"has_expired","description":"1 if the certificate has expired, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"basic_constraint","description":"Basic Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"name_constraints","description":"Name Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"policy_constraints","description":"Policy Constraints","type":"text","hidden":false,"required":false,"index":false},{"name":"dump_certificate","description":"Set this value to '1' to dump certificate","type":"integer","hidden":true,"required":false,"index":false},{"name":"timeout","description":"Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout)","type":"integer","hidden":true,"required":false,"index":false},{"name":"pem","description":"Certificate PEM format","type":"text","hidden":false,"required":false,"index":false}]},{"name":"deb_packages","description":"The installed DEB package database.","platforms":["linux"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Package source","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Package architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"Package revision","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Package status","type":"text","hidden":false,"required":false,"index":false},{"name":"maintainer","description":"Package maintainer","type":"text","hidden":false,"required":false,"index":false},{"name":"section","description":"Package section","type":"text","hidden":false,"required":false,"index":false},{"name":"priority","description":"Package priority","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"default_environment","description":"Default environment variables and values.","platforms":["windows"],"columns":[{"name":"variable","description":"Name of the environment variable","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the environment variable","type":"text","hidden":false,"required":false,"index":false},{"name":"expand","description":"1 if the variable needs expanding, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"device_file","description":"Similar to the file table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number","type":"text","hidden":false,"required":true,"index":false},{"name":"path","description":"A logical path within the device node","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Creation time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_firmware","description":"A best-effort list of discovered firmware versions.","platforms":["darwin"],"columns":[{"name":"type","description":"Type of device","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"The device name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Firmware version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_hash","description":"Similar to the hash table, but use TSK and allow block address access.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number","type":"text","hidden":false,"required":true,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided inode data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"device_partitions","description":"Use TSK to enumerate details about partitions on a disk device.","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Absolute file path to device node","type":"text","hidden":false,"required":true,"index":false},{"name":"partition","description":"A partition number or description","type":"integer","hidden":false,"required":false,"index":false},{"name":"label","description":"","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Byte size of each block","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Number of blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Number of meta nodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"disk_encryption","description":"Disk encryption status and information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Disk name","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Disk Universally Unique Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"encrypted","description":"1 If encrypted: true (disk is encrypted), else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Description of cipher type and mode if available","type":"text","hidden":false,"required":false,"index":false},{"name":"encryption_status","description":"Disk encryption status with one of following values: encrypted | not encrypted | undefined","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Currently authenticated user if available","type":"text","hidden":false,"required":false,"index":false},{"name":"user_uuid","description":"UUID of authenticated user if available","type":"text","hidden":false,"required":false,"index":false},{"name":"filevault_status","description":"FileVault status with one of following values: on | off | unknown","type":"text","hidden":false,"required":false,"index":false}]},{"name":"disk_events","description":"Track DMG disk image events (appearance/disappearance) when opened.","platforms":["darwin"],"columns":[{"name":"action","description":"Appear or disappear","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the DMG file accessed","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Disk event name","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Disk event BSD name","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"UUID of the volume inside DMG if available","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of partition in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ejectable","description":"1 if ejectable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"mountable","description":"1 if mountable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"writable","description":"1 if writable, 0 if not","type":"integer","hidden":false,"required":false,"index":false},{"name":"content","description":"Disk event content","type":"text","hidden":false,"required":false,"index":false},{"name":"media_name","description":"Disk event media name string","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Disk event vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"filesystem","description":"Filesystem if available","type":"text","hidden":false,"required":false,"index":false},{"name":"checksum","description":"UDIF Master checksum if available (CRC32)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of appearance/disappearance in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"disk_info","description":"Retrieve basic information about the physical disks of a system.","platforms":["windows"],"columns":[{"name":"partitions","description":"Number of detected partitions on disk.","type":"integer","hidden":false,"required":false,"index":false},{"name":"disk_index","description":"Physical drive number of the disk.","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"The interface type of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"The unique identifier of the drive on the system.","type":"text","hidden":false,"required":false,"index":false},{"name":"pnp_device_id","description":"The unique identifier of the drive on the system.","type":"text","hidden":false,"required":false,"index":false},{"name":"disk_size","description":"Size of the disk.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hard drive model.","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"The label of the disk object.","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"The serial number of the disk.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The OS's description of the disk.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"dns_cache","description":"Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.","platforms":["windows"],"columns":[{"name":"name","description":"DNS record name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"DNS record type","type":"text","hidden":false,"required":false,"index":false},{"name":"flags","description":"DNS record flags","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"dns_resolvers","description":"Resolvers used by this host.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Address type index or order","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Address type: sortlist, nameserver, search","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Resolver IP/IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Address (sortlist) netmask length","type":"text","hidden":false,"required":false,"index":false},{"name":"options","description":"Resolver options","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"docker_container_fs_changes","description":"Changes to files or directories on container's filesystem.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"path","description":"FIle or directory path relative to rootfs","type":"text","hidden":false,"required":false,"index":false},{"name":"change_type","description":"Type of change: C:Modified, A:Added, D:Deleted","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_labels","description":"Docker container labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_mounts","description":"Docker container mounts.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of mount (bind, volume)","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Optional mount name","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source path on host","type":"text","hidden":false,"required":false,"index":false},{"name":"destination","description":"Destination path inside container","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver providing the mount","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"Mount options (rw, ro)","type":"text","hidden":false,"required":false,"index":false},{"name":"rw","description":"1 if read/write. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"propagation","description":"Mount propagation","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_networks","description":"Docker container networks.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Network name","type":"text","hidden":false,"required":false,"index":false},{"name":"network_id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"endpoint_id","description":"Endpoint ID","type":"text","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"ip_address","description":"IP address","type":"text","hidden":false,"required":false,"index":false},{"name":"ip_prefix_len","description":"IP subnet prefix length","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv6_gateway","description":"IPv6 gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_prefix_len","description":"IPv6 subnet prefix length","type":"integer","hidden":false,"required":false,"index":false},{"name":"mac_address","description":"MAC address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_container_ports","description":"Docker container ports.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Protocol (tcp, udp)","type":"text","hidden":false,"required":false,"index":false},{"name":"port","description":"Port inside the container","type":"integer","hidden":false,"required":false,"index":false},{"name":"host_ip","description":"Host IP address on which public port is listening","type":"text","hidden":false,"required":false,"index":false},{"name":"host_port","description":"Host port","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"docker_container_processes","description":"Docker container processes.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start in seconds since boot (non-sleeping)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"User name","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Cumulative CPU time. [DD-]HH:MM:SS format","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu","description":"CPU utilization as percentage","type":"double","hidden":false,"required":false,"index":false},{"name":"mem","description":"Memory utilization as percentage","type":"double","hidden":false,"required":false,"index":false}]},{"name":"docker_container_stats","description":"Docker container statistics. Queries on this table take at least one second.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":true,"index":false},{"name":"name","description":"Container name","type":"text","hidden":false,"required":false,"index":false},{"name":"pids","description":"Number of processes","type":"integer","hidden":false,"required":false,"index":false},{"name":"read","description":"UNIX time when stats were read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"preread","description":"UNIX time when stats were last read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"interval","description":"Difference between read and preread in nano-seconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_read","description":"Total disk read bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_write","description":"Total disk write bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"num_procs","description":"Number of processors","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_total_usage","description":"Total CPU usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_kernelmode_usage","description":"CPU kernel mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_usermode_usage","description":"CPU user mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_cpu_usage","description":"CPU system usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"online_cpus","description":"Online CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"pre_cpu_total_usage","description":"Last read total CPU usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_cpu_kernelmode_usage","description":"Last read CPU kernel mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_cpu_usermode_usage","description":"Last read CPU user mode usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_system_cpu_usage","description":"Last read CPU system usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pre_online_cpus","description":"Last read online CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory_usage","description":"Memory usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_max_usage","description":"Memory maximum usage","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"Memory limit","type":"bigint","hidden":false,"required":false,"index":false},{"name":"network_rx_bytes","description":"Total network bytes read","type":"bigint","hidden":false,"required":false,"index":false},{"name":"network_tx_bytes","description":"Total network bytes transmitted","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"docker_containers","description":"Docker containers information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Container ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Container name","type":"text","hidden":false,"required":false,"index":false},{"name":"image","description":"Docker image (name) used to launch this container","type":"text","hidden":false,"required":false,"index":false},{"name":"image_id","description":"Docker image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"command","description":"Command with arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"state","description":"Container state (created, restarting, running, removing, paused, exited, dead)","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Container status information","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Identifier of the initial process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Container path","type":"text","hidden":false,"required":false,"index":false},{"name":"config_entrypoint","description":"Container entrypoint(s)","type":"text","hidden":false,"required":false,"index":false},{"name":"started_at","description":"Container start time as string","type":"text","hidden":false,"required":false,"index":false},{"name":"finished_at","description":"Container finish time as string","type":"text","hidden":false,"required":false,"index":false},{"name":"privileged","description":"Is the container privileged","type":"integer","hidden":false,"required":false,"index":false},{"name":"security_options","description":"List of container security options","type":"text","hidden":false,"required":false,"index":false},{"name":"env_variables","description":"Container environmental variables","type":"text","hidden":false,"required":false,"index":false},{"name":"readonly_rootfs","description":"Is the root filesystem mounted as read only","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_namespace","description":"cgroup namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"ipc_namespace","description":"IPC namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"mnt_namespace","description":"Mount namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"net_namespace","description":"Network namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"pid_namespace","description":"PID namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"user_namespace","description":"User namespace","type":"text","hidden":true,"required":false,"index":false},{"name":"uts_namespace","description":"UTS namespace","type":"text","hidden":true,"required":false,"index":false}]},{"name":"docker_image_history","description":"Docker image history information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of instruction in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"created_by","description":"Created by instruction","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of tags","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Instruction comment","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_image_labels","description":"Docker image labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_image_layers","description":"Docker image layers information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"layer_id","description":"Layer ID","type":"text","hidden":false,"required":false,"index":false},{"name":"layer_order","description":"Layer Order (1 = base layer)","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"docker_images","description":"Docker images information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size_bytes","description":"Size of image in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"tags","description":"Comma-separated list of repository tags","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_info","description":"Docker system information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Docker system ID","type":"text","hidden":false,"required":false,"index":false},{"name":"containers","description":"Total number of containers","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_running","description":"Number of containers currently running","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_paused","description":"Number of containers in paused state","type":"integer","hidden":false,"required":false,"index":false},{"name":"containers_stopped","description":"Number of containers in stopped state","type":"integer","hidden":false,"required":false,"index":false},{"name":"images","description":"Number of images","type":"integer","hidden":false,"required":false,"index":false},{"name":"storage_driver","description":"Storage driver","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_limit","description":"1 if memory limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"swap_limit","description":"1 if swap limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"kernel_memory","description":"1 if kernel memory limit support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_period","description":"1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_cfs_quota","description":"1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_shares","description":"1 if CPU share weighting support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_set","description":"1 if CPU set selection support is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_forwarding","description":"1 if IPv4 forwarding is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"bridge_nf_iptables","description":"1 if bridge netfilter iptables is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"bridge_nf_ip6tables","description":"1 if bridge netfilter ip6tables is enabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"oom_kill_disable","description":"1 if Out-of-memory kill is disabled. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"logging_driver","description":"Logging driver","type":"text","hidden":false,"required":false,"index":false},{"name":"cgroup_driver","description":"Control groups driver","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"os_type","description":"Operating system type","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"cpus","description":"Number of CPUs","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory","description":"Total memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"http_proxy","description":"HTTP proxy","type":"text","hidden":false,"required":false,"index":false},{"name":"https_proxy","description":"HTTPS proxy","type":"text","hidden":false,"required":false,"index":false},{"name":"no_proxy","description":"Comma-separated list of domain extensions proxy should not be used for","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the docker host","type":"text","hidden":false,"required":false,"index":false},{"name":"server_version","description":"Server version","type":"text","hidden":false,"required":false,"index":false},{"name":"root_dir","description":"Docker root directory","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_network_labels","description":"Docker network labels.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_networks","description":"Docker networks information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Network ID","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Network name","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Network driver","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Time of creation as UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"enable_ipv6","description":"1 if IPv6 is enabled on this network. 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"subnet","description":"Network subnet","type":"text","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Network gateway","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_version","description":"Docker version information.","platforms":["darwin","linux"],"columns":[{"name":"version","description":"Docker version","type":"text","hidden":false,"required":false,"index":false},{"name":"api_version","description":"API version","type":"text","hidden":false,"required":false,"index":false},{"name":"min_api_version","description":"Minimum API version supported","type":"text","hidden":false,"required":false,"index":false},{"name":"git_commit","description":"Docker build git commit","type":"text","hidden":false,"required":false,"index":false},{"name":"go_version","description":"Go version","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"Operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"Hardware architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Build time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_volume_labels","description":"Docker volume labels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Label key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Optional label value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"docker_volumes","description":"Docker volumes information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Volume name","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Volume driver","type":"text","hidden":false,"required":false,"index":false},{"name":"mount_point","description":"Mount point","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Volume type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"drivers","description":"Details for in-use Windows device drivers. This does not display installed but unused drivers.","platforms":["windows"],"columns":[{"name":"device_id","description":"Device ID","type":"text","hidden":false,"required":false,"index":false},{"name":"device_name","description":"Device name","type":"text","hidden":false,"required":false,"index":false},{"name":"image","description":"Path to driver image file","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Driver description","type":"text","hidden":false,"required":false,"index":false},{"name":"service","description":"Driver service name, if one exists","type":"text","hidden":false,"required":false,"index":false},{"name":"service_key","description":"Driver service registry key","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Driver version","type":"text","hidden":false,"required":false,"index":false},{"name":"inf","description":"Associated inf file","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Device/driver class name","type":"text","hidden":false,"required":false,"index":false},{"name":"provider","description":"Driver provider","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Device manufacturer","type":"text","hidden":false,"required":false,"index":false},{"name":"driver_key","description":"Driver key","type":"text","hidden":false,"required":false,"index":false},{"name":"date","description":"Driver date","type":"bigint","hidden":false,"required":false,"index":false},{"name":"signed","description":"Whether the driver is signed or not","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_metadata","description":"EC2 instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"EC2 instance ID","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_type","description":"EC2 instance type","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Hardware architecture of this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"region","description":"AWS region in which this instance launched","type":"text","hidden":false,"required":false,"index":false},{"name":"availability_zone","description":"Availability zone in which this instance launched","type":"text","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Private IPv4 DNS hostname of the first interface of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"local_ipv4","description":"Private IPv4 address of the first interface of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC address for the first network interface of this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"security_groups","description":"Comma separated list of security group names","type":"text","hidden":false,"required":false,"index":false},{"name":"iam_arn","description":"If there is an IAM role associated with the instance, contains instance profile ARN","type":"text","hidden":false,"required":false,"index":false},{"name":"ami_id","description":"AMI ID used to launch this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"reservation_id","description":"ID of the reservation","type":"text","hidden":false,"required":false,"index":false},{"name":"account_id","description":"AWS account ID which owns this EC2 instance","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. Only available if supplied at instance launch time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ec2_instance_tags","description":"EC2 instance tag key value pairs.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"EC2 instance ID","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Tag key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Tag value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"elf_dynamic","description":"ELF dynamic section information.","platforms":["linux"],"columns":[{"name":"tag","description":"Tag ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"Tag value","type":"integer","hidden":false,"required":false,"index":false},{"name":"class","description":"Class (32 or 64)","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_info","description":"ELF file information.","platforms":["linux"],"columns":[{"name":"class","description":"Class type, 32 or 64bit","type":"text","hidden":false,"required":false,"index":false},{"name":"abi","description":"Section type","type":"text","hidden":false,"required":false,"index":false},{"name":"abi_version","description":"Section virtual address in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Offset of section in file","type":"text","hidden":false,"required":false,"index":false},{"name":"machine","description":"Machine type","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Object file version","type":"integer","hidden":false,"required":false,"index":false},{"name":"entry","description":"Entry point address","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"ELF header flags","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_sections","description":"ELF section information.","platforms":["linux"],"columns":[{"name":"name","description":"Section name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Section type","type":"integer","hidden":false,"required":false,"index":false},{"name":"vaddr","description":"Section virtual address in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"offset","description":"Offset of section in file","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of section","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"Section attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"link","description":"Link to other section","type":"text","hidden":false,"required":false,"index":false},{"name":"align","description":"Segment alignment","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_segments","description":"ELF segment information.","platforms":["linux"],"columns":[{"name":"name","description":"Segment type/name","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"Segment offset in file","type":"integer","hidden":false,"required":false,"index":false},{"name":"vaddr","description":"Segment virtual address in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"psize","description":"Size of segment in file","type":"integer","hidden":false,"required":false,"index":false},{"name":"msize","description":"Segment offset in memory","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"Segment attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"align","description":"Segment alignment","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"elf_symbols","description":"ELF symbol list.","platforms":["linux"],"columns":[{"name":"name","description":"Symbol name","type":"text","hidden":false,"required":false,"index":false},{"name":"addr","description":"Symbol address (value)","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of object","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Symbol type","type":"text","hidden":false,"required":false,"index":false},{"name":"binding","description":"Binding type","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"Section table index","type":"integer","hidden":false,"required":false,"index":false},{"name":"table","description":"Table name containing symbol","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to ELF file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"es_process_events","description":"Process execution events from EndpointSecurity.","platforms":["darwin"],"columns":[{"name":"version","description":"Version of EndpointSecurity event","type":"integer","hidden":false,"required":false,"index":false},{"name":"seq_num","description":"Per event sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"global_seq_num","description":"Global sequence number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"original_parent","description":"Original parent process ID in case of reparenting","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline_count","description":"Number of command line arguments","type":"bigint","hidden":false,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by spaces","type":"text","hidden":false,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective User ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective Group ID of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false},{"name":"signing_id","description":"Signature identifier of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"team_id","description":"Team identifier of thd process","type":"text","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Codesigning hash of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_binary","description":"Indicates if the binary is Apple signed binary (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"exit_code","description":"Exit code of a process in case of an exit event","type":"integer","hidden":false,"required":false,"index":false},{"name":"child_pid","description":"Process ID of a child process in case of a fork event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"event_type","description":"Type of EndpointSecurity event","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"etc_hosts","description":"Line-parsed /etc/hosts.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"address","description":"IP address mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"hostnames","description":"Raw hosts mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"etc_protocols","description":"Line-parsed /etc/protocols.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Protocol name","type":"text","hidden":false,"required":false,"index":false},{"name":"number","description":"Protocol number","type":"integer","hidden":false,"required":false,"index":false},{"name":"alias","description":"Protocol alias","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Comment with protocol description","type":"text","hidden":false,"required":false,"index":false}]},{"name":"etc_services","description":"Line-parsed /etc/services.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Service name","type":"text","hidden":false,"required":false,"index":false},{"name":"port","description":"Service port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"text","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Optional space separated list of other names for a service","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional comment for a service.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"event_taps","description":"Returns information about installed event taps.","platforms":["darwin"],"columns":[{"name":"enabled","description":"Is the Event Tap enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"event_tap_id","description":"Unique ID for the Tap","type":"integer","hidden":false,"required":false,"index":false},{"name":"event_tapped","description":"The mask that identifies the set of events to be observed.","type":"text","hidden":false,"required":false,"index":false},{"name":"process_being_tapped","description":"The process ID of the target application","type":"integer","hidden":false,"required":false,"index":false},{"name":"tapping_process","description":"The process ID of the application that created the event tap.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"example","description":"This is an example table spec.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Description for name column","type":"text","hidden":false,"required":false,"index":false},{"name":"points","description":"This is a signed SQLite int column","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"This is a signed SQLite bigint column","type":"bigint","hidden":false,"required":false,"index":false},{"name":"action","description":"Action performed in generation","type":"text","hidden":false,"required":true,"index":false},{"name":"id","description":"An index of some sort","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of example","type":"text","hidden":false,"required":false,"index":false}]},{"name":"extended_attributes","description":"Returns the extended attributes for files (similar to Windows ADS).","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute file path","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Directory of file(s)","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the value generated from the extended attribute","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"The parsed information from the attribute","type":"text","hidden":false,"required":false,"index":false},{"name":"base64","description":"1 if the value is base64 encoded else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"fan_speed_sensors","description":"Fan speeds.","platforms":["darwin"],"columns":[{"name":"fan","description":"Fan number","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Fan name","type":"text","hidden":false,"required":false,"index":false},{"name":"actual","description":"Actual speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimum speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum speed","type":"integer","hidden":false,"required":false,"index":false},{"name":"target","description":"Target speed","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"fbsd_kmods","description":"Loaded FreeBSD kernel modules.","platforms":["freebsd"],"columns":[{"name":"name","description":"Module name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of module content","type":"integer","hidden":false,"required":false,"index":false},{"name":"refs","description":"Module reverse dependencies","type":"integer","hidden":false,"required":false,"index":false},{"name":"address","description":"Kernel module address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"file","description":"Interactive filesystem attributes and metadata.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"path","description":"Absolute file path","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Directory of file(s)","type":"text","hidden":false,"required":true,"index":false},{"name":"filename","description":"Name portion of file path","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Device ID (optional)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block_size","description":"Block size of filesystem","type":"integer","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"btime","description":"(B)irth or (cr)eate time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hard_links","description":"Number of hard links","type":"integer","hidden":false,"required":false,"index":false},{"name":"symlink","description":"1 if the path is a symlink, otherwise 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"File status","type":"text","hidden":false,"required":false,"index":false},{"name":"attributes","description":"File attrib string. See: https://ss64.com/nt/attrib.html","type":"text","hidden":true,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number","type":"text","hidden":true,"required":false,"index":false},{"name":"file_id","description":"file ID","type":"text","hidden":true,"required":false,"index":false},{"name":"file_version","description":"File version","type":"text","hidden":true,"required":false,"index":false},{"name":"product_version","description":"File product version","type":"text","hidden":true,"required":false,"index":false},{"name":"bsd_flags","description":"The BSD file flags (chflags). Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"file_events","description":"Track time/action changes to files specified in configuration data.","platforms":["darwin","linux"],"columns":[{"name":"target_path","description":"The path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file defined in the config","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inode","description":"Filesystem inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"Owning user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Owning group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Permission bits","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of file in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"Last access time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last status change time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"md5","description":"The MD5 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"The SHA1 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"The SHA256 of the file after change","type":"text","hidden":false,"required":false,"index":false},{"name":"hashed","description":"1 if the file was hashed, 0 if not, -1 if hashing failed","type":"integer","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"firefox_addons","description":"Firefox browser extensions, webapps, and addons.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local user that owns the addon","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Addon display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Addon identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"creator","description":"Addon-supported creator string","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Extension, addon, webapp","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Addon-supplied version string","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Addon-supplied description string","type":"text","hidden":false,"required":false,"index":false},{"name":"source_url","description":"URL that installed the addon","type":"text","hidden":false,"required":false,"index":false},{"name":"visible","description":"1 If the addon is shown in browser else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If the addon is active else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 If the addon is application-disabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"1 If the addon applies background updates else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"native","description":"1 If the addon includes binary components else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"location","description":"Global, profile location","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to plugin bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper","description":"OS X Gatekeeper Details.","platforms":["darwin"],"columns":[{"name":"assessments_enabled","description":"1 If a Gatekeeper is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"dev_id_enabled","description":"1 If a Gatekeeper allows execution from identified developers else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of Gatekeeper's gke.bundle","type":"text","hidden":false,"required":false,"index":false},{"name":"opaque_version","description":"Version of Gatekeeper's gkopaque.bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"gatekeeper_approved_apps","description":"Gatekeeper apps a user has allowed to run.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of executable allowed to run","type":"text","hidden":false,"required":false,"index":false},{"name":"requirement","description":"Code signing requirement language","type":"text","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Last change time","type":"double","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Last modification time","type":"double","hidden":false,"required":false,"index":false}]},{"name":"groups","description":"Local system groups.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"gid","description":"Unsigned int64 group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"A signed int64 version of gid","type":"bigint","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Canonical local group name","type":"text","hidden":false,"required":false,"index":false},{"name":"group_sid","description":"Unique group ID","type":"text","hidden":true,"required":false,"index":false},{"name":"comment","description":"Remarks or comments associated with the group","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"hardware_events","description":"Hardware (PCI/USB/HID) events from UDEV or IOKit.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"Remove, insert, change properties, etc","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Local device path assigned (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of hardware and hardware event","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Driver claiming the device","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Hardware device vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded Hardware vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"Hardware device model","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded Hardware model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"Device serial (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"Device revision (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of hardware event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"hash","description":"Filesystem hash data.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"directory","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"md5","description":"MD5 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"ssdeep","description":"ssdeep hash of provided filesystem data","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"homebrew_packages","description":"The installed homebrew package database.","platforms":["darwin"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Package install path","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Current 'linked' version","type":"text","hidden":false,"required":false,"index":false},{"name":"prefix","description":"Homebrew install prefix","type":"text","hidden":true,"required":false,"index":false}]},{"name":"hvci_status","description":"Retrieve HVCI info of the machine.","platforms":["windows"],"columns":[{"name":"version","description":"The version number of the Device Guard build.","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_identifier","description":"The instance ID of Device Guard.","type":"text","hidden":false,"required":false,"index":false},{"name":"vbs_status","description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false},{"name":"code_integrity_policy_enforcement_status","description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false},{"name":"umci_policy_status","description":"The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ibridge_info","description":"Information about the Apple iBridge hardware controller.","platforms":["darwin"],"columns":[{"name":"boot_uuid","description":"Boot UUID of the iBridge controller","type":"text","hidden":false,"required":false,"index":false},{"name":"coprocessor_version","description":"The manufacturer and chip version","type":"text","hidden":false,"required":false,"index":false},{"name":"firmware_version","description":"The build version of the firmware","type":"text","hidden":false,"required":false,"index":false},{"name":"unique_chip_id","description":"Unique id of the iBridge controller","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ie_extensions","description":"Internet Explorer browser extensions.","platforms":["windows"],"columns":[{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"registry_path","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Version of the executable","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executable","type":"text","hidden":false,"required":false,"index":false}]},{"name":"intel_me_info","description":"Intel ME/CSE Info.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"version","description":"Intel ME version","type":"text","hidden":false,"required":false,"index":false}]},{"name":"interface_addresses","description":"Network interfaces and relevant metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for interface","type":"text","hidden":false,"required":false,"index":false},{"name":"mask","description":"Interface netmask","type":"text","hidden":false,"required":false,"index":false},{"name":"broadcast","description":"Broadcast address for the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"point_to_point","description":"PtP address for the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of address. One of dhcp, manual, auto, other, unknown","type":"text","hidden":false,"required":false,"index":false},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"interface_details","description":"Detailed information and stats of network interfaces.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"mac","description":"MAC of interface (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Interface type (includes virtual)","type":"integer","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Network MTU","type":"integer","hidden":false,"required":false,"index":false},{"name":"metric","description":"Metric based on the speed of the interface","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags (netdevice) for the device","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipackets","description":"Input packets","type":"bigint","hidden":false,"required":false,"index":false},{"name":"opackets","description":"Output packets","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ibytes","description":"Input bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"obytes","description":"Output bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ierrors","description":"Input errors","type":"bigint","hidden":false,"required":false,"index":false},{"name":"oerrors","description":"Output errors","type":"bigint","hidden":false,"required":false,"index":false},{"name":"idrops","description":"Input drops","type":"bigint","hidden":false,"required":false,"index":false},{"name":"odrops","description":"Output drops","type":"bigint","hidden":false,"required":false,"index":false},{"name":"collisions","description":"Packet Collisions detected","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Time of last device modification (optional)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"link_speed","description":"Interface speed in Mb/s","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pci_slot","description":"PCI slot number","type":"text","hidden":true,"required":false,"index":false},{"name":"friendly_name","description":"The friendly display name of the interface.","type":"text","hidden":true,"required":false,"index":false},{"name":"description","description":"Short description of the object a one-line string.","type":"text","hidden":true,"required":false,"index":false},{"name":"manufacturer","description":"Name of the network adapter's manufacturer.","type":"text","hidden":true,"required":false,"index":false},{"name":"connection_id","description":"Name of the network connection as it appears in the Network Connections Control Panel program.","type":"text","hidden":true,"required":false,"index":false},{"name":"connection_status","description":"State of the network adapter connection to the network.","type":"text","hidden":true,"required":false,"index":false},{"name":"enabled","description":"Indicates whether the adapter is enabled or not.","type":"integer","hidden":true,"required":false,"index":false},{"name":"physical_adapter","description":"Indicates whether the adapter is a physical or a logical adapter.","type":"integer","hidden":true,"required":false,"index":false},{"name":"speed","description":"Estimate of the current bandwidth in bits per second.","type":"integer","hidden":true,"required":false,"index":false},{"name":"service","description":"The name of the service the network adapter uses.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_enabled","description":"If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.","type":"integer","hidden":true,"required":false,"index":false},{"name":"dhcp_lease_expires","description":"Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_lease_obtained","description":"Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dhcp_server","description":"IP address of the dynamic host configuration protocol (DHCP) server.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_domain","description":"Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_domain_suffix_search_order","description":"Array of DNS domain suffixes to be appended to the end of host names during name resolution.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_host_name","description":"Host name used to identify the local computer for authentication by some utilities.","type":"text","hidden":true,"required":false,"index":false},{"name":"dns_server_search_order","description":"Array of server IP addresses to be used in querying for DNS servers.","type":"text","hidden":true,"required":false,"index":false}]},{"name":"interface_ipv6","description":"IPv6 configuration and stats of network interfaces.","platforms":["darwin","linux"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"hop_limit","description":"Current Hop Limit","type":"integer","hidden":false,"required":false,"index":false},{"name":"forwarding_enabled","description":"Enable IP forwarding","type":"integer","hidden":false,"required":false,"index":false},{"name":"redirect_accept","description":"Accept ICMP redirect messages","type":"integer","hidden":false,"required":false,"index":false},{"name":"rtadv_accept","description":"Accept ICMP Router Advertisement","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iokit_devicetree","description":"The IOKit registry matching the DeviceTree plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Device node name","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent device registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"device_path","description":"Device tree path","type":"text","hidden":false,"required":false,"index":false},{"name":"service","description":"1 if the device conforms to IOService else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the device is in a busy state else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The device reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"depth","description":"Device nested depth","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iokit_registry","description":"The full IOKit registry without selecting a plane.","platforms":["darwin"],"columns":[{"name":"name","description":"Default name of the node","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"Best matching device class (most-specific category)","type":"text","hidden":false,"required":false,"index":false},{"name":"id","description":"IOKit internal registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Parent registry ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"busy_state","description":"1 if the node is in a busy state else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"retain_count","description":"The node reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"depth","description":"Node nested depth","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"iptables","description":"Linux IP packet filtering and NAT tool.","platforms":["linux"],"columns":[{"name":"filter_name","description":"Packet matching filter table name.","type":"text","hidden":false,"required":false,"index":false},{"name":"chain","description":"Size of module content.","type":"text","hidden":false,"required":false,"index":false},{"name":"policy","description":"Policy that applies for this rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"target","description":"Target that applies for this rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Protocol number identification.","type":"integer","hidden":false,"required":false,"index":false},{"name":"src_port","description":"Protocol source port(s).","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_port","description":"Protocol destination port(s).","type":"text","hidden":false,"required":false,"index":false},{"name":"src_ip","description":"Source IP address.","type":"text","hidden":false,"required":false,"index":false},{"name":"src_mask","description":"Source IP address mask.","type":"text","hidden":false,"required":false,"index":false},{"name":"iniface","description":"Input interface for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"iniface_mask","description":"Input interface mask for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_ip","description":"Destination IP address.","type":"text","hidden":false,"required":false,"index":false},{"name":"dst_mask","description":"Destination IP address mask.","type":"text","hidden":false,"required":false,"index":false},{"name":"outiface","description":"Output interface for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"outiface_mask","description":"Output interface mask for the rule.","type":"text","hidden":false,"required":false,"index":false},{"name":"match","description":"Matching rule that applies.","type":"text","hidden":false,"required":false,"index":false},{"name":"packets","description":"Number of matching packets for this rule.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bytes","description":"Number of matching bytes for this rule.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"kernel_extensions","description":"OS X's kernel extensions, both loaded and within the load search path.","platforms":["darwin"],"columns":[{"name":"idx","description":"Extension load tag or index","type":"integer","hidden":false,"required":false,"index":false},{"name":"refs","description":"Reference count","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Bytes of wired memory used by extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension label","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension version","type":"text","hidden":false,"required":false,"index":false},{"name":"linked_against","description":"Indexes of extensions this extension is linked against","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Optional path to extension bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_info","description":"Basic active kernel information.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"version","description":"Kernel version","type":"text","hidden":false,"required":false,"index":false},{"name":"arguments","description":"Kernel arguments","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Kernel path","type":"text","hidden":false,"required":false,"index":false},{"name":"device","description":"Kernel device identifier","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_modules","description":"Linux kernel modules both loaded and within the load search path.","platforms":["linux"],"columns":[{"name":"name","description":"Module name","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of module content","type":"bigint","hidden":false,"required":false,"index":false},{"name":"used_by","description":"Module reverse dependencies","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Kernel module status","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Kernel module address","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kernel_panics","description":"System kernel panic logs.","platforms":["darwin"],"columns":[{"name":"path","description":"Location of log file","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Formatted time of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"A space delimited line of register:value pairs","type":"text","hidden":false,"required":false,"index":false},{"name":"frame_backtrace","description":"Backtrace of the crashed module","type":"text","hidden":false,"required":false,"index":false},{"name":"module_backtrace","description":"Modules appearing in the crashed module's backtrace","type":"text","hidden":false,"required":false,"index":false},{"name":"dependencies","description":"Module dependencies existing in crashed module's backtrace","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Process name corresponding to crashed thread","type":"text","hidden":false,"required":false,"index":false},{"name":"os_version","description":"Version of the operating system","type":"text","hidden":false,"required":false,"index":false},{"name":"kernel_version","description":"Version of the system kernel","type":"text","hidden":false,"required":false,"index":false},{"name":"system_model","description":"Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)'","type":"text","hidden":false,"required":false,"index":false},{"name":"uptime","description":"System uptime at kernel panic in nanoseconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_loaded","description":"Last loaded module before panic","type":"text","hidden":false,"required":false,"index":false},{"name":"last_unloaded","description":"Last unloaded module before panic","type":"text","hidden":false,"required":false,"index":false}]},{"name":"keychain_acls","description":"Applications that have ACL entries in the keychain.","platforms":["darwin"],"columns":[{"name":"keychain_path","description":"The path of the keychain","type":"text","hidden":false,"required":false,"index":false},{"name":"authorizations","description":"A space delimited set of authorization attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path of the authorized application","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The description included with the ACL entry","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"An optional label tag that may be included with the keychain entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"keychain_items","description":"Generic details about keychain items.","platforms":["darwin"],"columns":[{"name":"label","description":"Generic item name","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional item description","type":"text","hidden":false,"required":false,"index":false},{"name":"comment","description":"Optional keychain comment","type":"text","hidden":false,"required":false,"index":false},{"name":"created","description":"Data item was created","type":"text","hidden":false,"required":false,"index":false},{"name":"modified","description":"Date of last modification","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Keychain item type (class)","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to keychain containing item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"known_hosts","description":"A line-delimited known_hosts table.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"The local user that owns the known_hosts file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"key","description":"parsed authorized keys line","type":"text","hidden":false,"required":false,"index":false},{"name":"key_file","description":"Path to known_hosts file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"kva_speculative_info","description":"Display kernel virtual address and speculative execution information for the system.","platforms":["windows"],"columns":[{"name":"kva_shadow_enabled","description":"Kernel Virtual Address shadowing is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_user_global","description":"User pages are marked as global.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_pcid","description":"Kernel VA PCID flushing optimization is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"kva_shadow_inv_pcid","description":"Kernel VA INVPCID is enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_mitigations","description":"Branch Prediction mitigations are enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_system_pol_disabled","description":"Branch Predictions are disabled via system policy.","type":"integer","hidden":false,"required":false,"index":false},{"name":"bp_microcode_disabled","description":"Branch Predictions are disabled due to lack of microcode update.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_spec_ctrl_supported","description":"SPEC_CTRL MSR supported by CPU Microcode.","type":"integer","hidden":false,"required":false,"index":false},{"name":"ibrs_support_enabled","description":"Windows uses IBRS.","type":"integer","hidden":false,"required":false,"index":false},{"name":"stibp_support_enabled","description":"Windows uses STIBP.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_pred_cmd_supported","description":"PRED_CMD MSR supported by CPU Microcode.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"last","description":"System logins and logouts.","platforms":["darwin","linux"],"columns":[{"name":"username","description":"Entry username","type":"text","hidden":false,"required":false,"index":false},{"name":"tty","description":"Entry terminal","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Entry type, according to ut_type types (utmp.h)","type":"integer","hidden":false,"required":false,"index":false},{"name":"type_name","description":"Entry type name, according to ut_type types (utmp.h)","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp","type":"integer","hidden":false,"required":false,"index":false},{"name":"host","description":"Entry hostname","type":"text","hidden":false,"required":false,"index":false}]},{"name":"launchd","description":"LaunchAgents and LaunchDaemons from default search paths.","platforms":["darwin"],"columns":[{"name":"path","description":"Path to daemon or agent plist","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"File name of plist (used by launchd)","type":"text","hidden":false,"required":false,"index":false},{"name":"label","description":"Daemon or agent service name","type":"text","hidden":false,"required":false,"index":false},{"name":"program","description":"Path to target program","type":"text","hidden":false,"required":false,"index":false},{"name":"run_at_load","description":"Should the program run on launch load","type":"text","hidden":false,"required":false,"index":false},{"name":"keep_alive","description":"Should the process be restarted if killed","type":"text","hidden":false,"required":false,"index":false},{"name":"on_demand","description":"Deprecated key, replaced by keep_alive","type":"text","hidden":false,"required":false,"index":false},{"name":"disabled","description":"Skip loading this daemon or agent on boot","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Run this daemon or agent as this username","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Run this daemon or agent as this group","type":"text","hidden":false,"required":false,"index":false},{"name":"stdout_path","description":"Pipe stdout to a target path","type":"text","hidden":false,"required":false,"index":false},{"name":"stderr_path","description":"Pipe stderr to a target path","type":"text","hidden":false,"required":false,"index":false},{"name":"start_interval","description":"Frequency to run in seconds","type":"text","hidden":false,"required":false,"index":false},{"name":"program_arguments","description":"Command line arguments passed to program","type":"text","hidden":false,"required":false,"index":false},{"name":"watch_paths","description":"Key that launches daemon or agent if path is modified","type":"text","hidden":false,"required":false,"index":false},{"name":"queue_directories","description":"Similar to watch_paths but only with non-empty directories","type":"text","hidden":false,"required":false,"index":false},{"name":"inetd_compatibility","description":"Run this daemon or agent as it was launched from inetd","type":"text","hidden":false,"required":false,"index":false},{"name":"start_on_mount","description":"Run daemon or agent every time a filesystem is mounted","type":"text","hidden":false,"required":false,"index":false},{"name":"root_directory","description":"Key used to specify a directory to chroot to before launch","type":"text","hidden":false,"required":false,"index":false},{"name":"working_directory","description":"Key used to specify a directory to chdir to before launch","type":"text","hidden":false,"required":false,"index":false},{"name":"process_type","description":"Key describes the intended purpose of the job","type":"text","hidden":false,"required":false,"index":false}]},{"name":"launchd_overrides","description":"Override keys, per user, for LaunchDaemons and Agents.","platforms":["darwin"],"columns":[{"name":"label","description":"Daemon or agent service name","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Name of the override key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Overridden value","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID applied to the override, 0 applies to all","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to daemon or agent plist","type":"text","hidden":false,"required":false,"index":false}]},{"name":"listening_ports","description":"Processes with listening (bound) network sockets/ports.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"port","description":"Transport layer port","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"integer","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, IPv6)","type":"integer","hidden":false,"required":false,"index":false},{"name":"address","description":"Specific address for bind","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"Socket file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path for UNIX domain sockets","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","hidden":true,"required":false,"index":false}]},{"name":"lldp_neighbors","description":"LLDP neighbors of interfaces.","platforms":["linux"],"columns":[{"name":"interface","description":"Interface name","type":"text","hidden":false,"required":false,"index":false},{"name":"rid","description":"Neighbor chassis index","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_id_type","description":"Neighbor chassis ID type","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_id","description":"Neighbor chassis ID value","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_sysname","description":"CPU brand string, contains vendor and model","type":"text","hidden":false,"required":false,"index":false},{"name":"chassis_sys_description","description":"Max number of CPU physical cores","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_bridge_capability_available","description":"Chassis bridge capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_bridge_capability_enabled","description":"Is chassis bridge capability enabled.","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_router_capability_available","description":"Chassis router capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_router_capability_enabled","description":"Chassis router capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_repeater_capability_available","description":"Chassis repeater capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_repeater_capability_enabled","description":"Chassis repeater capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_wlan_capability_available","description":"Chassis wlan capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_wlan_capability_enabled","description":"Chassis wlan capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_tel_capability_available","description":"Chassis telephone capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_tel_capability_enabled","description":"Chassis telephone capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_docsis_capability_available","description":"Chassis DOCSIS capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_docsis_capability_enabled","description":"Chassis DOCSIS capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_station_capability_available","description":"Chassis station capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_station_capability_enabled","description":"Chassis station capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_other_capability_available","description":"Chassis other capability availability","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_other_capability_enabled","description":"Chassis other capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"chassis_mgmt_ips","description":"Comma delimited list of chassis management IPS","type":"text","hidden":false,"required":false,"index":false},{"name":"port_id_type","description":"Port ID type","type":"text","hidden":false,"required":false,"index":false},{"name":"port_id","description":"Port ID value","type":"text","hidden":false,"required":false,"index":false},{"name":"port_description","description":"Port description","type":"text","hidden":false,"required":false,"index":false},{"name":"port_ttl","description":"Age of neighbor port","type":"bigint","hidden":false,"required":false,"index":false},{"name":"port_mfs","description":"Port max frame size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"port_aggregation_id","description":"Port aggregation ID","type":"text","hidden":false,"required":false,"index":false},{"name":"port_autoneg_supported","description":"Auto negotiation supported","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_enabled","description":"Is auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_mau_type","description":"MAU type","type":"text","hidden":false,"required":false,"index":false},{"name":"port_autoneg_10baset_hd_enabled","description":"10Base-T HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_10baset_fd_enabled","description":"10Base-T FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100basetx_hd_enabled","description":"100Base-TX HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100basetx_fd_enabled","description":"100Base-TX FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset2_hd_enabled","description":"100Base-T2 HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset2_fd_enabled","description":"100Base-T2 FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset4_hd_enabled","description":"100Base-T4 HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_100baset4_fd_enabled","description":"100Base-T4 FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000basex_hd_enabled","description":"1000Base-X HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000basex_fd_enabled","description":"1000Base-X FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000baset_hd_enabled","description":"1000Base-T HD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"port_autoneg_1000baset_fd_enabled","description":"1000Base-T FD auto negotiation enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_device_type","description":"Dot3 power device type","type":"text","hidden":false,"required":false,"index":false},{"name":"power_mdi_supported","description":"MDI power supported","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_mdi_enabled","description":"Is MDI power enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_paircontrol_enabled","description":"Is power pair control enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_pairs","description":"Dot3 power pairs","type":"text","hidden":false,"required":false,"index":false},{"name":"power_class","description":"Power class","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_enabled","description":"Is 802.3at enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_type","description":"802.3at power type","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_source","description":"802.3at power source","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_priority","description":"802.3at power priority","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_allocated","description":"802.3at power allocated","type":"text","hidden":false,"required":false,"index":false},{"name":"power_8023at_power_requested","description":"802.3at power requested","type":"text","hidden":false,"required":false,"index":false},{"name":"med_device_type","description":"Chassis MED type","type":"text","hidden":false,"required":false,"index":false},{"name":"med_capability_capabilities","description":"Is MED capabilities enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_policy","description":"Is MED policy capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_location","description":"Is MED location capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_mdi_pse","description":"Is MED MDI PSE capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_mdi_pd","description":"Is MED MDI PD capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_capability_inventory","description":"Is MED inventory capability enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"med_policies","description":"Comma delimited list of MED policies","type":"text","hidden":false,"required":false,"index":false},{"name":"vlans","description":"Comma delimited list of vlan ids","type":"text","hidden":false,"required":false,"index":false},{"name":"pvid","description":"Primary VLAN id","type":"text","hidden":false,"required":false,"index":false},{"name":"ppvids_supported","description":"Comma delimited list of supported PPVIDs","type":"text","hidden":false,"required":false,"index":false},{"name":"ppvids_enabled","description":"Comma delimited list of enabled PPVIDs","type":"text","hidden":false,"required":false,"index":false},{"name":"pids","description":"Comma delimited list of PIDs","type":"text","hidden":false,"required":false,"index":false}]},{"name":"load_average","description":"Displays information about the system wide load averages.","platforms":["darwin","linux"],"columns":[{"name":"period","description":"Period over which the average is calculated.","type":"text","hidden":false,"required":false,"index":false},{"name":"average","description":"Load average over the specified period.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"location_services","description":"Reports the status of the Location Services feature of the OS.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 if Location Services are enabled, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"logged_in_users","description":"Users with an active shell on the system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"type","description":"Login type","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"User login name","type":"text","hidden":false,"required":false,"index":false},{"name":"tty","description":"Device name","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"Remote hostname","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time entry was made","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"sid","description":"The user's unique security identifier","type":"text","hidden":true,"required":false,"index":false},{"name":"registry_hive","description":"HKEY_USERS registry hive","type":"text","hidden":true,"required":false,"index":false}]},{"name":"logical_drives","description":"Details for logical drives on the system. A logical drive generally represents a single partition.","platforms":["windows"],"columns":[{"name":"device_id","description":"The drive id, usually the drive name, e.g., 'C:'.","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Deprecated (always 'Unknown').","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"The canonical description of the drive, e.g. 'Logical Fixed Disk', 'CD-ROM Disk'.","type":"text","hidden":false,"required":false,"index":false},{"name":"free_space","description":"The amount of free space, in bytes, of the drive (-1 on failure).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"The total amount of space, in bytes, of the drive (-1 on failure).","type":"bigint","hidden":false,"required":false,"index":false},{"name":"file_system","description":"The file system of the drive.","type":"text","hidden":false,"required":false,"index":false},{"name":"boot_partition","description":"True if Windows booted from this drive.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"logon_sessions","description":"Windows Logon Session.","platforms":["windows"],"columns":[{"name":"logon_id","description":"A locally unique identifier (LUID) that identifies a logon session.","type":"integer","hidden":false,"required":false,"index":false},{"name":"user","description":"The account name of the security principal that owns the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_domain","description":"The name of the domain used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"authentication_package","description":"The authentication package used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_type","description":"The logon method.","type":"text","hidden":false,"required":false,"index":false},{"name":"session_id","description":"The Terminal Services session identifier.","type":"integer","hidden":false,"required":false,"index":false},{"name":"logon_sid","description":"The user's security identifier (SID).","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_time","description":"The time the session owner logged on.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"logon_server","description":"The name of the server used to authenticate the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"dns_domain_name","description":"The DNS name for the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"upn","description":"The user principal name (UPN) for the owner of the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"logon_script","description":"The script used for logging on.","type":"text","hidden":false,"required":false,"index":false},{"name":"profile_path","description":"The home directory for the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"home_directory","description":"The home directory for the logon session.","type":"text","hidden":false,"required":false,"index":false},{"name":"home_directory_drive","description":"The drive location of the home directory of the logon session.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_certificates","description":"LXD certificates information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Name of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"fingerprint","description":"SHA256 hash of the certificate","type":"text","hidden":false,"required":false,"index":false},{"name":"certificate","description":"Certificate content","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster","description":"LXD cluster information.","platforms":["darwin","linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether clustering enabled (1) or not (0) on this node","type":"integer","hidden":false,"required":false,"index":false},{"name":"member_config_entity","description":"Type of configuration parameter for this node","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_name","description":"Name of configuration parameter","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_key","description":"Config key","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_value","description":"Config value","type":"text","hidden":false,"required":false,"index":false},{"name":"member_config_description","description":"Config description","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_cluster_members","description":"LXD cluster members information.","platforms":["darwin","linux"],"columns":[{"name":"server_name","description":"Name of the LXD server node","type":"text","hidden":false,"required":false,"index":false},{"name":"url","description":"URL of the node","type":"text","hidden":false,"required":false,"index":false},{"name":"database","description":"Whether the server is a database node (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"status","description":"Status of the node (Online/Offline)","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the node (Online/Offline)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_images","description":"LXD images information.","platforms":["darwin","linux"],"columns":[{"name":"id","description":"Image ID","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Target architecture for the image","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"OS on which image is based","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"OS release version on which the image is based","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Image description","type":"text","hidden":false,"required":false,"index":false},{"name":"aliases","description":"Comma-separated list of image aliases","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Filename of the image file","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of image in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auto_update","description":"Whether the image auto-updates (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"cached","description":"Whether image is cached (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"public","description":"Whether image is public (1) or not (0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of image creation","type":"text","hidden":false,"required":false,"index":false},{"name":"expires_at","description":"ISO time of image expiration","type":"text","hidden":false,"required":false,"index":false},{"name":"uploaded_at","description":"ISO time of image upload","type":"text","hidden":false,"required":false,"index":false},{"name":"last_used_at","description":"ISO time for the most recent use of this image in terms of container spawn","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_server","description":"Server for image update","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_protocol","description":"Protocol used for image information update and image import from source server","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_certificate","description":"Certificate for update source server","type":"text","hidden":false,"required":false,"index":false},{"name":"update_source_alias","description":"Alias of image at update source server","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_config","description":"LXD instance configuration information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Configuration parameter name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Configuration parameter value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instance_devices","description":"LXD instance devices information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":true,"index":false},{"name":"device","description":"Name of the device","type":"text","hidden":false,"required":false,"index":false},{"name":"device_type","description":"Device type","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Device info param name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Device info param value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"lxd_instances","description":"LXD instances information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Instance name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Instance state (running, stopped, etc.)","type":"text","hidden":false,"required":false,"index":false},{"name":"stateful","description":"Whether the instance is stateful(1) or not(0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"ephemeral","description":"Whether the instance is ephemeral(1) or not(0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"created_at","description":"ISO time of creation","type":"text","hidden":false,"required":false,"index":false},{"name":"base_image","description":"ID of image used to launch this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"architecture","description":"Instance architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"os","description":"The OS of this instance","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Instance description","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Instance's process ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"processes","description":"Number of processes running inside this instance","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"lxd_networks","description":"LXD network information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of network","type":"text","hidden":false,"required":false,"index":false},{"name":"managed","description":"1 if network created by LXD, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"ipv4_address","description":"IPv4 address","type":"text","hidden":false,"required":false,"index":false},{"name":"ipv6_address","description":"IPv6 address","type":"text","hidden":false,"required":false,"index":false},{"name":"used_by","description":"URLs for containers using this network","type":"text","hidden":false,"required":false,"index":false},{"name":"bytes_received","description":"Number of bytes received on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bytes_sent","description":"Number of bytes sent on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"packets_received","description":"Number of packets received on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"packets_sent","description":"Number of packets sent on this network","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hwaddr","description":"Hardware address for this network","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Network status","type":"text","hidden":false,"required":false,"index":false},{"name":"mtu","description":"MTU size","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"lxd_storage_pools","description":"LXD storage pool information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Name of the storage pool","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"Storage driver","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Storage pool source","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of the storage pool","type":"text","hidden":false,"required":false,"index":false},{"name":"space_used","description":"Storage space used in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"space_total","description":"Total available storage space in bytes for this storage pool","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_used","description":"Number of inodes used","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_total","description":"Total number of inodes available in this storage pool","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"magic","description":"Magic number recognition library table.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Absolute path to target file","type":"text","hidden":false,"required":true,"index":false},{"name":"magic_db_files","description":"Colon(:) separated list of files where the magic db file can be found. By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Magic number data from libmagic","type":"text","hidden":false,"required":false,"index":false},{"name":"mime_type","description":"MIME type data from libmagic","type":"text","hidden":false,"required":false,"index":false},{"name":"mime_encoding","description":"MIME encoding data from libmagic","type":"text","hidden":false,"required":false,"index":false}]},{"name":"managed_policies","description":"The managed configuration policies from AD, MDM, MCX, etc.","platforms":["darwin"],"columns":[{"name":"domain","description":"System or manager-chosen domain key","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Optional UUID assigned to policy set","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Policy key name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Policy value","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Policy applies only this user","type":"text","hidden":false,"required":false,"index":false},{"name":"manual","description":"1 if policy was loaded manually, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"md_devices","description":"Software RAID array settings.","platforms":["linux"],"columns":[{"name":"device_name","description":"md device name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Current state of the array","type":"text","hidden":false,"required":false,"index":false},{"name":"raid_level","description":"Current raid level of the array","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"size of the array in blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"chunk_size","description":"chunk size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"raid_disks","description":"Number of configured RAID disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"nr_raid_disks","description":"Number of partitions or disk devices to comprise the array","type":"integer","hidden":false,"required":false,"index":false},{"name":"working_disks","description":"Number of working disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"active_disks","description":"Number of active disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"failed_disks","description":"Number of failed disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"spare_disks","description":"Number of idle disks in array","type":"integer","hidden":false,"required":false,"index":false},{"name":"superblock_state","description":"State of the superblock","type":"text","hidden":false,"required":false,"index":false},{"name":"superblock_version","description":"Version of the superblock","type":"text","hidden":false,"required":false,"index":false},{"name":"superblock_update_time","description":"Unix timestamp of last update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"bitmap_on_mem","description":"Pages allocated in in-memory bitmap, if enabled","type":"text","hidden":false,"required":false,"index":false},{"name":"bitmap_chunk_size","description":"Bitmap chunk size","type":"text","hidden":false,"required":false,"index":false},{"name":"bitmap_external_file","description":"External referenced bitmap file","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_progress","description":"Progress of the recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_finish","description":"Estimated duration of recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"recovery_speed","description":"Speed of recovery activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_progress","description":"Progress of the resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_finish","description":"Estimated duration of resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"resync_speed","description":"Speed of resync activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_progress","description":"Progress of the reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_finish","description":"Estimated duration of reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"reshape_speed","description":"Speed of reshape activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_progress","description":"Progress of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_finish","description":"Estimated duration of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"check_array_speed","description":"Speed of the check array activity","type":"text","hidden":false,"required":false,"index":false},{"name":"unused_devices","description":"Unused devices","type":"text","hidden":false,"required":false,"index":false},{"name":"other","description":"Other information associated with array from /proc/mdstat","type":"text","hidden":false,"required":false,"index":false}]},{"name":"md_drives","description":"Drive devices used for Software RAID.","platforms":["linux"],"columns":[{"name":"md_device_name","description":"md device name","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_name","description":"Drive device name","type":"text","hidden":false,"required":false,"index":false},{"name":"slot","description":"Slot position of disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the drive","type":"text","hidden":false,"required":false,"index":false}]},{"name":"md_personalities","description":"Software RAID setting supported by the kernel.","platforms":["linux"],"columns":[{"name":"name","description":"Name of personality supported by kernel","type":"text","hidden":false,"required":false,"index":false}]},{"name":"mdfind","description":"Run searches against the spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file returned from spotlight","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"The query that was run to find the file","type":"text","hidden":false,"required":true,"index":false}]},{"name":"mdls","description":"Query file metadata in the Spotlight database.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of the file","type":"text","hidden":false,"required":true,"index":false},{"name":"key","description":"Name of the metadata key","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value stored in the metadata key","type":"text","hidden":false,"required":false,"index":false},{"name":"valuetype","description":"CoreFoundation type of data stored in value","type":"text","hidden":true,"required":false,"index":false}]},{"name":"memory_array_mapped_addresses","description":"Data associated for address mapping of physical memory arrays.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_handle","description":"Handle of the memory array associated with this structure","type":"text","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"partition_width","description":"Number of memory devices that form a single row of memory for the address partition of this structure","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_arrays","description":"Data associated with collection of memory devices that operate to form a memory address.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the array","type":"text","hidden":false,"required":false,"index":false},{"name":"location","description":"Physical location of the memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"use","description":"Function for which the array is used","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_error_correction","description":"Primary hardware error correction or detection method supported","type":"text","hidden":false,"required":false,"index":false},{"name":"max_capacity","description":"Maximum capacity of array in gigabytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"memory_error_info_handle","description":"Handle, or instance number, associated with any error that was detected for the array","type":"text","hidden":false,"required":false,"index":false},{"name":"number_memory_devices","description":"Number of memory devices on array","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_device_mapped_addresses","description":"Data associated for address mapping of physical memory devices.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_device_handle","description":"Handle of the memory device structure associated with this structure","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_mapped_address_handle","description":"Handle of the memory array mapped address to which this device range is mapped to","type":"text","hidden":false,"required":false,"index":false},{"name":"starting_address","description":"Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"ending_address","description":"Physical ending address of last kilobyte of a range of memory mapped to physical memory array","type":"text","hidden":false,"required":false,"index":false},{"name":"partition_row_position","description":"Identifies the position of the referenced memory device in a row of the address partition","type":"integer","hidden":false,"required":false,"index":false},{"name":"interleave_position","description":"The position of the device in a interleave, i.e. 0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc.","type":"integer","hidden":false,"required":false,"index":false},{"name":"interleave_data_depth","description":"The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_devices","description":"Physical memory device (type 17) information retrieved from SMBIOS.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure in SMBIOS","type":"text","hidden":false,"required":false,"index":false},{"name":"array_handle","description":"The memory array that the device is attached to","type":"text","hidden":false,"required":false,"index":false},{"name":"form_factor","description":"Implementation form factor for this memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"total_width","description":"Total width, in bits, of this memory device, including any check or error-correction bits","type":"integer","hidden":false,"required":false,"index":false},{"name":"data_width","description":"Data width, in bits, of this memory device","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Size of memory device in Megabyte","type":"integer","hidden":false,"required":false,"index":false},{"name":"set","description":"Identifies if memory device is one of a set of devices. A value of 0 indicates no set affiliation.","type":"integer","hidden":false,"required":false,"index":false},{"name":"device_locator","description":"String number of the string that identifies the physically-labeled socket or board position where the memory device is located","type":"text","hidden":false,"required":false,"index":false},{"name":"bank_locator","description":"String number of the string that identifies the physically-labeled bank where the memory device is located","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_type","description":"Type of memory used","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_type_details","description":"Additional details for memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"max_speed","description":"Max speed of memory device in megatransfers per second (MT/s)","type":"integer","hidden":false,"required":false,"index":false},{"name":"configured_clock_speed","description":"Configured speed of memory device in megatransfers per second (MT/s)","type":"integer","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"Manufacturer ID string","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Serial number of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"asset_tag","description":"Manufacturer specific asset tag of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"part_number","description":"Manufacturer specific serial number of memory device","type":"text","hidden":false,"required":false,"index":false},{"name":"min_voltage","description":"Minimum operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_voltage","description":"Maximum operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false},{"name":"configured_voltage","description":"Configured operating voltage of device in millivolts","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"memory_error_info","description":"Data associated with errors of a physical memory array.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the structure","type":"text","hidden":false,"required":false,"index":false},{"name":"error_type","description":"type of error associated with current error status for array or device","type":"text","hidden":false,"required":false,"index":false},{"name":"error_granularity","description":"Granularity to which the error can be resolved","type":"text","hidden":false,"required":false,"index":false},{"name":"error_operation","description":"Memory access operation that caused the error","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_syndrome","description":"Vendor specific ECC syndrome or CRC data associated with the erroneous access","type":"text","hidden":false,"required":false,"index":false},{"name":"memory_array_error_address","description":"32 bit physical address of the error based on the addressing of the bus to which the memory array is connected","type":"text","hidden":false,"required":false,"index":false},{"name":"device_error_address","description":"32 bit physical address of the error relative to the start of the failing memory address, in bytes","type":"text","hidden":false,"required":false,"index":false},{"name":"error_resolution","description":"Range, in bytes, within which this error can be determined, when an error address is given","type":"text","hidden":false,"required":false,"index":false}]},{"name":"memory_info","description":"Main memory information in bytes.","platforms":["linux"],"columns":[{"name":"memory_total","description":"Total amount of physical RAM, in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"memory_free","description":"The amount of physical RAM, in bytes, left unused by the system","type":"bigint","hidden":false,"required":false,"index":false},{"name":"buffers","description":"The amount of physical RAM, in bytes, used for file buffers","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cached","description":"The amount of physical RAM, in bytes, used as cache memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_cached","description":"The amount of swap, in bytes, used as cache memory","type":"bigint","hidden":false,"required":false,"index":false},{"name":"active","description":"The total amount of buffer or page cache memory, in bytes, that is in active use","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"The total amount of buffer or page cache memory, in bytes, that are free and available","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_total","description":"The total amount of swap available, in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_free","description":"The total amount of swap free, in bytes","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"memory_map","description":"OS memory region map.","platforms":["linux"],"columns":[{"name":"name","description":"Region name","type":"text","hidden":false,"required":false,"index":false},{"name":"start","description":"Start address of memory region","type":"text","hidden":false,"required":false,"index":false},{"name":"end","description":"End address of memory region","type":"text","hidden":false,"required":false,"index":false}]},{"name":"mounts","description":"System mounted devices and filesystems (not process specific).","platforms":["darwin","linux"],"columns":[{"name":"device","description":"Mounted device","type":"text","hidden":false,"required":false,"index":false},{"name":"device_alias","description":"Mounted device alias","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Mounted device path","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Mounted device type","type":"text","hidden":false,"required":false,"index":false},{"name":"blocks_size","description":"Block size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks","description":"Mounted device used blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_free","description":"Mounted device free blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"blocks_available","description":"Mounted device available blocks","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes","description":"Mounted device used inodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inodes_free","description":"Mounted device free inodes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flags","description":"Mounted device flags","type":"text","hidden":false,"required":false,"index":false}]},{"name":"msr","description":"Various pieces of data stored in the model specific register per processor. NOTE: the msr kernel module must be enabled, and osquery must be run as root.","platforms":["linux"],"columns":[{"name":"processor_number","description":"The processor number as reported in /proc/cpuinfo","type":"bigint","hidden":false,"required":false,"index":false},{"name":"turbo_disabled","description":"Whether the turbo feature is disabled.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"turbo_ratio_limit","description":"The turbo feature ratio limit.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"platform_info","description":"Platform information.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"perf_ctl","description":"Performance setting for the processor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"perf_status","description":"Performance status for the processor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"feature_control","description":"Bitfield controlling enabled features.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_power_limit","description":"Run Time Average Power Limiting power limit.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_energy_status","description":"Run Time Average Power Limiting energy status.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"rapl_power_units","description":"Run Time Average Power Limiting power units.","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"nfs_shares","description":"NFS shares exported by the host.","platforms":["darwin"],"columns":[{"name":"share","description":"Filesystem path to the share","type":"text","hidden":false,"required":false,"index":false},{"name":"options","description":"Options string set on the export share","type":"text","hidden":false,"required":false,"index":false},{"name":"readonly","description":"1 if the share is exported readonly else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"npm_packages","description":"Lists all npm packages in a directory or globally installed in a system.","platforms":["linux"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Package supplied description","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Package author name","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License for package","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Module's package.json path","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"Node module's directory where this package is located","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"ntdomains","description":"Display basic NT domain information of a Windows machine.","platforms":["windows"],"columns":[{"name":"name","description":"The label by which the object is known.","type":"text","hidden":false,"required":false,"index":false},{"name":"client_site_name","description":"The name of the site where the domain controller is configured.","type":"text","hidden":false,"required":false,"index":false},{"name":"dc_site_name","description":"The name of the site where the domain controller is located.","type":"text","hidden":false,"required":false,"index":false},{"name":"dns_forest_name","description":"The name of the root of the DNS tree.","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_controller_address","description":"The IP Address of the discovered domain controller..","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_controller_name","description":"The name of the discovered domain controller.","type":"text","hidden":false,"required":false,"index":false},{"name":"domain_name","description":"The name of the domain.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"The current status of the domain object.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ntfs_acl_permissions","description":"Retrieve NTFS ACL permission information for files and directories.","platforms":["windows"],"columns":[{"name":"path","description":"Path to the file or directory.","type":"text","hidden":false,"required":true,"index":false},{"name":"type","description":"Type of access mode for the access control entry.","type":"text","hidden":false,"required":false,"index":false},{"name":"principal","description":"User or group to which the ACE applies.","type":"text","hidden":false,"required":false,"index":false},{"name":"access","description":"Specific permissions that indicate the rights described by the ACE.","type":"text","hidden":false,"required":false,"index":false},{"name":"inherited_from","description":"The inheritance policy of the ACE.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ntfs_journal_events","description":"Track time/action changes to files specified in configuration data.","platforms":["windows"],"columns":[{"name":"action","description":"Change action (Write, Delete, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category that the event originated from","type":"text","hidden":false,"required":false,"index":false},{"name":"old_path","description":"Old path (renames only)","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path","type":"text","hidden":false,"required":false,"index":false},{"name":"record_timestamp","description":"Journal record timestamp","type":"text","hidden":false,"required":false,"index":false},{"name":"record_usn","description":"The update sequence number that identifies the journal record","type":"text","hidden":false,"required":false,"index":false},{"name":"node_ref_number","description":"The ordinal that associates a journal record with a filename","type":"text","hidden":false,"required":false,"index":false},{"name":"parent_ref_number","description":"The ordinal that associates a journal record with a filename's parent directory","type":"text","hidden":false,"required":false,"index":false},{"name":"drive_letter","description":"The drive letter identifying the source journal","type":"text","hidden":false,"required":false,"index":false},{"name":"file_attributes","description":"File attributes","type":"text","hidden":false,"required":false,"index":false},{"name":"partial","description":"Set to 1 if either path or old_path only contains the file or folder name","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of file event","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"nvram","description":"Apple NVRAM variable listing.","platforms":["darwin"],"columns":[{"name":"name","description":"Variable name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Data type (CFData, CFString, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Raw variable data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"oem_strings","description":"OEM defined strings retrieved from SMBIOS.","platforms":["darwin","linux"],"columns":[{"name":"handle","description":"Handle, or instance number, associated with the Type 11 structure","type":"text","hidden":false,"required":false,"index":false},{"name":"number","description":"The string index of the structure","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"The value of the OEM string","type":"text","hidden":false,"required":false,"index":false}]},{"name":"office_mru","description":"View recently opened Office documents.","platforms":["windows"],"columns":[{"name":"application","description":"Associated Office application","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Office application version number","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File path","type":"text","hidden":false,"required":false,"index":false},{"name":"last_opened_time","description":"Most recent opened time file was opened","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID","type":"text","hidden":false,"required":false,"index":false}]},{"name":"os_version","description":"A single row containing the operating system name and version.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Distribution or product name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Pretty, suitable for presentation, OS version","type":"text","hidden":false,"required":false,"index":false},{"name":"major","description":"Major release version","type":"integer","hidden":false,"required":false,"index":false},{"name":"minor","description":"Minor release version","type":"integer","hidden":false,"required":false,"index":false},{"name":"patch","description":"Optional patch release","type":"integer","hidden":false,"required":false,"index":false},{"name":"build","description":"Optional build-specific or variant string","type":"text","hidden":false,"required":false,"index":false},{"name":"platform","description":"OS Platform or ID","type":"text","hidden":false,"required":false,"index":false},{"name":"platform_like","description":"Closely related platforms","type":"text","hidden":false,"required":false,"index":false},{"name":"codename","description":"OS version codename","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"OS Architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"The install date of the OS.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"osquery_events","description":"Information about the event publishers and subscribers.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"Event publisher or subscriber name","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the associated publisher","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Either publisher or subscriber","type":"text","hidden":false,"required":false,"index":false},{"name":"subscriptions","description":"Number of subscriptions the publisher received or subscriber used","type":"integer","hidden":false,"required":false,"index":false},{"name":"events","description":"Number of events emitted or received since osquery started","type":"integer","hidden":false,"required":false,"index":false},{"name":"refreshes","description":"Publisher only: number of runloop restarts","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 if the publisher or subscriber is active else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_extensions","description":"List of active osquery extensions.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"uuid","description":"The transient ID assigned for communication","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension's name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension's version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk_version","description":"osquery SDK version used to build the extension","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the extension's Thrift connection or library path","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"SDK extension type: extension or module","type":"text","hidden":false,"required":false,"index":false}]},{"name":"osquery_flags","description":"Configurable flags that modify osquery's behavior.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"Flag name","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Flag type","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Flag description","type":"text","hidden":false,"required":false,"index":false},{"name":"default_value","description":"Flag default value","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Flag value","type":"text","hidden":false,"required":false,"index":false},{"name":"shell_only","description":"Is the flag shell only?","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_info","description":"Top level information about the running version of osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"pid","description":"Process (or thread/handle) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the system","type":"text","hidden":false,"required":false,"index":false},{"name":"instance_id","description":"Unique, long-lived ID per instance of osquery","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"osquery toolkit version","type":"text","hidden":false,"required":false,"index":false},{"name":"config_hash","description":"Hash of the working configuration state","type":"text","hidden":false,"required":false,"index":false},{"name":"config_valid","description":"1 if the config was loaded and considered valid, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"extensions","description":"osquery extensions status","type":"text","hidden":false,"required":false,"index":false},{"name":"build_platform","description":"osquery toolkit build platform","type":"text","hidden":false,"required":false,"index":false},{"name":"build_distro","description":"osquery toolkit platform distribution name (os version)","type":"text","hidden":false,"required":false,"index":false},{"name":"start_time","description":"UNIX time in seconds when the process started","type":"integer","hidden":false,"required":false,"index":false},{"name":"watcher","description":"Process (or thread/handle) ID of optional watcher process","type":"integer","hidden":false,"required":false,"index":false},{"name":"platform_mask","description":"The osquery platform bitmask","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_packs","description":"Information about the current query packs that are loaded in osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"The given name for this query pack","type":"text","hidden":false,"required":false,"index":false},{"name":"platform","description":"Platforms this query is supported on","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Minimum osquery version that this query will run on","type":"text","hidden":false,"required":false,"index":false},{"name":"shard","description":"Shard restriction limit, 1-100, 0 meaning no restriction","type":"integer","hidden":false,"required":false,"index":false},{"name":"discovery_cache_hits","description":"The number of times that the discovery query used cached values since the last time the config was reloaded","type":"integer","hidden":false,"required":false,"index":false},{"name":"discovery_executions","description":"The number of times that the discovery queries have been executed since the last time the config was reloaded","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_registry","description":"List the osquery registry plugins.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"registry","description":"Name of the osquery registry","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the plugin item","type":"text","hidden":false,"required":false,"index":false},{"name":"owner_uuid","description":"Extension route UUID (0 for core)","type":"integer","hidden":false,"required":false,"index":false},{"name":"internal","description":"1 If the plugin is internal else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"active","description":"1 If this plugin is active else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"osquery_schedule","description":"Information about the current queries that are scheduled in osquery.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"name","description":"The given name for this query","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"The exact query to run","type":"text","hidden":false,"required":false,"index":false},{"name":"interval","description":"The interval in seconds to run this query, not an exact interval","type":"integer","hidden":false,"required":false,"index":false},{"name":"executions","description":"Number of times the query was executed","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_executed","description":"UNIX time stamp in seconds of the last completed execution","type":"bigint","hidden":false,"required":false,"index":false},{"name":"denylisted","description":"1 if the query is denylisted else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"output_size","description":"Total number of bytes generated by the query","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wall_time","description":"Total wall time spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"user_time","description":"Total user time spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_time","description":"Total system time spent executing","type":"bigint","hidden":false,"required":false,"index":false},{"name":"average_memory","description":"Average private memory left after executing","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"package_bom","description":"OS X package bill of materials (BOM) file list.","platforms":["darwin"],"columns":[{"name":"filepath","description":"Package file or directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Expected user of file or directory","type":"integer","hidden":false,"required":false,"index":false},{"name":"gid","description":"Expected group of file or directory","type":"integer","hidden":false,"required":false,"index":false},{"name":"mode","description":"Expected permissions","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Timestamp the file was installed","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of package bom","type":"text","hidden":false,"required":true,"index":false}]},{"name":"package_install_history","description":"OS X package install history.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Label packageIdentifiers","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Label date as UNIX timestamp","type":"integer","hidden":false,"required":false,"index":false},{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package display version","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Install source: usually the installer process name","type":"text","hidden":false,"required":false,"index":false},{"name":"content_type","description":"Package content_type (optional)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"package_receipts","description":"OS X package receipt details.","platforms":["darwin"],"columns":[{"name":"package_id","description":"Package domain identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"package_filename","description":"Filename of original .pkg file","type":"text","hidden":true,"required":false,"index":false},{"name":"version","description":"Installed package version","type":"text","hidden":false,"required":false,"index":false},{"name":"location","description":"Optional relative install path on volume","type":"text","hidden":false,"required":false,"index":false},{"name":"install_time","description":"Timestamp of install time","type":"double","hidden":false,"required":false,"index":false},{"name":"installer_name","description":"Name of installer process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of receipt plist","type":"text","hidden":false,"required":false,"index":false}]},{"name":"patches","description":"Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).","platforms":["windows"],"columns":[{"name":"csname","description":"The name of the host the patch is installed on.","type":"text","hidden":false,"required":false,"index":false},{"name":"hotfix_id","description":"The KB ID of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"caption","description":"Short description of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Fuller description of the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"fix_comments","description":"Additional comments about the patch.","type":"text","hidden":false,"required":false,"index":false},{"name":"installed_by","description":"The system context in which the patch as installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"installed_on","description":"The date when the patch was installed.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"pci_devices","description":"PCI devices active on the host system.","platforms":["darwin","linux"],"columns":[{"name":"pci_slot","description":"PCI Device used slot","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_class","description":"PCI Device class","type":"text","hidden":false,"required":false,"index":false},{"name":"driver","description":"PCI Device used driver","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor","description":"PCI Device vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded PCI Device vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"PCI Device model","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded PCI Device model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"pci_class_id","description":"PCI Device class ID in hex format","type":"text","hidden":true,"required":false,"index":false},{"name":"pci_subclass_id","description":"PCI Device subclass in hex format","type":"text","hidden":true,"required":false,"index":false},{"name":"pci_subclass","description":"PCI Device subclass","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_vendor_id","description":"Vendor ID of PCI device subsystem","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_vendor","description":"Vendor of PCI device subsystem","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_model_id","description":"Model ID of PCI device subsystem","type":"text","hidden":true,"required":false,"index":false},{"name":"subsystem_model","description":"Device description of PCI device subsystem","type":"text","hidden":true,"required":false,"index":false}]},{"name":"physical_disk_performance","description":"Provides provides raw data from performance counters that monitor hard or fixed disk drives on the system.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the physical disk","type":"text","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_read","description":"Average number of bytes transferred from the disk during read operations","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_bytes_per_write","description":"Average number of bytes transferred to the disk during write operations","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_read_queue_length","description":"Average number of read requests that were queued for the selected disk during the sample interval","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_write_queue_length","description":"Average number of write requests that were queued for the selected disk during the sample interval","type":"bigint","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_read","description":"Average time, in seconds, of a read operation of data from the disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"avg_disk_sec_per_write","description":"Average time, in seconds, of a write operation of data to the disk","type":"integer","hidden":false,"required":false,"index":false},{"name":"current_disk_queue_length","description":"Number of requests outstanding on the disk at the time the performance data is collected","type":"integer","hidden":false,"required":false,"index":false},{"name":"percent_disk_read_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing read requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_disk_write_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing write requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_disk_time","description":"Percentage of elapsed time that the selected disk drive is busy servicing read or write requests","type":"bigint","hidden":false,"required":false,"index":false},{"name":"percent_idle_time","description":"Percentage of time during the sample interval that the disk was idle","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"pipes","description":"Named and Anonymous pipes.","platforms":["windows"],"columns":[{"name":"pid","description":"Process ID of the process to which the pipe belongs","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the pipe","type":"text","hidden":false,"required":false,"index":false},{"name":"instances","description":"Number of instances of the named pipe","type":"integer","hidden":false,"required":false,"index":false},{"name":"max_instances","description":"The maximum number of instances creatable for this pipe","type":"integer","hidden":false,"required":false,"index":false},{"name":"flags","description":"The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes","type":"text","hidden":false,"required":false,"index":false}]},{"name":"pkg_packages","description":"pkgng packages that are currently installed on the host system.","platforms":["freebsd"],"columns":[{"name":"name","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"flatsize","description":"Package size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Architecture(s) supported","type":"text","hidden":false,"required":false,"index":false}]},{"name":"platform_info","description":"Information about EFI/UEFI/ROM and platform/boot.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"vendor","description":"Platform code vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Platform code version","type":"text","hidden":false,"required":false,"index":false},{"name":"date","description":"Self-reported platform code update date","type":"text","hidden":false,"required":false,"index":false},{"name":"revision","description":"BIOS major and minor revision","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"Relative address of firmware mapping","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size in bytes of firmware","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_size","description":"(Optional) size of firmware volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"extra","description":"Platform-specific additional information","type":"text","hidden":false,"required":false,"index":false}]},{"name":"plist","description":"Read and parse a plist file.","platforms":["darwin"],"columns":[{"name":"key","description":"Preference top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"subkey","description":"Intermediate key path, includes lists/dicts","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF types","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"(required) read preferences from a plist","type":"text","hidden":false,"required":true,"index":false}]},{"name":"portage_keywords","description":"A summary about portage configurations like keywords, mask and unmask.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","hidden":false,"required":false,"index":false},{"name":"keyword","description":"The keyword applied to the package","type":"text","hidden":false,"required":false,"index":false},{"name":"mask","description":"If the package is masked","type":"integer","hidden":false,"required":false,"index":false},{"name":"unmask","description":"If the package is unmasked","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"portage_packages","description":"List of currently installed packages.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version which are affected by the use flags, empty means all","type":"text","hidden":false,"required":false,"index":false},{"name":"slot","description":"The slot used by package","type":"text","hidden":false,"required":false,"index":false},{"name":"build_time","description":"Unix time when package was built","type":"bigint","hidden":false,"required":false,"index":false},{"name":"repository","description":"From which repository the ebuild was used","type":"text","hidden":false,"required":false,"index":false},{"name":"eapi","description":"The eapi for the ebuild","type":"bigint","hidden":false,"required":false,"index":false},{"name":"size","description":"The size of the package","type":"bigint","hidden":false,"required":false,"index":false},{"name":"world","description":"If package is in the world file","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"portage_use","description":"List of enabled portage USE values for specific package.","platforms":["linux"],"columns":[{"name":"package","description":"Package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"The version of the installed package","type":"text","hidden":false,"required":false,"index":false},{"name":"use","description":"USE flag which has been enabled for package","type":"text","hidden":false,"required":false,"index":false}]},{"name":"power_sensors","description":"Machine power (currents, voltages, wattages, etc) sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on OS X","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The sensor category: currents, voltage, wattage","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of power source","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Power in Watts","type":"text","hidden":false,"required":false,"index":false}]},{"name":"powershell_events","description":"Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was received by the osquery event publisher","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the Powershell script event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"script_block_id","description":"The unique GUID of the powershell script to which this block belongs","type":"text","hidden":false,"required":false,"index":false},{"name":"script_block_count","description":"The total number of script blocks for this script","type":"integer","hidden":false,"required":false,"index":false},{"name":"script_text","description":"The text content of the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"script_name","description":"The name of the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"script_path","description":"The path for the Powershell script","type":"text","hidden":false,"required":false,"index":false},{"name":"cosine_similarity","description":"How similar the Powershell script is to a provided 'normal' character frequency","type":"double","hidden":false,"required":false,"index":false}]},{"name":"preferences","description":"OS X defaults and managed preferences.","platforms":["darwin"],"columns":[{"name":"domain","description":"Application ID usually in com.name.product format","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Preference top-level key","type":"text","hidden":false,"required":false,"index":false},{"name":"subkey","description":"Intemediate key path, includes lists/dicts","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"String value of most CF types","type":"text","hidden":false,"required":false,"index":false},{"name":"forced","description":"1 if the value is forced/managed, else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"username","description":"(optional) read preferences for a specific user","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"'current' or 'any' host, where 'current' takes precedence","type":"text","hidden":false,"required":false,"index":false}]},{"name":"prefetch","description":"Prefetch files show metadata related to file execution.","platforms":["windows"],"columns":[{"name":"path","description":"Prefetch file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Executable filename.","type":"text","hidden":false,"required":false,"index":false},{"name":"hash","description":"Prefetch CRC hash.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Most recent time application was run.","type":"integer","hidden":false,"required":false,"index":false},{"name":"other_run_times","description":"Other execution times in prefetch file.","type":"text","hidden":false,"required":false,"index":false},{"name":"run_count","description":"Number of times the application has been run.","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Application file size.","type":"integer","hidden":false,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number.","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_creation","description":"Volume creation time.","type":"text","hidden":false,"required":false,"index":false},{"name":"accessed_files_count","description":"Number of files accessed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"accessed_directories_count","description":"Number of directories accessed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"accessed_files","description":"Files accessed by application within ten seconds of launch.","type":"text","hidden":false,"required":false,"index":false},{"name":"accessed_directories","description":"Directories accessed by application within ten seconds of launch.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_envs","description":"A key/value table of environment variables for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"key","description":"Environment variable name","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Environment variable value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_events","description":"Track time/action process executions.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"File mode permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Command line arguments (argv)","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline_size","description":"Actual size (bytes) of command line arguments","type":"bigint","hidden":true,"required":false,"index":false},{"name":"env","description":"Environment variables delimited by spaces","type":"text","hidden":true,"required":false,"index":false},{"name":"env_count","description":"Number of environment variables","type":"bigint","hidden":true,"required":false,"index":false},{"name":"env_size","description":"Actual size (bytes) of environment list","type":"bigint","hidden":true,"required":false,"index":false},{"name":"cwd","description":"The process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID at process start","type":"bigint","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"File owner user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"owner_gid","description":"File owner group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"File last access in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mtime","description":"File modification in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"File last metadata change in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"btime","description":"File creation in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"overflows","description":"List of structures that overflowed","type":"text","hidden":true,"required":false,"index":false},{"name":"parent","description":"Process parent's PID, or -1 if cannot be determined.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"status","description":"OpenBSM Attribute: Status of the process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID at process start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"suid","description":"Saved user ID at process start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"fsgid","description":"Filesystem group ID at process start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"sgid","description":"Saved group ID at process start","type":"bigint","hidden":true,"required":false,"index":false},{"name":"syscall","description":"Syscall name: fork, vfork, clone, execve, execveat","type":"text","hidden":true,"required":false,"index":false}]},{"name":"process_file_events","description":"A File Integrity Monitor implementation using the audit service.","platforms":["linux"],"columns":[{"name":"operation","description":"Operation type","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ppid","description":"Parent process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"executable","description":"The executable path","type":"text","hidden":false,"required":false,"index":false},{"name":"partial","description":"True if this is a partial event (i.e.: this process existed before we started osquery)","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"The current working directory of the process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"The path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"dest_path","description":"The canonical path associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"The uid of the process performing the action","type":"text","hidden":false,"required":false,"index":false},{"name":"gid","description":"The gid of the process performing the action","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"euid","description":"Effective user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"egid","description":"Effective group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"fsuid","description":"Filesystem user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"fsgid","description":"Filesystem group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"suid","description":"Saved user ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Saved group ID of the process using the file","type":"text","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"process_memory_map","description":"Process memory mapped files and pseudo device/regions.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"start","description":"Virtual start address (hex)","type":"text","hidden":false,"required":false,"index":false},{"name":"end","description":"Virtual end address (hex)","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"r=read, w=write, x=execute, p=private (cow)","type":"text","hidden":false,"required":false,"index":false},{"name":"offset","description":"Offset into mapped path","type":"bigint","hidden":false,"required":false,"index":false},{"name":"device","description":"MA:MI Major/minor device ID","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Mapped path inode, 0 means uninitialized (BSS)","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to mapped file or mapped type","type":"text","hidden":false,"required":false,"index":false},{"name":"pseudo","description":"1 If path is a pseudo path, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"process_namespaces","description":"Linux namespaces for processes running on the host system.","platforms":["linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"cgroup_namespace","description":"cgroup namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"ipc_namespace","description":"ipc namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"mnt_namespace","description":"mnt namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"net namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_namespace","description":"pid namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"user_namespace","description":"user namespace inode","type":"text","hidden":false,"required":false,"index":false},{"name":"uts_namespace","description":"uts namespace inode","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_files","description":"File descriptors for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fd","description":"Process-specific file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Filesystem path of descriptor","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_pipes","description":"Pipes and partner processes for each process.","platforms":["darwin","linux"],"columns":[{"name":"pid","description":"Process ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"fd","description":"File descriptor","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mode","description":"Pipe open mode (r/w)","type":"text","hidden":false,"required":false,"index":false},{"name":"inode","description":"Pipe inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"type","description":"Pipe Type: named vs unnamed/anonymous","type":"text","hidden":false,"required":false,"index":false},{"name":"partner_pid","description":"Process ID of partner process sharing a particular pipe","type":"bigint","hidden":false,"required":false,"index":false},{"name":"partner_fd","description":"File descriptor of shared pipe at partner's end","type":"bigint","hidden":false,"required":false,"index":false},{"name":"partner_mode","description":"Mode of shared pipe at partner's end","type":"text","hidden":false,"required":false,"index":false}]},{"name":"process_open_sockets","description":"Processes which have open network sockets on the system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"fd","description":"Socket file descriptor number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"socket","description":"Socket handle or inode number","type":"bigint","hidden":false,"required":false,"index":false},{"name":"family","description":"Network protocol (IPv4, IPv6)","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"Transport protocol (TCP/UDP)","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_address","description":"Socket local address","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Socket remote address","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Socket local port","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Socket remote port","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"For UNIX sockets (family=AF_UNIX), the domain path","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"TCP socket state","type":"text","hidden":false,"required":false,"index":false},{"name":"net_namespace","description":"The inode number of the network namespace","type":"text","hidden":true,"required":false,"index":false}]},{"name":"processes","description":"All running processes on the host system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"The process path or shorthand argv[0]","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to executed binary","type":"text","hidden":false,"required":false,"index":false},{"name":"cmdline","description":"Complete argv","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Process state","type":"text","hidden":false,"required":false,"index":false},{"name":"cwd","description":"Process current working directory","type":"text","hidden":false,"required":false,"index":false},{"name":"root","description":"Process virtual root directory","type":"text","hidden":false,"required":false,"index":false},{"name":"uid","description":"Unsigned user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Unsigned group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"euid","description":"Unsigned effective user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"egid","description":"Unsigned effective group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"suid","description":"Unsigned saved user ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sgid","description":"Unsigned saved group ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"on_disk","description":"The process path exists yes=1, no=0, unknown=-1","type":"integer","hidden":false,"required":false,"index":false},{"name":"wired_size","description":"Bytes of unpageable memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"resident_size","description":"Bytes of private memory used by process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"total_size","description":"Total virtual memory size","type":"bigint","hidden":false,"required":false,"index":false},{"name":"user_time","description":"CPU time in milliseconds spent in user space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"system_time","description":"CPU time in milliseconds spent in kernel space","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_read","description":"Bytes read from disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"disk_bytes_written","description":"Bytes written to disk","type":"bigint","hidden":false,"required":false,"index":false},{"name":"start_time","description":"Process start time in seconds since Epoch, in case of error -1","type":"bigint","hidden":false,"required":false,"index":false},{"name":"parent","description":"Process parent's PID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pgroup","description":"Process group","type":"bigint","hidden":false,"required":false,"index":false},{"name":"threads","description":"Number of threads used by process","type":"integer","hidden":false,"required":false,"index":false},{"name":"nice","description":"Process nice level (-20 to 20, default 0)","type":"integer","hidden":false,"required":false,"index":false},{"name":"elevated_token","description":"Process uses elevated token yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"secure_process","description":"Process is secure (IUM) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"protection_type","description":"The protection type of the process","type":"text","hidden":true,"required":false,"index":false},{"name":"virtual_process","description":"Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0","type":"integer","hidden":true,"required":false,"index":false},{"name":"elapsed_time","description":"Elapsed time in seconds this process has been running.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"handle_count","description":"Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"percent_processor_time","description":"Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.","type":"bigint","hidden":true,"required":false,"index":false},{"name":"upid","description":"A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uppid","description":"The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cpu_type","description":"Indicates the specific processor designed for installation.","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_subtype","description":"Indicates the specific processor on which an entry may be used.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"programs","description":"Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.","platforms":["windows"],"columns":[{"name":"name","description":"Commonly used product name.","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Product version information.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_location","description":"The installation location directory of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_source","description":"The installation source of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"language","description":"The language of the product.","type":"text","hidden":false,"required":false,"index":false},{"name":"publisher","description":"Name of the product supplier.","type":"text","hidden":false,"required":false,"index":false},{"name":"uninstall_string","description":"Path and filename of the uninstaller.","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Date that this product was installed on the system. ","type":"text","hidden":false,"required":false,"index":false},{"name":"identifying_number","description":"Product identification such as a serial number on software, or a die number on a hardware chip.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"prometheus_metrics","description":"Retrieve metrics from a Prometheus server.","platforms":["darwin","linux"],"columns":[{"name":"target_name","description":"Address of prometheus target","type":"text","hidden":false,"required":false,"index":false},{"name":"metric_name","description":"Name of collected Prometheus metric","type":"text","hidden":false,"required":false,"index":false},{"name":"metric_value","description":"Value of collected Prometheus metric","type":"double","hidden":false,"required":false,"index":false},{"name":"timestamp_ms","description":"Unix timestamp of collected data in MS","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"python_packages","description":"Python packages installed in a system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Package display name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package-supplied version","type":"text","hidden":false,"required":false,"index":false},{"name":"summary","description":"Package-supplied summary","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional package author","type":"text","hidden":false,"required":false,"index":false},{"name":"license","description":"License under which package is launched","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path at which this module resides","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"Directory where Python modules are located","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"quicklook_cache","description":"Files and thumbnails within OS X's Quicklook Cache.","platforms":["darwin"],"columns":[{"name":"path","description":"Path of file","type":"text","hidden":false,"required":false,"index":false},{"name":"rowid","description":"Quicklook file rowid key","type":"integer","hidden":false,"required":false,"index":false},{"name":"fs_id","description":"Quicklook file fs_id key","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_id","description":"Parsed volume ID from fs_id","type":"integer","hidden":false,"required":false,"index":false},{"name":"inode","description":"Parsed file ID (inode) from fs_id","type":"integer","hidden":false,"required":false,"index":false},{"name":"mtime","description":"Parsed version date field","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Parsed version size field","type":"bigint","hidden":false,"required":false,"index":false},{"name":"label","description":"Parsed version 'gen' field","type":"text","hidden":false,"required":false,"index":false},{"name":"last_hit_date","description":"Apple date format for last thumbnail cache hit","type":"integer","hidden":false,"required":false,"index":false},{"name":"hit_count","description":"Number of cache hits on thumbnail","type":"text","hidden":false,"required":false,"index":false},{"name":"icon_mode","description":"Thumbnail icon mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"cache_path","description":"Path to cache data","type":"text","hidden":false,"required":false,"index":false}]},{"name":"registry","description":"All of the Windows registry hives.","platforms":["windows"],"columns":[{"name":"key","description":"Name of the key to search for","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Full path to the value","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the registry value entry","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of the registry value, or 'subkey' if item is a subkey","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data content of registry value","type":"text","hidden":false,"required":false,"index":false},{"name":"mtime","description":"timestamp of the most recent registry write","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"routes","description":"The active route table for the host system.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"destination","description":"Destination IP address","type":"text","hidden":false,"required":false,"index":false},{"name":"netmask","description":"Netmask length","type":"integer","hidden":false,"required":false,"index":false},{"name":"gateway","description":"Route gateway","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Route source","type":"text","hidden":false,"required":false,"index":false},{"name":"flags","description":"Flags to describe route","type":"integer","hidden":false,"required":false,"index":false},{"name":"interface","description":"Route local interface","type":"text","hidden":false,"required":false,"index":false},{"name":"mtu","description":"Maximum Transmission Unit for the route","type":"integer","hidden":false,"required":false,"index":false},{"name":"metric","description":"Cost of route. Lowest is preferred","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of route","type":"text","hidden":false,"required":false,"index":false},{"name":"hopcount","description":"Max hops expected","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"rpm_package_files","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"package","description":"RPM package name","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"File path within the package","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"File default username from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"File default groupname from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"File permissions mode from info DB","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Expected file size in bytes from RPM info DB","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha256","description":"SHA256 file digest from RPM info DB","type":"text","hidden":false,"required":false,"index":false}]},{"name":"rpm_packages","description":"RPM packages that are currently installed on the host system.","platforms":["linux"],"columns":[{"name":"name","description":"RPM package name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Package version","type":"text","hidden":false,"required":false,"index":false},{"name":"release","description":"Package release","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source RPM package name (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Package size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"sha1","description":"SHA1 hash of the package contents","type":"text","hidden":false,"required":false,"index":false},{"name":"arch","description":"Architecture(s) supported","type":"text","hidden":false,"required":false,"index":false},{"name":"epoch","description":"Package epoch value","type":"integer","hidden":false,"required":false,"index":false},{"name":"install_time","description":"When the package was installed","type":"integer","hidden":false,"required":false,"index":false},{"name":"vendor","description":"Package vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"package_group","description":"Package group","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false},{"name":"mount_namespace_id","description":"Mount namespace id","type":"text","hidden":true,"required":false,"index":false}]},{"name":"running_apps","description":"macOS applications currently running on the host system.","platforms":["darwin"],"columns":[{"name":"pid","description":"The pid of the application","type":"integer","hidden":false,"required":false,"index":false},{"name":"bundle_identifier","description":"The bundle identifier of the application","type":"text","hidden":false,"required":false,"index":false},{"name":"is_active","description":"1 if the application is in focus, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"safari_extensions","description":"Safari browser extension details for all users.","platforms":["darwin"],"columns":[{"name":"uid","description":"The local user that owns the extension","type":"bigint","hidden":false,"required":false,"index":false},{"name":"name","description":"Extension display name","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"Extension long version","type":"text","hidden":false,"required":false,"index":false},{"name":"sdk","description":"Bundle SDK used to compile extension","type":"text","hidden":false,"required":false,"index":false},{"name":"update_url","description":"Extension-supplied update URI","type":"text","hidden":false,"required":false,"index":false},{"name":"author","description":"Optional extension author","type":"text","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Optional developer identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional extension description text","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to extension XAR bundle","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sandboxes","description":"OS X application sandboxes container details.","platforms":["darwin"],"columns":[{"name":"label","description":"UTI-format bundle or label ID","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"Sandbox owner","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Application sandboxings enabled on container","type":"integer","hidden":false,"required":false,"index":false},{"name":"build_id","description":"Sandbox-specific identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"Application bundle used by the sandbox","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to sandbox container directory","type":"text","hidden":false,"required":false,"index":false}]},{"name":"scheduled_tasks","description":"Lists all of the tasks in the Windows task scheduler.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Actions executed by the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to the executable to be run","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether or not the scheduled task is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"state","description":"State of the scheduled task","type":"text","hidden":false,"required":false,"index":false},{"name":"hidden","description":"Whether or not the task is visible in the UI","type":"integer","hidden":false,"required":false,"index":false},{"name":"last_run_time","description":"Timestamp the task last ran","type":"bigint","hidden":false,"required":false,"index":false},{"name":"next_run_time","description":"Timestamp the task is scheduled to run next","type":"bigint","hidden":false,"required":false,"index":false},{"name":"last_run_message","description":"Exit status message of the last task run","type":"text","hidden":false,"required":false,"index":false},{"name":"last_run_code","description":"Exit status code of the last task run","type":"text","hidden":false,"required":false,"index":false}]},{"name":"screenlock","description":"macOS screenlock status for the current logged in user context.","platforms":["darwin"],"columns":[{"name":"enabled","description":"1 If a password is required after sleep or the screensaver begins; else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"grace_period","description":"The amount of time in seconds the screen must be asleep or the screensaver on before a password is required on-wake. 0 = immediately; -1 = no password is required on-wake","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"seccomp_events","description":"A virtual table that tracks seccomp events.","platforms":["linux"],"columns":[{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit user ID (loginuid) of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"uid","description":"User ID of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID of the user who started the analyzed process","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"ses","description":"Session ID of the session from which the analyzed process was invoked","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID","type":"unsigned_bigint","hidden":false,"required":false,"index":false},{"name":"comm","description":"Command-line name of the command that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"exe","description":"The path to the executable that was used to invoke the analyzed process","type":"text","hidden":false,"required":false,"index":false},{"name":"sig","description":"Signal value sent to process by seccomp","type":"bigint","hidden":false,"required":false,"index":false},{"name":"arch","description":"Information about the CPU architecture","type":"text","hidden":false,"required":false,"index":false},{"name":"syscall","description":"Type of the system call","type":"text","hidden":false,"required":false,"index":false},{"name":"compat","description":"Is system call in compatibility mode","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ip","description":"Instruction pointer value","type":"text","hidden":false,"required":false,"index":false},{"name":"code","description":"The seccomp action","type":"text","hidden":false,"required":false,"index":false}]},{"name":"secureboot","description":"Secure Boot UEFI Settings.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"secure_boot","description":"Whether secure boot is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"setup_mode","description":"Whether setup mode is enabled","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"selinux_events","description":"Track SELinux events.","platforms":["linux"],"columns":[{"name":"type","description":"Event type","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"Message","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"selinux_settings","description":"Track active SELinux settings.","platforms":["linux"],"columns":[{"name":"scope","description":"Where the key is located inside the SELinuxFS mount point.","type":"text","hidden":false,"required":false,"index":false},{"name":"key","description":"Key or class name.","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Active value.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"services","description":"Lists all installed Windows services and their relevant data.","platforms":["windows"],"columns":[{"name":"name","description":"Service name","type":"text","hidden":false,"required":false,"index":false},{"name":"service_type","description":"Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)","type":"text","hidden":false,"required":false,"index":false},{"name":"display_name","description":"Service Display name","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"the Process ID of the service","type":"integer","hidden":false,"required":false,"index":false},{"name":"start_type","description":"Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED","type":"text","hidden":false,"required":false,"index":false},{"name":"win32_exit_code","description":"The error code that the service uses to report an error that occurs when it is starting or stopping","type":"integer","hidden":false,"required":false,"index":false},{"name":"service_exit_code","description":"The service-specific error code that the service returns when an error occurs while the service is starting or stopping","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to Service Executable","type":"text","hidden":false,"required":false,"index":false},{"name":"module_path","description":"Path to ServiceDll","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Service Description","type":"text","hidden":false,"required":false,"index":false},{"name":"user_account","description":"The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\\UserName. If the account belongs to the built-in domain, the name can be of the form .\\UserName.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shadow","description":"Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.","platforms":["linux"],"columns":[{"name":"password_status","description":"Password status","type":"text","hidden":false,"required":false,"index":false},{"name":"hash_alg","description":"Password hashing algorithm","type":"text","hidden":false,"required":false,"index":false},{"name":"last_change","description":"Date of last password change (starting from UNIX epoch date)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"min","description":"Minimal number of days between password changes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"max","description":"Maximum number of days between password changes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"warning","description":"Number of days before password expires to warn user about it","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Number of days after password expires until account is blocked","type":"bigint","hidden":false,"required":false,"index":false},{"name":"expire","description":"Number of days since UNIX epoch date until account is disabled","type":"bigint","hidden":false,"required":false,"index":false},{"name":"flag","description":"Reserved","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shared_folders","description":"Folders available to others via SMB or AFP.","platforms":["darwin"],"columns":[{"name":"name","description":"The shared name of the folder as it appears to other users","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Absolute path of shared folder on the local system","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shared_memory","description":"OS shared memory regions.","platforms":["linux"],"columns":[{"name":"shmid","description":"Shared memory segment ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"owner_uid","description":"User ID of owning process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creator_uid","description":"User ID of creator process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID to last use the segment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"creator_pid","description":"Process ID that created the segment","type":"bigint","hidden":false,"required":false,"index":false},{"name":"atime","description":"Attached time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"dtime","description":"Detached time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"ctime","description":"Changed time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Memory segment permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Size in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"attached","description":"Number of attached processes","type":"integer","hidden":false,"required":false,"index":false},{"name":"status","description":"Destination/attach status","type":"text","hidden":false,"required":false,"index":false},{"name":"locked","description":"1 if segment is locked else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shared_resources","description":"Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.","platforms":["windows"],"columns":[{"name":"description","description":"A textual description of the object","type":"text","hidden":false,"required":false,"index":false},{"name":"install_date","description":"Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"String that indicates the current status of the object.","type":"text","hidden":false,"required":false,"index":false},{"name":"allow_maximum","description":"Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.","type":"integer","hidden":false,"required":false,"index":false},{"name":"maximum_allowed","description":"Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.","type":"integer","hidden":false,"required":false,"index":false},{"name":"name","description":"Alias given to a path set up as a share on a computer system running Windows.","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Local path of the Windows share.","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"sharing_preferences","description":"OS X Sharing preferences.","platforms":["darwin"],"columns":[{"name":"screen_sharing","description":"1 If screen sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"file_sharing","description":"1 If file sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"printer_sharing","description":"1 If printer sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_login","description":"1 If remote login is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_management","description":"1 If remote management is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_apple_events","description":"1 If remote apple events are enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"internet_sharing","description":"1 If internet sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"bluetooth_sharing","description":"1 If bluetooth sharing is enabled for any user else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"disc_sharing","description":"1 If CD or DVD sharing is enabled else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"content_caching","description":"1 If content caching is enabled else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shell_history","description":"A line-delimited (command) table of per-user .*_history data.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"Shell history owner","type":"bigint","hidden":false,"required":false,"index":false},{"name":"time","description":"Entry timestamp. It could be absent, default value is 0.","type":"integer","hidden":false,"required":false,"index":false},{"name":"command","description":"Unparsed date/line/command history line","type":"text","hidden":false,"required":false,"index":false},{"name":"history_file","description":"Path to the .*_history for this user","type":"text","hidden":false,"required":false,"index":false}]},{"name":"shellbags","description":"Shows directories accessed via Windows Explorer.","platforms":["windows"],"columns":[{"name":"sid","description":"User SID","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Shellbags source Registry file","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Directory name.","type":"text","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"Directory Modified time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"created_time","description":"Directory Created time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"accessed_time","description":"Directory Accessed time.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_entry","description":"Directory master file table entry.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_sequence","description":"Directory master file table sequence.","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shimcache","description":"Application Compatibility Cache, contains artifacts of execution.","platforms":["windows"],"columns":[{"name":"entry","description":"Execution order.","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"This is the path to the executed file.","type":"text","hidden":false,"required":false,"index":false},{"name":"modified_time","description":"File Modified time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"execution_flag","description":"Boolean Execution flag, 1 for execution, 0 for no execution, -1 for missing (this flag does not exist on Windows 10 and higher).","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"shortcut_files","description":"View data about Windows Shortcut files.","platforms":["windows"],"columns":[{"name":"path","description":"Directory name.","type":"text","hidden":false,"required":true,"index":false},{"name":"target_path","description":"Target file path","type":"text","hidden":false,"required":false,"index":false},{"name":"target_modified","description":"Target Modified time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"target_created","description":"Target Created time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"target_accessed","description":"Target Accessed time.","type":"integer","hidden":false,"required":false,"index":false},{"name":"target_size","description":"Size of target file.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to target file from lnk file.","type":"text","hidden":false,"required":false,"index":false},{"name":"local_path","description":"Local system path to target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"working_path","description":"Target file directory.","type":"text","hidden":false,"required":false,"index":false},{"name":"icon_path","description":"Lnk file icon location.","type":"text","hidden":false,"required":false,"index":false},{"name":"common_path","description":"Common system path to target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"command_args","description":"Command args passed to lnk file.","type":"text","hidden":false,"required":false,"index":false},{"name":"hostname","description":"Optional hostname of the target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"share_name","description":"Share name of the target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"device_type","description":"Device containing the target file.","type":"text","hidden":false,"required":false,"index":false},{"name":"volume_serial","description":"Volume serial number.","type":"text","hidden":false,"required":false,"index":false},{"name":"mft_entry","description":"Target mft entry.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"mft_sequence","description":"Target mft sequence.","type":"integer","hidden":false,"required":false,"index":false},{"name":"description","description":"Lnk file description.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"signature","description":"File (executable, bundle, installer, disk) code signing status.","platforms":["darwin"],"columns":[{"name":"path","description":"Must provide a path or directory","type":"text","hidden":false,"required":true,"index":false},{"name":"hash_resources","description":"Set to 1 to also hash resources, or 0 otherwise. Default is 1","type":"integer","hidden":false,"required":false,"index":false},{"name":"arch","description":"If applicable, the arch of the signed code","type":"text","hidden":false,"required":false,"index":false},{"name":"signed","description":"1 If the file is signed else 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"identifier","description":"The signing identifier sealed into the signature","type":"text","hidden":false,"required":false,"index":false},{"name":"cdhash","description":"Hash of the application Code Directory","type":"text","hidden":false,"required":false,"index":false},{"name":"team_identifier","description":"The team signing identifier sealed into the signature","type":"text","hidden":false,"required":false,"index":false},{"name":"authority","description":"Certificate Common Name","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sip_config","description":"Apple's System Integrity Protection (rootless) status.","platforms":["darwin"],"columns":[{"name":"config_flag","description":"The System Integrity Protection config flag","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"1 if this configuration is enabled, otherwise 0","type":"integer","hidden":false,"required":false,"index":false},{"name":"enabled_nvram","description":"1 if this configuration is enabled, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"smart_drive_info","description":"Drive information read by SMART controller utilizing autodetect.","platforms":["darwin","linux"],"columns":[{"name":"device_name","description":"Name of block device","type":"text","hidden":false,"required":false,"index":false},{"name":"disk_id","description":"Physical slot number of device, only exists when hardware storage controller exists","type":"integer","hidden":false,"required":false,"index":false},{"name":"driver_type","description":"The explicit device type used to retrieve the SMART information","type":"text","hidden":false,"required":false,"index":false},{"name":"model_family","description":"Drive model family","type":"text","hidden":false,"required":false,"index":false},{"name":"device_model","description":"Device Model","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_number","description":"Device serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"lu_wwn_device_id","description":"Device Identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"additional_product_id","description":"An additional drive identifier if any","type":"text","hidden":false,"required":false,"index":false},{"name":"firmware_version","description":"Drive firmware version","type":"text","hidden":false,"required":false,"index":false},{"name":"user_capacity","description":"Bytes of drive capacity","type":"text","hidden":false,"required":false,"index":false},{"name":"sector_sizes","description":"Bytes of drive sector sizes","type":"text","hidden":false,"required":false,"index":false},{"name":"rotation_rate","description":"Drive RPM","type":"text","hidden":false,"required":false,"index":false},{"name":"form_factor","description":"Form factor if reported","type":"text","hidden":false,"required":false,"index":false},{"name":"in_smartctl_db","description":"Boolean value for if drive is recognized","type":"integer","hidden":false,"required":false,"index":false},{"name":"ata_version","description":"ATA version of drive","type":"text","hidden":false,"required":false,"index":false},{"name":"transport_type","description":"Drive transport type","type":"text","hidden":false,"required":false,"index":false},{"name":"sata_version","description":"SATA version, if any","type":"text","hidden":false,"required":false,"index":false},{"name":"read_device_identity_failure","description":"Error string for device id read, if any","type":"text","hidden":false,"required":false,"index":false},{"name":"smart_supported","description":"SMART support status","type":"text","hidden":false,"required":false,"index":false},{"name":"smart_enabled","description":"SMART enabled status","type":"text","hidden":false,"required":false,"index":false},{"name":"packet_device_type","description":"Packet device type","type":"text","hidden":false,"required":false,"index":false},{"name":"power_mode","description":"Device power mode","type":"text","hidden":false,"required":false,"index":false},{"name":"warnings","description":"Warning messages from SMART controller","type":"text","hidden":false,"required":false,"index":false}]},{"name":"smbios_tables","description":"BIOS (DMI) structure common details and content.","platforms":["darwin","linux"],"columns":[{"name":"number","description":"Table entry number","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Table entry type","type":"integer","hidden":false,"required":false,"index":false},{"name":"description","description":"Table entry description","type":"text","hidden":false,"required":false,"index":false},{"name":"handle","description":"Table entry handle","type":"integer","hidden":false,"required":false,"index":false},{"name":"header_size","description":"Header size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"size","description":"Table entry size in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"md5","description":"MD5 hash of table entry","type":"text","hidden":false,"required":false,"index":false}]},{"name":"smc_keys","description":"Apple's system management controller keys.","platforms":["darwin"],"columns":[{"name":"key","description":"4-character key","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"SMC-reported type literal type","type":"text","hidden":false,"required":false,"index":false},{"name":"size","description":"Reported size of data in bytes","type":"integer","hidden":false,"required":false,"index":false},{"name":"value","description":"A type-encoded representation of the key value","type":"text","hidden":false,"required":false,"index":false},{"name":"hidden","description":"1 if this key is normally hidden, otherwise 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"socket_events","description":"Track network socket opens and closes.","platforms":["darwin","linux"],"columns":[{"name":"action","description":"The socket action (bind, listen, close)","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of executed file","type":"text","hidden":false,"required":false,"index":false},{"name":"fd","description":"The file description for the process socket","type":"text","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"status","description":"Either 'succeeded', 'failed', 'in_progress' (connect() on non-blocking socket) or 'no_client' (null accept() on non-blocking socket)","type":"text","hidden":false,"required":false,"index":false},{"name":"family","description":"The Internet protocol family ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"protocol","description":"The network protocol ID","type":"integer","hidden":true,"required":false,"index":false},{"name":"local_address","description":"Local address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"remote_address","description":"Remote address associated with socket","type":"text","hidden":false,"required":false,"index":false},{"name":"local_port","description":"Local network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"remote_port","description":"Remote network protocol port number","type":"integer","hidden":false,"required":false,"index":false},{"name":"socket","description":"The local path (UNIX domain socket only)","type":"text","hidden":true,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false},{"name":"success","description":"Deprecated. Use the 'status' column instead","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"ssh_configs","description":"A table of parsed ssh_configs.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local owner of the ssh_config file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"block","description":"The host or match block","type":"text","hidden":false,"required":false,"index":false},{"name":"option","description":"The option and value","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_config_file","description":"Path to the ssh_config file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"startup_items","description":"Applications and binaries set as user/login startup items.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"name","description":"Name of startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"args","description":"Arguments provided to startup executable","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Startup Item or Login Item","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Directory or plist containing startup item","type":"text","hidden":false,"required":false,"index":false},{"name":"status","description":"Startup status; either enabled or disabled","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"The user associated with the startup item","type":"text","hidden":false,"required":false,"index":false}]},{"name":"sudoers","description":"Rules for running commands as other users via sudo.","platforms":["darwin","linux"],"columns":[{"name":"source","description":"Source file containing the given rule","type":"text","hidden":false,"required":false,"index":false},{"name":"header","description":"Symbol for given rule","type":"text","hidden":false,"required":false,"index":false},{"name":"rule_details","description":"Rule definition","type":"text","hidden":false,"required":false,"index":false}]},{"name":"suid_bin","description":"suid binaries in common locations.","platforms":["darwin","linux"],"columns":[{"name":"path","description":"Binary path","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Binary owner username","type":"text","hidden":false,"required":false,"index":false},{"name":"groupname","description":"Binary owner group","type":"text","hidden":false,"required":false,"index":false},{"name":"permissions","description":"Binary permissions","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"syslog_events","description":"","platforms":["linux"],"columns":[{"name":"time","description":"Current unix epoch time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Time known to syslog","type":"text","hidden":false,"required":false,"index":false},{"name":"host","description":"Hostname configured for syslog","type":"text","hidden":false,"required":false,"index":false},{"name":"severity","description":"Syslog severity","type":"integer","hidden":false,"required":false,"index":false},{"name":"facility","description":"Syslog facility","type":"text","hidden":false,"required":false,"index":false},{"name":"tag","description":"The syslog tag","type":"text","hidden":false,"required":false,"index":false},{"name":"message","description":"The syslog message","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"system_controls","description":"sysctl names, values, and settings information.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Full sysctl MIB name","type":"text","hidden":false,"required":false,"index":false},{"name":"oid","description":"Control MIB","type":"text","hidden":false,"required":false,"index":false},{"name":"subsystem","description":"Subsystem ID, control type","type":"text","hidden":false,"required":false,"index":false},{"name":"current_value","description":"Value of setting","type":"text","hidden":false,"required":false,"index":false},{"name":"config_value","description":"The MIB value set in /etc/sysctl.conf","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Data type","type":"text","hidden":false,"required":false,"index":false},{"name":"field_name","description":"Specific attribute of opaque type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"system_extensions","description":"macOS (>= 10.15) system extension table.","platforms":["darwin"],"columns":[{"name":"path","description":"Original path of system extension","type":"text","hidden":false,"required":false,"index":false},{"name":"UUID","description":"Extension unique id","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"System extension state","type":"text","hidden":false,"required":false,"index":false},{"name":"identifier","description":"Identifier name","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"System extension version","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"System extension category","type":"text","hidden":false,"required":false,"index":false},{"name":"bundle_path","description":"System extension bundle path","type":"text","hidden":false,"required":false,"index":false},{"name":"team","description":"Signing team ID","type":"text","hidden":false,"required":false,"index":false},{"name":"mdm_managed","description":"1 if managed by MDM system extension payload configuration, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"system_info","description":"System information for identification.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"hostname","description":"Network hostname including domain","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"Unique ID provided by the system","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_type","description":"CPU type","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_subtype","description":"CPU subtype","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_brand","description":"CPU brand string, contains vendor and model","type":"text","hidden":false,"required":false,"index":false},{"name":"cpu_physical_cores","description":"Number of physical CPU cores in to the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_logical_cores","description":"Number of logical CPU cores available to the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"cpu_microcode","description":"Microcode version","type":"text","hidden":false,"required":false,"index":false},{"name":"physical_memory","description":"Total physical memory in bytes","type":"bigint","hidden":false,"required":false,"index":false},{"name":"hardware_vendor","description":"Hardware vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_model","description":"Hardware model","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_version","description":"Hardware version","type":"text","hidden":false,"required":false,"index":false},{"name":"hardware_serial","description":"Device serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"board_vendor","description":"Board vendor","type":"text","hidden":false,"required":false,"index":false},{"name":"board_model","description":"Board model","type":"text","hidden":false,"required":false,"index":false},{"name":"board_version","description":"Board version","type":"text","hidden":false,"required":false,"index":false},{"name":"board_serial","description":"Board serial number","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Friendly computer name (optional)","type":"text","hidden":false,"required":false,"index":false},{"name":"local_hostname","description":"Local hostname (optional)","type":"text","hidden":false,"required":false,"index":false}]},{"name":"systemd_units","description":"Track systemd units.","platforms":["linux"],"columns":[{"name":"id","description":"Unique unit identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Unit description","type":"text","hidden":false,"required":false,"index":false},{"name":"load_state","description":"Reflects whether the unit definition was properly loaded","type":"text","hidden":false,"required":false,"index":false},{"name":"active_state","description":"The high-level unit activation state, i.e. generalization of SUB","type":"text","hidden":false,"required":false,"index":false},{"name":"sub_state","description":"The low-level unit activation state, values depend on unit type","type":"text","hidden":false,"required":false,"index":false},{"name":"following","description":"The name of another unit that this unit follows in state","type":"text","hidden":false,"required":false,"index":false},{"name":"object_path","description":"The object path for this unit","type":"text","hidden":false,"required":false,"index":false},{"name":"job_id","description":"Next queued job id","type":"bigint","hidden":false,"required":false,"index":false},{"name":"job_type","description":"Job type","type":"text","hidden":false,"required":false,"index":false},{"name":"job_path","description":"The object path for the job","type":"text","hidden":false,"required":false,"index":false},{"name":"fragment_path","description":"The unit file path this unit was read from, if there is any","type":"text","hidden":false,"required":false,"index":false},{"name":"user","description":"The configured user, if any","type":"text","hidden":false,"required":false,"index":false},{"name":"source_path","description":"Path to the (possibly generated) unit configuration file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"temperature_sensors","description":"Machine's temperature sensors.","platforms":["darwin"],"columns":[{"name":"key","description":"The SMC key on OS X","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of temperature source","type":"text","hidden":false,"required":false,"index":false},{"name":"celsius","description":"Temperature in Celsius","type":"double","hidden":false,"required":false,"index":false},{"name":"fahrenheit","description":"Temperature in Fahrenheit","type":"double","hidden":false,"required":false,"index":false}]},{"name":"time","description":"Track current date and time in the system.","platforms":["darwin","linux","freebsd","windows"],"columns":[{"name":"weekday","description":"Current weekday in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"year","description":"Current year in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"month","description":"Current month in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"day","description":"Current day in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"hour","description":"Current hour in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Current minutes in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Current seconds in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"timezone","description":"Current timezone in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"local_time","description":"Current local UNIX time in the system","type":"integer","hidden":false,"required":false,"index":false},{"name":"local_timezone","description":"Current local timezone in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"unix_time","description":"Current UNIX time in the system, converted to UTC if --utc enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"timestamp","description":"Current timestamp (log format) in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"datetime","description":"Current date and time (ISO format) in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"iso_8601","description":"Current time (ISO format) in the system","type":"text","hidden":false,"required":false,"index":false},{"name":"win_timestamp","description":"Timestamp value in 100 nanosecond units.","type":"bigint","hidden":true,"required":false,"index":false}]},{"name":"time_machine_backups","description":"Backups to drives using TimeMachine.","platforms":["darwin"],"columns":[{"name":"destination_id","description":"Time Machine destination ID","type":"text","hidden":false,"required":false,"index":false},{"name":"backup_date","description":"Backup Date","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"time_machine_destinations","description":"Locations backed up to using Time Machine.","platforms":["darwin"],"columns":[{"name":"alias","description":"Human readable name of drive","type":"text","hidden":false,"required":false,"index":false},{"name":"destination_id","description":"Time Machine destination ID","type":"text","hidden":false,"required":false,"index":false},{"name":"consistency_scan_date","description":"Consistency scan date","type":"integer","hidden":false,"required":false,"index":false},{"name":"root_volume_uuid","description":"Root UUID of backup volume","type":"text","hidden":false,"required":false,"index":false},{"name":"bytes_available","description":"Bytes available on volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"bytes_used","description":"Bytes used on volume","type":"integer","hidden":false,"required":false,"index":false},{"name":"encryption","description":"Last known encrypted state","type":"text","hidden":false,"required":false,"index":false}]},{"name":"tpm_info","description":"A table that lists the TPM related information.","platforms":["windows"],"columns":[{"name":"activated","description":"TPM is activated","type":"integer","hidden":false,"required":false,"index":false},{"name":"enabled","description":"TPM is enabled","type":"integer","hidden":false,"required":false,"index":false},{"name":"owned","description":"TPM is ownned","type":"integer","hidden":false,"required":false,"index":false},{"name":"manufacturer_version","description":"TPM version","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer_id","description":"TPM manufacturers ID","type":"integer","hidden":false,"required":false,"index":false},{"name":"manufacturer_name","description":"TPM manufacturers name","type":"text","hidden":false,"required":false,"index":false},{"name":"product_name","description":"Product name of the TPM","type":"text","hidden":false,"required":false,"index":false},{"name":"physical_presence_version","description":"Version of the Physical Presence Interface","type":"text","hidden":false,"required":false,"index":false},{"name":"spec_version","description":"Trusted Computing Group specification that the TPM supports","type":"text","hidden":false,"required":false,"index":false}]},{"name":"ulimit_info","description":"System resource usage limits.","platforms":["darwin","linux"],"columns":[{"name":"type","description":"System resource to be limited","type":"text","hidden":false,"required":false,"index":false},{"name":"soft_limit","description":"Current limit value","type":"text","hidden":false,"required":false,"index":false},{"name":"hard_limit","description":"Maximum limit value","type":"text","hidden":false,"required":false,"index":false}]},{"name":"uptime","description":"Track time passed since last boot. Some systems track this as calendar time, some as runtime.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"days","description":"Days of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"hours","description":"Hours of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"minutes","description":"Minutes of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"seconds","description":"Seconds of uptime","type":"integer","hidden":false,"required":false,"index":false},{"name":"total_seconds","description":"Total uptime seconds","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"usb_devices","description":"USB devices that are actively plugged into the host system.","platforms":["darwin","linux"],"columns":[{"name":"usb_address","description":"USB Device used address","type":"integer","hidden":false,"required":false,"index":false},{"name":"usb_port","description":"USB Device used port","type":"integer","hidden":false,"required":false,"index":false},{"name":"vendor","description":"USB Device vendor string","type":"text","hidden":false,"required":false,"index":false},{"name":"vendor_id","description":"Hex encoded USB Device vendor identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"version","description":"USB Device version number","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"USB Device model string","type":"text","hidden":false,"required":false,"index":false},{"name":"model_id","description":"Hex encoded USB Device model identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"serial","description":"USB Device serial connection","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"USB Device class","type":"text","hidden":false,"required":false,"index":false},{"name":"subclass","description":"USB Device subclass","type":"text","hidden":false,"required":false,"index":false},{"name":"protocol","description":"USB Device protocol","type":"text","hidden":false,"required":false,"index":false},{"name":"removable","description":"1 If USB device is removable else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"user_events","description":"Track user events from the audit framework.","platforms":["darwin","linux"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"auid","description":"Audit User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process (or thread) ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"message","description":"Message from the event","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"The file description for the process socket","type":"integer","hidden":false,"required":false,"index":false},{"name":"path","description":"Supplied path from event","type":"text","hidden":false,"required":false,"index":false},{"name":"address","description":"The Internet protocol address or family ID","type":"text","hidden":false,"required":false,"index":false},{"name":"terminal","description":"The network protocol ID","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of execution in UNIX time","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uptime","description":"Time of execution in system uptime","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"user_groups","description":"Local system user group relationships.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"user_interaction_events","description":"Track user interaction events from macOS' event tapping framework.","platforms":["darwin"],"columns":[{"name":"time","description":"Time","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"user_ssh_keys","description":"Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"The local user that owns the key file","type":"bigint","hidden":false,"required":false,"index":false},{"name":"path","description":"Path to key file","type":"text","hidden":false,"required":false,"index":false},{"name":"encrypted","description":"1 if key is encrypted, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"key_type","description":"The type of the private key. One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string.","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"userassist","description":"UserAssist Registry Key tracks when a user executes an application from Windows Explorer.","platforms":["windows"],"columns":[{"name":"path","description":"Application file path.","type":"text","hidden":false,"required":false,"index":false},{"name":"last_execution_time","description":"Most recent time application was executed.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of times the application has been executed.","type":"integer","hidden":false,"required":false,"index":false},{"name":"sid","description":"User SID.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"users","description":"Local user accounts (including domain accounts that have logged on locally (Windows)).","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"uid","description":"User ID","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid","description":"Group ID (unsigned)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uid_signed","description":"User ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"gid_signed","description":"Default group ID as int64 signed (Apple)","type":"bigint","hidden":false,"required":false,"index":false},{"name":"username","description":"Username","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Optional user description","type":"text","hidden":false,"required":false,"index":false},{"name":"directory","description":"User's home directory","type":"text","hidden":false,"required":false,"index":false},{"name":"shell","description":"User's configured default shell","type":"text","hidden":false,"required":false,"index":false},{"name":"uuid","description":"User's UUID (Apple) or SID (Windows)","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Whether the account is roaming (domain), local, or a system profile","type":"text","hidden":true,"required":false,"index":false},{"name":"is_hidden","description":"IsHidden attribute set in OpenDirectory","type":"integer","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]},{"name":"video_info","description":"Retrieve video card information of the machine.","platforms":["windows"],"columns":[{"name":"color_depth","description":"The amount of bits per pixel to represent color.","type":"integer","hidden":false,"required":false,"index":false},{"name":"driver","description":"The driver of the device.","type":"text","hidden":false,"required":false,"index":false},{"name":"driver_date","description":"The date listed on the installed driver.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"driver_version","description":"The version of the installed driver.","type":"text","hidden":false,"required":false,"index":false},{"name":"manufacturer","description":"The manufacturer of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"model","description":"The model of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"series","description":"The series of the gpu.","type":"text","hidden":false,"required":false,"index":false},{"name":"video_mode","description":"The current resolution of the display.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"virtual_memory_info","description":"Darwin Virtual Memory statistics.","platforms":["darwin"],"columns":[{"name":"free","description":"Total number of free pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"active","description":"Total number of active pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"inactive","description":"Total number of inactive pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"speculative","description":"Total number of speculative pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"throttled","description":"Total number of throttled pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"wired","description":"Total number of wired down pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"purgeable","description":"Total number of purgeable pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"faults","description":"Total number of calls to vm_faults.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"copy","description":"Total number of copy-on-write pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"zero_fill","description":"Total number of zero filled pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"reactivated","description":"Total number of reactivated pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"purged","description":"Total number of purged pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"file_backed","description":"Total number of file backed pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"anonymous","description":"Total number of anonymous pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"uncompressed","description":"Total number of uncompressed pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"compressor","description":"The number of pages used to store compressed VM pages.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"decompressed","description":"The total number of pages that have been decompressed by the VM compressor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"compressed","description":"The total number of pages that have been compressed by the VM compressor.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"page_ins","description":"The total number of requests for pages from a pager.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"page_outs","description":"Total number of pages paged out.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_ins","description":"The total number of compressed pages that have been swapped out to disk.","type":"bigint","hidden":false,"required":false,"index":false},{"name":"swap_outs","description":"The total number of compressed pages that have been swapped back in from disk.","type":"bigint","hidden":false,"required":false,"index":false}]},{"name":"wifi_networks","description":"OS X known/remembered Wi-Fi networks list.","platforms":["darwin"],"columns":[{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","hidden":false,"required":false,"index":false},{"name":"last_connected","description":"Last time this netword was connected to as a unix_time","type":"integer","hidden":false,"required":false,"index":false},{"name":"passpoint","description":"1 if Passpoint is supported, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"possibly_hidden","description":"1 if network is possibly a hidden network, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"roaming","description":"1 if roaming is supported, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"roaming_profile","description":"Describe the roaming profile, usually one of Single, Dual or Multi","type":"text","hidden":false,"required":false,"index":false},{"name":"captive_portal","description":"1 if this network has a captive portal, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"auto_login","description":"1 if auto login is enabled, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"temporarily_disabled","description":"1 if this network is temporarily disabled, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false},{"name":"disabled","description":"1 if this network is disabled, 0 otherwise","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"wifi_status","description":"OS X current WiFi status.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name of the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","hidden":false,"required":false,"index":false},{"name":"security_type","description":"Type of security on this network","type":"text","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication (dbm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement (dBm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","hidden":false,"required":false,"index":false},{"name":"transmit_rate","description":"The current transmit rate","type":"text","hidden":false,"required":false,"index":false},{"name":"mode","description":"The current operating mode for the Wi-Fi interface","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wifi_survey","description":"Scan for nearby WiFi networks.","platforms":["darwin"],"columns":[{"name":"interface","description":"Name of the interface","type":"text","hidden":false,"required":false,"index":false},{"name":"ssid","description":"SSID octets of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"bssid","description":"The current basic service set identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"network_name","description":"Name of the network","type":"text","hidden":false,"required":false,"index":false},{"name":"country_code","description":"The country code (ISO/IEC 3166-1:1997) for the network","type":"text","hidden":false,"required":false,"index":false},{"name":"rssi","description":"The current received signal strength indication (dbm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"noise","description":"The current noise measurement (dBm)","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel","description":"Channel number","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_width","description":"Channel width","type":"integer","hidden":false,"required":false,"index":false},{"name":"channel_band","description":"Channel band","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"winbaseobj","description":"Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.","platforms":["windows"],"columns":[{"name":"session_id","description":"Terminal Services Session Id","type":"integer","hidden":false,"required":false,"index":false},{"name":"object_name","description":"Object Name","type":"text","hidden":false,"required":false,"index":false},{"name":"object_type","description":"Object Type","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_crashes","description":"Extracted information from Windows crash logs (Minidumps).","platforms":["windows"],"columns":[{"name":"datetime","description":"Timestamp (log format) of the crash","type":"text","hidden":false,"required":false,"index":false},{"name":"module","description":"Path of the crashed module within the process","type":"text","hidden":false,"required":false,"index":false},{"name":"path","description":"Path of the executable file for the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID of the crashed process","type":"bigint","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID of the crashed thread","type":"bigint","hidden":false,"required":false,"index":false},{"name":"version","description":"File version info of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"process_uptime","description":"Uptime of the process in seconds","type":"bigint","hidden":false,"required":false,"index":false},{"name":"stack_trace","description":"Multiple stack frames from the stack trace","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_code","description":"The Windows exception code","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_message","description":"The NTSTATUS error message associated with the exception code","type":"text","hidden":false,"required":false,"index":false},{"name":"exception_address","description":"Address (in hex) where the exception occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"registers","description":"The values of the system registers","type":"text","hidden":false,"required":false,"index":false},{"name":"command_line","description":"Command-line string passed to the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"current_directory","description":"Current working directory of the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"username","description":"Username of the user who ran the crashed process","type":"text","hidden":false,"required":false,"index":false},{"name":"machine_name","description":"Name of the machine where the crash happened","type":"text","hidden":false,"required":false,"index":false},{"name":"major_version","description":"Windows major version of the machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"minor_version","description":"Windows minor version of the machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"build_number","description":"Windows build number of the crashing machine","type":"integer","hidden":false,"required":false,"index":false},{"name":"type","description":"Type of crash log","type":"text","hidden":false,"required":false,"index":false},{"name":"crash_path","description":"Path of the log file","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_eventlog","description":"Table for querying all recorded Windows event logs.","platforms":["windows"],"columns":[{"name":"channel","description":"Source or channel of the event","type":"text","hidden":false,"required":true,"index":false},{"name":"datetime","description":"System time at which the event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"level","description":"Severity level associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"pid","description":"Process ID which emitted the event record","type":"integer","hidden":false,"required":false,"index":false},{"name":"tid","description":"Thread ID which emitted the event record","type":"integer","hidden":false,"required":false,"index":false},{"name":"time_range","description":"System time to selectively filter the events","type":"text","hidden":true,"required":false,"index":false},{"name":"timestamp","description":"Timestamp to selectively filter the events","type":"text","hidden":true,"required":false,"index":false},{"name":"xpath","description":"The custom query to filter events","type":"text","hidden":true,"required":true,"index":false}]},{"name":"windows_events","description":"Windows Event logs.","platforms":["windows"],"columns":[{"name":"time","description":"Timestamp the event was received","type":"bigint","hidden":false,"required":false,"index":false},{"name":"datetime","description":"System time at which the event occurred","type":"text","hidden":false,"required":false,"index":false},{"name":"source","description":"Source or channel of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_name","description":"Provider name of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"provider_guid","description":"Provider guid of the event","type":"text","hidden":false,"required":false,"index":false},{"name":"computer_name","description":"Hostname of system where event was generated","type":"text","hidden":false,"required":false,"index":false},{"name":"eventid","description":"Event ID of the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"task","description":"Task value associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"level","description":"The severity level associated with the event","type":"integer","hidden":false,"required":false,"index":false},{"name":"keywords","description":"A bitmask of the keywords defined in the event","type":"text","hidden":false,"required":false,"index":false},{"name":"data","description":"Data associated with the event","type":"text","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"windows_optional_features","description":"Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the feature","type":"text","hidden":false,"required":false,"index":false},{"name":"caption","description":"Caption of feature in settings UI","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"Installation state value. 1 == Enabled, 2 == Disabled, 3 == Absent","type":"integer","hidden":false,"required":false,"index":false},{"name":"statename","description":"Installation state name. 'Enabled','Disabled','Absent'","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_security_center","description":"The health status of Window Security features. Health values can be \"Good\", \"Poor\". \"Snoozed\", \"Not Monitored\", and \"Error\".","platforms":["windows"],"columns":[{"name":"firewall","description":"The health of the monitored Firewall (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"autoupdate","description":"The health of the Windows Autoupdate feature","type":"text","hidden":false,"required":false,"index":false},{"name":"antivirus","description":"The health of the monitored Antivirus solution (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"antispyware","description":"The health of the monitored Antispyware solution (see windows_security_products)","type":"text","hidden":false,"required":false,"index":false},{"name":"internet_settings","description":"The health of the Internet Settings","type":"text","hidden":false,"required":false,"index":false},{"name":"windows_security_center_service","description":"The health of the Windows Security Center Service","type":"text","hidden":false,"required":false,"index":false},{"name":"user_account_control","description":"The health of the User Account Control (UAC) capability in Windows","type":"text","hidden":false,"required":false,"index":false}]},{"name":"windows_security_products","description":"Enumeration of registered Windows security products.","platforms":["windows"],"columns":[{"name":"type","description":"Type of security product","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of product","type":"text","hidden":false,"required":false,"index":false},{"name":"state","description":"State of protection","type":"text","hidden":false,"required":false,"index":false},{"name":"state_timestamp","description":"Timestamp for the product state","type":"text","hidden":false,"required":false,"index":false},{"name":"remediation_path","description":"Remediation path","type":"text","hidden":false,"required":false,"index":false},{"name":"signatures_up_to_date","description":"1 if product signatures are up to date, else 0","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"wmi_bios_info","description":"Lists important information from the system bios.","platforms":["windows"],"columns":[{"name":"name","description":"Name of the Bios setting","type":"text","hidden":false,"required":false,"index":false},{"name":"value","description":"Value of the Bios setting","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_cli_event_consumers","description":"WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique name of a consumer.","type":"text","hidden":false,"required":false,"index":false},{"name":"command_line_template","description":"Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.","type":"text","hidden":false,"required":false,"index":false},{"name":"executable_path","description":"Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_event_filters","description":"Lists WMI event filters.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier of an event filter.","type":"text","hidden":false,"required":false,"index":false},{"name":"query","description":"Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.","type":"text","hidden":false,"required":false,"index":false},{"name":"query_language","description":"Query language that the query is written in.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_filter_consumer_binding","description":"Lists the relationship between event consumers and filters.","platforms":["windows"],"columns":[{"name":"consumer","description":"Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.","type":"text","hidden":false,"required":false,"index":false},{"name":"filter","description":"Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be received.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"wmi_script_event_consumers","description":"WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.","platforms":["windows"],"columns":[{"name":"name","description":"Unique identifier for the event consumer. ","type":"text","hidden":false,"required":false,"index":false},{"name":"scripting_engine","description":"Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.","type":"text","hidden":false,"required":false,"index":false},{"name":"script_file_name","description":"Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.","type":"text","hidden":false,"required":false,"index":false},{"name":"script_text","description":"Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL.","type":"text","hidden":false,"required":false,"index":false},{"name":"class","description":"The name of the class.","type":"text","hidden":false,"required":false,"index":false},{"name":"relative_path","description":"Relative path to the class or instance.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"xprotect_entries","description":"Database of the machine's XProtect signatures.","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","hidden":false,"required":false,"index":false},{"name":"launch_type","description":"Launch services content type","type":"text","hidden":false,"required":false,"index":false},{"name":"identity","description":"XProtect identity (SHA1) of content","type":"text","hidden":false,"required":false,"index":false},{"name":"filename","description":"Use this file name to match","type":"text","hidden":false,"required":false,"index":false},{"name":"filetype","description":"Use this file type to match","type":"text","hidden":false,"required":false,"index":false},{"name":"optional","description":"Match any of the identities/patterns for this XProtect name","type":"integer","hidden":false,"required":false,"index":false},{"name":"uses_pattern","description":"Uses a match pattern instead of identity","type":"integer","hidden":false,"required":false,"index":false}]},{"name":"xprotect_meta","description":"Database of the machine's XProtect browser-related signatures.","platforms":["darwin"],"columns":[{"name":"identifier","description":"Browser plugin or extension identifier","type":"text","hidden":false,"required":false,"index":false},{"name":"type","description":"Either plugin or extension","type":"text","hidden":false,"required":false,"index":false},{"name":"developer_id","description":"Developer identity (SHA1) of extension","type":"text","hidden":false,"required":false,"index":false},{"name":"min_version","description":"The minimum allowed plugin version.","type":"text","hidden":false,"required":false,"index":false}]},{"name":"xprotect_reports","description":"Database of XProtect matches (if user generated/sent an XProtect report).","platforms":["darwin"],"columns":[{"name":"name","description":"Description of XProtected malware","type":"text","hidden":false,"required":false,"index":false},{"name":"user_action","description":"Action taken by user after prompted","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Quarantine alert time","type":"text","hidden":false,"required":false,"index":false}]},{"name":"yara","description":"Track YARA matches for files or PIDs.","platforms":["darwin","linux","windows"],"columns":[{"name":"path","description":"The path scanned","type":"text","hidden":false,"required":true,"index":false},{"name":"matches","description":"List of YARA matches","type":"text","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","hidden":false,"required":false,"index":false},{"name":"sig_group","description":"Signature group used","type":"text","hidden":false,"required":false,"index":false},{"name":"sigfile","description":"Signature file used","type":"text","hidden":false,"required":false,"index":false},{"name":"sigrule","description":"Signature strings used","type":"text","hidden":true,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","hidden":false,"required":false,"index":false},{"name":"sigurl","description":"Signature url","type":"text","hidden":true,"required":false,"index":false}]},{"name":"yara_events","description":"Track YARA matches for files specified in configuration data.","platforms":["darwin","linux","windows"],"columns":[{"name":"target_path","description":"The path scanned","type":"text","hidden":false,"required":false,"index":false},{"name":"category","description":"The category of the file","type":"text","hidden":false,"required":false,"index":false},{"name":"action","description":"Change action (UPDATE, REMOVE, etc)","type":"text","hidden":false,"required":false,"index":false},{"name":"transaction_id","description":"ID used during bulk update","type":"bigint","hidden":false,"required":false,"index":false},{"name":"matches","description":"List of YARA matches","type":"text","hidden":false,"required":false,"index":false},{"name":"count","description":"Number of YARA matches","type":"integer","hidden":false,"required":false,"index":false},{"name":"strings","description":"Matching strings","type":"text","hidden":false,"required":false,"index":false},{"name":"tags","description":"Matching tags","type":"text","hidden":false,"required":false,"index":false},{"name":"time","description":"Time of the scan","type":"bigint","hidden":false,"required":false,"index":false},{"name":"eid","description":"Event ID","type":"text","hidden":true,"required":false,"index":false}]},{"name":"ycloud_instance_metadata","description":"Yandex.Cloud instance metadata.","platforms":["darwin","linux","windows","freebsd"],"columns":[{"name":"instance_id","description":"Unique identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"folder_id","description":"Folder identifier for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"name","description":"Name of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"description","description":"Description of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"hostname","description":"Hostname of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"zone","description":"Availability zone of the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"ssh_public_key","description":"SSH public key. Only available if supplied at instance launch time","type":"text","hidden":false,"required":false,"index":false},{"name":"serial_port_enabled","description":"Indicates if serial port is enabled for the VM","type":"text","hidden":false,"required":false,"index":false},{"name":"metadata_endpoint","description":"Endpoint used to fetch VM metadata","type":"text","hidden":false,"required":false,"index":false}]},{"name":"yum_sources","description":"Current list of Yum repositories or software channels.","platforms":["darwin","linux"],"columns":[{"name":"name","description":"Repository name","type":"text","hidden":false,"required":false,"index":false},{"name":"baseurl","description":"Repository base URL","type":"text","hidden":false,"required":false,"index":false},{"name":"enabled","description":"Whether the repository is used","type":"text","hidden":false,"required":false,"index":false},{"name":"gpgcheck","description":"Whether packages are GPG checked","type":"text","hidden":false,"required":false,"index":false},{"name":"gpgkey","description":"URL to GPG key","type":"text","hidden":false,"required":false,"index":false},{"name":"pid_with_namespace","description":"Pids that contain a namespace","type":"integer","hidden":true,"required":false,"index":false}]}] \ No newline at end of file diff --git a/x-pack/plugins/osquery/public/common/validations.ts b/x-pack/plugins/osquery/public/common/validations.ts index 7ab9de52e35ad..09c43c16b12a3 100644 --- a/x-pack/plugins/osquery/public/common/validations.ts +++ b/x-pack/plugins/osquery/public/common/validations.ts @@ -11,7 +11,7 @@ import { ValidationFunc, fieldValidators } from '../shared_imports'; // eslint-disable-next-line @typescript-eslint/no-explicit-any export const queryFieldValidation: ValidationFunc = fieldValidators.emptyField( - i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.emptyQueryError', { + i18n.translate('xpack.osquery.pack.queryFlyoutForm.emptyQueryError', { defaultMessage: 'Query is a required field', }) ); diff --git a/x-pack/plugins/osquery/public/components/app.tsx b/x-pack/plugins/osquery/public/components/app.tsx index 33fb6ac6a2adf..ea1f9698795aa 100644 --- a/x-pack/plugins/osquery/public/components/app.tsx +++ b/x-pack/plugins/osquery/public/components/app.tsx @@ -44,13 +44,10 @@ const OsqueryAppComponent = () => { defaultMessage="Live queries" /> - + { application: { getUrlForApp, navigateToApp }, } = useKibana().services; - const integrationHref = useMemo(() => { - return getUrlForApp(INTEGRATIONS_PLUGIN_ID, { - path: pagePathGetters.integration_details_overview({ - pkgkey: OSQUERY_INTEGRATION_NAME, - })[1], - }); - }, [getUrlForApp]); + const integrationHref = useMemo( + () => + getUrlForApp(INTEGRATIONS_PLUGIN_ID, { + path: pagePathGetters.integration_details_overview({ + pkgkey: OSQUERY_INTEGRATION_NAME, + })[1], + }), + [getUrlForApp] + ); const integrationClick = useCallback( (event) => { diff --git a/x-pack/plugins/osquery/public/components/manage_integration_link.tsx b/x-pack/plugins/osquery/public/components/manage_integration_link.tsx index 32779ded46c50..208d8e3f28172 100644 --- a/x-pack/plugins/osquery/public/components/manage_integration_link.tsx +++ b/x-pack/plugins/osquery/public/components/manage_integration_link.tsx @@ -11,40 +11,36 @@ import { EuiButtonEmpty, EuiFlexItem } from '@elastic/eui'; import { INTEGRATIONS_PLUGIN_ID } from '../../../fleet/common'; import { pagePathGetters } from '../../../fleet/public'; - import { useKibana, isModifiedEvent, isLeftClickEvent } from '../common/lib/kibana'; -import { useOsqueryIntegrationStatus } from '../common/hooks'; +import { OSQUERY_INTEGRATION_NAME } from '../../common'; const ManageIntegrationLinkComponent = () => { const { application: { getUrlForApp, navigateToApp }, } = useKibana().services; - const { data: osqueryIntegration } = useOsqueryIntegrationStatus(); - const integrationHref = useMemo(() => { - if (osqueryIntegration) { - return getUrlForApp(INTEGRATIONS_PLUGIN_ID, { + const integrationHref = useMemo( + () => + getUrlForApp(INTEGRATIONS_PLUGIN_ID, { path: pagePathGetters.integration_details_policies({ - pkgkey: `${osqueryIntegration.name}-${osqueryIntegration.version}`, + pkgkey: OSQUERY_INTEGRATION_NAME, })[1], - }); - } - }, [getUrlForApp, osqueryIntegration]); + }), + [getUrlForApp] + ); const integrationClick = useCallback( (event) => { if (!isModifiedEvent(event) && isLeftClickEvent(event)) { event.preventDefault(); - if (osqueryIntegration) { - return navigateToApp(INTEGRATIONS_PLUGIN_ID, { - path: pagePathGetters.integration_details_policies({ - pkgkey: `${osqueryIntegration.name}-${osqueryIntegration.version}`, - })[1], - }); - } + return navigateToApp(INTEGRATIONS_PLUGIN_ID, { + path: pagePathGetters.integration_details_policies({ + pkgkey: OSQUERY_INTEGRATION_NAME, + })[1], + }); } }, - [navigateToApp, osqueryIntegration] + [navigateToApp] ); return integrationHref ? ( diff --git a/x-pack/plugins/osquery/public/components/osquery_schema_link.tsx b/x-pack/plugins/osquery/public/components/osquery_schema_link.tsx index 2ce1b4d933f60..77af34b405876 100644 --- a/x-pack/plugins/osquery/public/components/osquery_schema_link.tsx +++ b/x-pack/plugins/osquery/public/components/osquery_schema_link.tsx @@ -11,7 +11,7 @@ import React from 'react'; export const OsquerySchemaLink = React.memo(() => ( - + diff --git a/x-pack/plugins/osquery/public/editor/index.tsx b/x-pack/plugins/osquery/public/editor/index.tsx index 09e0ccbf7a45c..7d6823acec2cd 100644 --- a/x-pack/plugins/osquery/public/editor/index.tsx +++ b/x-pack/plugins/osquery/public/editor/index.tsx @@ -44,7 +44,7 @@ const OsqueryEditorComponent: React.FC = ({ defaultValue, on name="osquery_editor" setOptions={EDITOR_SET_OPTIONS} editorProps={EDITOR_PROPS} - height="150px" + height="100px" width="100%" /> ); diff --git a/x-pack/plugins/osquery/public/editor/osquery_highlight_rules.ts b/x-pack/plugins/osquery/public/editor/osquery_highlight_rules.ts index eda9401efd3a2..c14899b902e2e 100644 --- a/x-pack/plugins/osquery/public/editor/osquery_highlight_rules.ts +++ b/x-pack/plugins/osquery/public/editor/osquery_highlight_rules.ts @@ -108,6 +108,7 @@ const dataTypes = [ (ace as unknown as AceInterface).define( 'ace/mode/osquery_highlight_rules', ['require', 'exports', 'ace/mode/sql_highlight_rules'], + // eslint-disable-next-line prefer-arrow-callback function (acequire, exports) { 'use strict'; diff --git a/x-pack/plugins/osquery/public/editor/osquery_mode.ts b/x-pack/plugins/osquery/public/editor/osquery_mode.ts index d417d6b5137bf..85da6fb0fa5c4 100644 --- a/x-pack/plugins/osquery/public/editor/osquery_mode.ts +++ b/x-pack/plugins/osquery/public/editor/osquery_mode.ts @@ -14,6 +14,7 @@ import './osquery_highlight_rules'; (ace as unknown as AceInterface).define( 'ace/mode/osquery', ['require', 'exports', 'ace/mode/sql', 'ace/mode/osquery_highlight_rules'], + // eslint-disable-next-line prefer-arrow-callback function (acequire, exports) { const TextMode = acequire('./sql').Mode; const OsqueryHighlightRules = acequire('./osquery_highlight_rules').OsqueryHighlightRules; diff --git a/x-pack/plugins/osquery/public/editor/osquery_tables.ts b/x-pack/plugins/osquery/public/editor/osquery_tables.ts index 584a70391f0f2..1320407984618 100644 --- a/x-pack/plugins/osquery/public/editor/osquery_tables.ts +++ b/x-pack/plugins/osquery/public/editor/osquery_tables.ts @@ -10,18 +10,14 @@ import { flatMap, sortBy } from 'lodash'; type TablesJSON = Array<{ name: string; }>; -export const normalizeTables = (tablesJSON: TablesJSON) => { - return sortBy(tablesJSON, (table) => { - return table.name; - }); -}; +export const normalizeTables = (tablesJSON: TablesJSON) => sortBy(tablesJSON, 'name'); let osqueryTables: TablesJSON | null = null; export const getOsqueryTables = () => { if (!osqueryTables) { // eslint-disable-next-line @typescript-eslint/no-var-requires - osqueryTables = normalizeTables(require('../common/schemas/osquery/v4.9.0.json')); + osqueryTables = normalizeTables(require('../common/schemas/osquery/v5.0.1.json')); } return osqueryTables; }; -export const getOsqueryTableNames = () => flatMap(getOsqueryTables(), (table) => table.name); +export const getOsqueryTableNames = () => flatMap(getOsqueryTables(), 'name'); diff --git a/x-pack/plugins/osquery/public/fleet_integration/navigation_buttons.tsx b/x-pack/plugins/osquery/public/fleet_integration/navigation_buttons.tsx index d8169c25ad929..b6a90541d26c6 100644 --- a/x-pack/plugins/osquery/public/fleet_integration/navigation_buttons.tsx +++ b/x-pack/plugins/osquery/public/fleet_integration/navigation_buttons.tsx @@ -51,20 +51,16 @@ const NavigationButtonsComponent: React.FC = ({ [agentPolicyId, navigateToApp] ); - const scheduleQueryGroupsHref = getUrlForApp(PLUGIN_ID, { - path: integrationPolicyId - ? `/scheduled_query_groups/${integrationPolicyId}/edit` - : `/scheduled_query_groups`, + const packsHref = getUrlForApp(PLUGIN_ID, { + path: integrationPolicyId ? `/packs/${integrationPolicyId}/edit` : `/packs`, }); - const scheduleQueryGroupsClick = useCallback( + const packsClick = useCallback( (event) => { if (!isModifiedEvent(event) && isLeftClickEvent(event)) { event.preventDefault(); navigateToApp(PLUGIN_ID, { - path: integrationPolicyId - ? `/scheduled_query_groups/${integrationPolicyId}/edit` - : `/scheduled_query_groups`, + path: integrationPolicyId ? `/packs/${integrationPolicyId}/edit` : `/packs`, }); } }, @@ -88,13 +84,13 @@ const NavigationButtonsComponent: React.FC = ({ } - title={i18n.translate('xpack.osquery.fleetIntegration.scheduleQueryGroupsButtonText', { - defaultMessage: 'Schedule query groups', + title={i18n.translate('xpack.osquery.fleetIntegration.packsButtonText', { + defaultMessage: 'Packs', })} description={''} isDisabled={isDisabled} - href={scheduleQueryGroupsHref} - onClick={scheduleQueryGroupsClick} + href={packsHref} + onClick={packsClick} /> diff --git a/x-pack/plugins/osquery/public/fleet_integration/osquery_managed_policy_create_import_extension.tsx b/x-pack/plugins/osquery/public/fleet_integration/osquery_managed_policy_create_import_extension.tsx index 4578c159e809e..752e95b70efac 100644 --- a/x-pack/plugins/osquery/public/fleet_integration/osquery_managed_policy_create_import_extension.tsx +++ b/x-pack/plugins/osquery/public/fleet_integration/osquery_managed_policy_create_import_extension.tsx @@ -5,29 +5,45 @@ * 2.0. */ -import { filter } from 'lodash/fp'; -import { EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiCallOut, EuiLink } from '@elastic/eui'; +import { get, isEmpty, unset, set } from 'lodash'; +import satisfies from 'semver/functions/satisfies'; +import { + EuiFlexGroup, + EuiFlexItem, + EuiSpacer, + EuiCallOut, + EuiLink, + EuiAccordion, +} from '@elastic/eui'; import React, { useEffect, useMemo, useState } from 'react'; -import { useHistory, useLocation } from 'react-router-dom'; import { produce } from 'immer'; +import { i18n } from '@kbn/i18n'; +import useDebounce from 'react-use/lib/useDebounce'; +import styled from 'styled-components'; import { agentRouteService, agentPolicyRouteService, AgentPolicy, PLUGIN_ID, - NewPackagePolicy, } from '../../../fleet/common'; import { pagePathGetters, PackagePolicyCreateExtensionComponentProps, PackagePolicyEditExtensionComponentProps, } from '../../../fleet/public'; -import { ScheduledQueryGroupQueriesTable } from '../scheduled_query_groups/scheduled_query_group_queries_table'; import { useKibana } from '../common/lib/kibana'; import { NavigationButtons } from './navigation_buttons'; import { DisabledCallout } from './disabled_callout'; -import { OsqueryManagerPackagePolicy } from '../../common/types'; +import { Form, useForm, Field, getUseField, FIELD_TYPES, fieldValidators } from '../shared_imports'; + +const CommonUseField = getUseField({ component: Field }); + +const StyledEuiAccordion = styled(EuiAccordion)` + .euiAccordion__button { + color: ${({ theme }) => theme.eui.euiColorPrimary}; + } +`; /** * Exports Osquery-specific package policy instructions @@ -46,8 +62,32 @@ export const OsqueryManagedPolicyCreateImportExtension = React.memo< application: { getUrlForApp }, http, } = useKibana().services; - const { state: locationState } = useLocation(); - const { go } = useHistory(); + + const { form: configForm } = useForm({ + defaultValue: { + config: JSON.stringify(get(newPolicy, 'inputs[0].config.osquery.value', {}), null, 2), + }, + schema: { + config: { + label: i18n.translate('xpack.osquery.fleetIntegration.osqueryConfig.configFieldLabel', { + defaultMessage: 'Osquery config', + }), + type: FIELD_TYPES.JSON, + validations: [ + { + validator: fieldValidators.isJsonField( + i18n.translate('xpack.osquery.fleetIntegration.osqueryConfig.configFieldError', { + defaultMessage: 'Invalid JSON', + }), + { allowEmptyString: true } + ), + }, + ], + }, + }, + }); + + const { isValid, getFormData } = configForm; const agentsLinkHref = useMemo(() => { if (!policy?.policy_id) return '#'; @@ -60,6 +100,27 @@ export const OsqueryManagedPolicyCreateImportExtension = React.memo< }); }, [getUrlForApp, policy?.policy_id]); + useDebounce( + () => { + // if undefined it means that config was not modified + if (isValid === undefined) return; + const configData = getFormData().config; + + const updatedPolicy = produce(newPolicy, (draft) => { + if (isEmpty(configData)) { + unset(draft, 'inputs[0].config'); + } else { + set(draft, 'inputs[0].config.osquery.value', configData); + } + return draft; + }); + + onChange({ isValid: !!isValid, updatedPolicy: isValid ? updatedPolicy : newPolicy }); + }, + 500, + [isValid] + ); + useEffect(() => { if (editMode && policyAgentsCount === null) { const fetchAgentsCount = async () => { @@ -95,70 +156,44 @@ export const OsqueryManagedPolicyCreateImportExtension = React.memo< } }, [editMode, http, policy?.policy_id, policyAgentsCount]); - useEffect(() => { - /* - in order to enable Osquery side nav we need to refresh the whole Kibana - TODO: Find a better solution - */ - if (editMode && locationState?.forceRefresh) { - go(0); - } - }, [editMode, go, locationState]); - useEffect(() => { /* by default Fleet set up streams with an empty scheduled query, this code removes that, so the user can schedule queries in the next step */ - if (!editMode) { - const updatedPolicy = produce(newPolicy, (draft) => { - draft.inputs[0].streams = []; - return draft; - }); - onChange({ - isValid: true, - updatedPolicy, - }); + if (newPolicy?.package?.version) { + if (!editMode && satisfies(newPolicy?.package?.version, '<0.6.0')) { + const updatedPolicy = produce(newPolicy, (draft) => { + set(draft, 'inputs[0].streams', []); + }); + onChange({ + isValid: true, + updatedPolicy, + }); + } + + /* From 0.6.0 we don't provide an input template, so we have to set it here */ + if (satisfies(newPolicy?.package?.version, '>=0.6.0')) { + const updatedPolicy = produce(newPolicy, (draft) => { + if (!draft.inputs.length) { + set(draft, 'inputs[0]', { + type: 'osquery', + enabled: true, + streams: [], + policy_template: 'osquery_manager', + }); + } + }); + onChange({ + isValid: true, + updatedPolicy, + }); + } } // eslint-disable-next-line react-hooks/exhaustive-deps }, []); - // TODO: Find a better solution - // useEffect(() => { - // if (!editMode) { - // replace({ - // state: { - // onSaveNavigateTo: (newPackagePolicy) => [ - // INTEGRATIONS_PLUGIN_ID, - // { - // path: - // '#' + - // pagePathGetters.integration_policy_edit({ - // packagePolicyId: newPackagePolicy.id, - // })[1], - // state: { - // forceRefresh: true, - // }, - // }, - // ], - // } as CreatePackagePolicyRouteState, - // }); - // } - // }, [editMode, replace]); - - const scheduledQueryGroupTableData = useMemo(() => { - const policyWithoutEmptyQueries = produce( - newPolicy, - (draft) => { - draft.inputs[0].streams = filter(['compiled_stream.id', null], draft.inputs[0].streams); - return draft; - } - ); - - return policyWithoutEmptyQueries; - }, [newPolicy]); - return ( <> {!editMode ? : null} @@ -191,18 +226,20 @@ export const OsqueryManagedPolicyCreateImportExtension = React.memo< agentPolicyId={policy?.policy_id} /> - - - {editMode && scheduledQueryGroupTableData.inputs[0].streams.length ? ( - - - - - - ) : null} + + +
+ + +
); }); diff --git a/x-pack/plugins/osquery/public/live_queries/form/index.tsx b/x-pack/plugins/osquery/public/live_queries/form/index.tsx index 4e569d4cf58d8..86323b7ab4315 100644 --- a/x-pack/plugins/osquery/public/live_queries/form/index.tsx +++ b/x-pack/plugins/osquery/public/live_queries/form/index.tsx @@ -12,14 +12,18 @@ import { EuiSpacer, EuiFlexGroup, EuiFlexItem, + EuiAccordion, + EuiAccordionProps, } from '@elastic/eui'; import { EuiContainedStepProps } from '@elastic/eui/src/components/steps/steps'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; -import React, { useCallback, useEffect, useMemo, useState } from 'react'; +import React, { useCallback, useEffect, useMemo, useState, useRef } from 'react'; import { useMutation } from 'react-query'; import deepMerge from 'deepmerge'; +import styled from 'styled-components'; +import { pickBy, isEmpty } from 'lodash'; import { UseField, Form, FormData, useForm, useFormData, FIELD_TYPES } from '../../shared_imports'; import { AgentsTableField } from './agents_table_field'; import { LiveQueryQueryField } from './live_query_query_field'; @@ -29,26 +33,51 @@ import { queryFieldValidation } from '../../common/validations'; import { fieldValidators } from '../../shared_imports'; import { SavedQueryFlyout } from '../../saved_queries'; import { useErrorToast } from '../../common/hooks/use_error_toast'; +import { + ECSMappingEditorField, + ECSMappingEditorFieldRef, +} from '../../packs/queries/lazy_ecs_mapping_editor_field'; +import { SavedQueriesDropdown } from '../../saved_queries/saved_queries_dropdown'; const FORM_ID = 'liveQueryForm'; +const StyledEuiAccordion = styled(EuiAccordion)` + ${({ isDisabled }: { isDisabled: boolean }) => isDisabled && 'display: none;'} + .euiAccordion__button { + color: ${({ theme }) => theme.eui.euiColorPrimary}; + } +`; + export const MAX_QUERY_LENGTH = 2000; const GhostFormField = () => <>; +type FormType = 'simple' | 'steps'; + interface LiveQueryFormProps { defaultValue?: Partial | undefined; onSuccess?: () => void; - singleAgentMode?: boolean; + agentsField?: boolean; + queryField?: boolean; + ecsMappingField?: boolean; + formType?: FormType; + enabled?: boolean; } const LiveQueryFormComponent: React.FC = ({ defaultValue, onSuccess, - singleAgentMode, + agentsField = true, + queryField = true, + ecsMappingField = true, + formType = 'steps', + enabled = true, }) => { + const ecsFieldRef = useRef(); const permissions = useKibana().services.application.capabilities.osquery; const { http } = useKibana().services; + const [advancedContentState, setAdvancedContentState] = + useState('closed'); const [showSavedQueryFlyout, setShowSavedQueryFlyout] = useState(false); const setErrorToast = useErrorToast(); @@ -74,6 +103,20 @@ const LiveQueryFormComponent: React.FC = ({ ); const formSchema = { + agentSelection: { + defaultValue: { + agents: [], + allAgentsSelected: false, + platformsSelected: [], + policiesSelected: [], + }, + type: FIELD_TYPES.JSON, + validations: [], + }, + savedQueryId: { + type: FIELD_TYPES.TEXT, + validations: [], + }, query: { type: FIELD_TYPES.TEXT, validations: [ @@ -89,17 +132,41 @@ const LiveQueryFormComponent: React.FC = ({ { validator: queryFieldValidation }, ], }, + ecs_mapping: { + defaultValue: {}, + type: FIELD_TYPES.JSON, + validations: [], + }, + hidden: { + defaultValue: false, + type: FIELD_TYPES.TOGGLE, + validations: [], + }, }; const { form } = useForm({ id: FORM_ID, schema: formSchema, - onSubmit: (payload) => { - return mutateAsync(payload); + onSubmit: async (formData, isValid) => { + const ecsFieldValue = await ecsFieldRef?.current?.validate(); + + if (isValid) { + try { + await mutateAsync({ + ...formData, + ...(isEmpty(ecsFieldValue) ? {} : { ecs_mapping: ecsFieldValue }), + }); + // eslint-disable-next-line no-empty + } catch (e) {} + } }, options: { stripEmptyFields: false, }, + serializer: ({ savedQueryId, hidden, ...formData }) => ({ + ...pickBy({ ...formData, saved_query_id: savedQueryId }), + ...(hidden != null && hidden ? { hidden } : {}), + }), defaultValue: deepMerge( { agentSelection: { @@ -109,6 +176,8 @@ const LiveQueryFormComponent: React.FC = ({ policiesSelected: [], }, query: '', + savedQueryId: null, + hidden: false, }, defaultValue ?? {} ), @@ -118,7 +187,11 @@ const LiveQueryFormComponent: React.FC = ({ const actionId = useMemo(() => data?.actions[0].action_id, [data?.actions]); const agentIds = useMemo(() => data?.actions[0].agents, [data?.actions]); - const [{ agentSelection, query }] = useFormData({ form, watch: ['agentSelection', 'query'] }); + // eslint-disable-next-line @typescript-eslint/naming-convention + const [{ agentSelection, ecs_mapping, query, savedQueryId }] = useFormData({ + form, + watch: ['agentSelection', 'ecs_mapping', 'query', 'savedQueryId'], + }); const agentSelected = useMemo( () => @@ -148,6 +221,22 @@ const LiveQueryFormComponent: React.FC = ({ [queryStatus] ); + const handleSavedQueryChange = useCallback( + (savedQuery) => { + if (savedQuery) { + setFieldValue('query', savedQuery.query); + setFieldValue('savedQueryId', savedQuery.savedQueryId); + if (!isEmpty(savedQuery.ecs_mapping)) { + setFieldValue('ecs_mapping', savedQuery.ecs_mapping); + setAdvancedContentState('open'); + } + } else { + setFieldValue('savedQueryId', null); + } + }, + [setFieldValue] + ); + const queryComponentProps = useMemo( () => ({ disabled: queryStatus === 'disabled', @@ -155,19 +244,71 @@ const LiveQueryFormComponent: React.FC = ({ [queryStatus] ); - const flyoutFormDefaultValue = useMemo(() => ({ query }), [query]); + const flyoutFormDefaultValue = useMemo( + () => ({ savedQueryId, query, ecs_mapping }), + [savedQueryId, ecs_mapping, query] + ); + + const handleToggle = useCallback((isOpen) => { + const newState = isOpen ? 'open' : 'closed'; + setAdvancedContentState(newState); + }, []); + + const ecsFieldProps = useMemo( + () => ({ + isDisabled: !permissions.writeSavedQueries, + }), + [permissions.writeSavedQueries] + ); const queryFieldStepContent = useMemo( () => ( <> - + {queryField ? ( + <> + + + + + ) : ( + <> + + + + )} + {ecsMappingField ? ( + <> + + + + + + + ) : ( + + )} - {!singleAgentMode && ( + {formType === 'steps' && ( = ({ )} = ({ ), [ + queryField, queryComponentProps, - singleAgentMode, + permissions.runSavedQueries, permissions.writeSavedQueries, + handleSavedQueryChange, + ecsMappingField, + advancedContentState, + handleToggle, + query, + ecsFieldProps, + formType, agentSelected, queryValueProvided, resultsStatus, handleShowSaveQueryFlout, + enabled, isSubmitting, submit, ] @@ -247,15 +397,18 @@ const LiveQueryFormComponent: React.FC = ({ [agentSelected, queryFieldStepContent, queryStatus, resultsStepContent, resultsStatus] ); - const singleAgentForm = useMemo( + const simpleForm = useMemo( () => ( - + {queryFieldStepContent} {resultsStepContent} ), - [queryFieldStepContent, resultsStepContent] + [agentsField, queryFieldStepContent, resultsStepContent] ); useEffect(() => { @@ -265,11 +418,25 @@ const LiveQueryFormComponent: React.FC = ({ if (defaultValue?.query) { setFieldValue('query', defaultValue?.query); } + if (defaultValue?.hidden) { + setFieldValue('hidden', defaultValue?.hidden); + } + // TODO: Set query and ECS mapping from savedQueryId object + if (defaultValue?.savedQueryId) { + setFieldValue('savedQueryId', defaultValue?.savedQueryId); + } + if (!isEmpty(defaultValue?.ecs_mapping)) { + setFieldValue('ecs_mapping', defaultValue?.ecs_mapping); + } }, [defaultValue, setFieldValue]); return ( <> -
{singleAgentMode ? singleAgentForm : } +
+ {formType === 'steps' ? : simpleForm} + + + {showSavedQueryFlyout ? ( = ({ disa const permissions = useKibana().services.application.capabilities.osquery; const { value, setValue, errors } = field; const error = errors[0]?.message; - const savedQueriesDropdownRef = useRef(null); - - const handleSavedQueryChange = useCallback( - (savedQuery) => { - setValue(savedQuery?.query ?? ''); - }, - [setValue] - ); const handleEditorChange = useCallback( (newValue) => { - savedQueriesDropdownRef.current?.clearSelection(); setValue(newValue); }, [setValue] ); return ( - - <> - - - }> - {!permissions.writeLiveQueries || disabled ? ( - - {value} - - ) : ( - - )} - - + } + isDisabled={!permissions.writeLiveQueries || disabled} + > + {!permissions.writeLiveQueries || disabled ? ( + + {value} + + ) : ( + + )} ); }; diff --git a/x-pack/plugins/osquery/public/live_queries/index.tsx b/x-pack/plugins/osquery/public/live_queries/index.tsx index 8d87d59828ee3..93459260a7333 100644 --- a/x-pack/plugins/osquery/public/live_queries/index.tsx +++ b/x-pack/plugins/osquery/public/live_queries/index.tsx @@ -5,6 +5,7 @@ * 2.0. */ +import { castArray } from 'lodash'; import { EuiCode, EuiLoadingContent, EuiEmptyPrompt } from '@elastic/eui'; import React, { useMemo } from 'react'; import { FormattedMessage } from '@kbn/i18n/react'; @@ -16,34 +17,53 @@ import { OsqueryIcon } from '../components/osquery_icon'; interface LiveQueryProps { agentId?: string; - agentPolicyId?: string; + agentIds?: string[]; + agentPolicyIds?: string[]; onSuccess?: () => void; query?: string; + savedQueryId?: string; + ecs_mapping?: unknown; + agentsField?: boolean; + queryField?: boolean; + ecsMappingField?: boolean; + enabled?: boolean; + formType?: 'steps' | 'simple'; } const LiveQueryComponent: React.FC = ({ agentId, - agentPolicyId, + agentIds, + agentPolicyIds, onSuccess, query, + savedQueryId, + // eslint-disable-next-line @typescript-eslint/naming-convention + ecs_mapping, + agentsField, + queryField, + ecsMappingField, + formType, + enabled, }) => { const { data: hasActionResultsPrivileges, isFetched } = useActionResultsPrivileges(); const defaultValue = useMemo(() => { - if (agentId || agentPolicyId || query) { + if (agentId || agentPolicyIds || query) { return { agentSelection: { allAgentsSelected: false, - agents: agentId ? [agentId] : [], + agents: castArray(agentId ?? agentIds ?? []), platformsSelected: [], - policiesSelected: agentPolicyId ? [agentPolicyId] : [], + policiesSelected: agentPolicyIds ?? [], }, query, + savedQueryId, + ecs_mapping, }; } return undefined; - }, [agentId, agentPolicyId, query]); + }, [agentId, agentIds, agentPolicyIds, ecs_mapping, query, savedQueryId]); if (!isFetched) { return ; @@ -80,7 +100,15 @@ const LiveQueryComponent: React.FC = ({ } return ( - + ); }; diff --git a/x-pack/plugins/osquery/public/packs/active_state_switch.tsx b/x-pack/plugins/osquery/public/packs/active_state_switch.tsx new file mode 100644 index 0000000000000..da1581f5f7bfe --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/active_state_switch.tsx @@ -0,0 +1,120 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiSwitch, EuiLoadingSpinner } from '@elastic/eui'; +import React, { useCallback, useMemo, useState } from 'react'; +import { useQueryClient } from 'react-query'; +import styled from 'styled-components'; +import { i18n } from '@kbn/i18n'; + +import { PackagePolicy } from '../../../fleet/common'; +import { useKibana } from '../common/lib/kibana'; +import { useAgentPolicies } from '../agent_policies/use_agent_policies'; +import { ConfirmDeployAgentPolicyModal } from './form/confirmation_modal'; +import { useErrorToast } from '../common/hooks/use_error_toast'; +import { useUpdatePack } from './use_update_pack'; + +const StyledEuiLoadingSpinner = styled(EuiLoadingSpinner)` + margin-right: ${({ theme }) => theme.eui.paddingSizes.s}; +`; + +interface ActiveStateSwitchProps { + disabled?: boolean; + item: PackagePolicy & { policy_ids: string[] }; +} + +const ActiveStateSwitchComponent: React.FC = ({ item }) => { + const queryClient = useQueryClient(); + const { + application: { + capabilities: { osquery: permissions }, + }, + notifications: { toasts }, + } = useKibana().services; + const setErrorToast = useErrorToast(); + const [confirmationModal, setConfirmationModal] = useState(false); + + const hideConfirmationModal = useCallback(() => setConfirmationModal(false), []); + + const { data } = useAgentPolicies(); + + const agentCount = useMemo( + () => + item.policy_ids.reduce( + (acc, policyId) => acc + (data?.agentPoliciesById[policyId]?.agents || 0), + 0 + ), + [data?.agentPoliciesById, item.policy_ids] + ); + + const { isLoading, mutateAsync } = useUpdatePack({ + options: { + // @ts-expect-error update types + onSuccess: (response) => { + queryClient.invalidateQueries('packList'); + setErrorToast(); + toasts.addSuccess( + response.attributes.enabled + ? i18n.translate('xpack.osquery.pack.table.activatedSuccessToastMessageText', { + defaultMessage: 'Successfully activated "{packName}" pack', + values: { + packName: response.attributes.name, + }, + }) + : i18n.translate('xpack.osquery.pack.table.deactivatedSuccessToastMessageText', { + defaultMessage: 'Successfully deactivated "{packName}" pack', + values: { + packName: response.attributes.name, + }, + }) + ); + }, + // @ts-expect-error update types + onError: (error) => { + setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); + }, + }, + }); + + const handleToggleActive = useCallback(() => { + // @ts-expect-error update types + mutateAsync({ id: item.id, enabled: !item.attributes.enabled }); + hideConfirmationModal(); + }, [hideConfirmationModal, item, mutateAsync]); + + const handleToggleActiveClick = useCallback(() => { + if (agentCount) { + return setConfirmationModal(true); + } + + handleToggleActive(); + }, [agentCount, handleToggleActive]); + + return ( + <> + {isLoading && } + + {confirmationModal && agentCount && ( + + )} + + ); +}; + +export const ActiveStateSwitch = React.memo(ActiveStateSwitchComponent); diff --git a/x-pack/plugins/osquery/public/packs/common/add_new_pack_query_flyout.tsx b/x-pack/plugins/osquery/public/packs/common/add_new_pack_query_flyout.tsx deleted file mode 100644 index 85578564b1eb2..0000000000000 --- a/x-pack/plugins/osquery/public/packs/common/add_new_pack_query_flyout.tsx +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { EuiFlyout, EuiFlyoutBody, EuiFlyoutHeader, EuiTitle } from '@elastic/eui'; -import React from 'react'; - -import { SavedQueryForm } from '../../saved_queries/form'; - -// @ts-expect-error update types -const AddNewPackQueryFlyoutComponent = ({ handleClose, handleSubmit }) => ( - - - -

{'Add new Saved Query'}

-
-
- - { - // @ts-expect-error update types - - } - -
-); - -export const AddNewPackQueryFlyout = React.memo(AddNewPackQueryFlyoutComponent); diff --git a/x-pack/plugins/osquery/public/packs/common/add_pack_query.tsx b/x-pack/plugins/osquery/public/packs/common/add_pack_query.tsx deleted file mode 100644 index d1115898b4e40..0000000000000 --- a/x-pack/plugins/osquery/public/packs/common/add_pack_query.tsx +++ /dev/null @@ -1,127 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/* eslint-disable react-perf/jsx-no-new-object-as-prop */ - -import { EuiButton, EuiCodeBlock, EuiSpacer, EuiText, EuiLink, EuiPortal } from '@elastic/eui'; -import React, { useCallback, useMemo, useState } from 'react'; -import { useQuery, useMutation, useQueryClient } from 'react-query'; - -import { getUseField, useForm, Field, Form, FIELD_TYPES } from '../../shared_imports'; -import { useKibana } from '../../common/lib/kibana'; -import { AddNewPackQueryFlyout } from './add_new_pack_query_flyout'; - -const CommonUseField = getUseField({ component: Field }); - -// @ts-expect-error update types -const AddPackQueryFormComponent = ({ handleSubmit }) => { - const queryClient = useQueryClient(); - const [showAddQueryFlyout, setShowAddQueryFlyout] = useState(false); - - const { http } = useKibana().services; - const { data } = useQuery('savedQueryList', () => - http.get('/internal/osquery/saved_query', { - query: { - pageIndex: 0, - pageSize: 100, - sortField: 'updated_at', - sortDirection: 'desc', - }, - }) - ); - - const { form } = useForm({ - id: 'addPackQueryForm', - onSubmit: handleSubmit, - defaultValue: { - query: {}, - }, - schema: { - query: { - type: FIELD_TYPES.SUPER_SELECT, - label: 'Pick from Saved Queries', - }, - interval: { - type: FIELD_TYPES.NUMBER, - label: 'Interval in seconds', - }, - }, - }); - const { submit, isSubmitting } = form; - - const createSavedQueryMutation = useMutation( - (payload) => http.post(`/internal/osquery/saved_query`, { body: JSON.stringify(payload) }), - { - onSuccess: () => { - queryClient.invalidateQueries('savedQueryList'); - setShowAddQueryFlyout(false); - }, - } - ); - - const queryOptions = useMemo( - () => - // @ts-expect-error update types - data?.saved_objects.map((savedQuery) => ({ - value: { - id: savedQuery.id, - attributes: savedQuery.attributes, - type: savedQuery.type, - }, - inputDisplay: savedQuery.attributes.name, - dropdownDisplay: ( - <> - {savedQuery.attributes.name} - -

{savedQuery.attributes.description}

-
- - {savedQuery.attributes.query} - - - ), - })) ?? [], - [data?.saved_objects] - ); - - const handleShowFlyout = useCallback(() => setShowAddQueryFlyout(true), []); - const handleCloseFlyout = useCallback(() => setShowAddQueryFlyout(false), []); - - return ( - <> -
- - {'Add new saved query'} - - } - euiFieldProps={{ - options: queryOptions, - }} - /> - - - - - {'Add query'} - - - {showAddQueryFlyout && ( - - - - )} - - ); -}; - -export const AddPackQueryForm = React.memo(AddPackQueryFormComponent); diff --git a/x-pack/plugins/osquery/public/packs/common/pack_form.tsx b/x-pack/plugins/osquery/public/packs/common/pack_form.tsx deleted file mode 100644 index ab0984e808943..0000000000000 --- a/x-pack/plugins/osquery/public/packs/common/pack_form.tsx +++ /dev/null @@ -1,60 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { EuiButton, EuiSpacer } from '@elastic/eui'; -import React from 'react'; - -import { getUseField, useForm, Field, Form, FIELD_TYPES } from '../../shared_imports'; -import { PackQueriesField } from './pack_queries_field'; - -const CommonUseField = getUseField({ component: Field }); - -// @ts-expect-error update types -const PackFormComponent = ({ data, handleSubmit }) => { - const { form } = useForm({ - id: 'addPackForm', - onSubmit: (payload) => { - return handleSubmit(payload); - }, - defaultValue: data ?? { - name: '', - description: '', - queries: [], - }, - schema: { - name: { - type: FIELD_TYPES.TEXT, - label: 'Pack name', - }, - description: { - type: FIELD_TYPES.TEXTAREA, - label: 'Description', - }, - queries: { - type: FIELD_TYPES.MULTI_SELECT, - label: 'Queries', - }, - }, - }); - const { submit, isSubmitting } = form; - - return ( -
- - - - - - - - {'Save pack'} - - - ); -}; - -export const PackForm = React.memo(PackFormComponent); diff --git a/x-pack/plugins/osquery/public/packs/common/pack_queries_field.tsx b/x-pack/plugins/osquery/public/packs/common/pack_queries_field.tsx deleted file mode 100644 index 6b3c1a001bd06..0000000000000 --- a/x-pack/plugins/osquery/public/packs/common/pack_queries_field.tsx +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { reject } from 'lodash/fp'; -import { produce } from 'immer'; -import { EuiSpacer } from '@elastic/eui'; -import React, { useCallback, useMemo } from 'react'; -import { useQueries } from 'react-query'; - -import { useKibana } from '../../common/lib/kibana'; -import { PackQueriesTable } from '../common/pack_queries_table'; -import { AddPackQueryForm } from '../common/add_pack_query'; - -// @ts-expect-error update types -const PackQueriesFieldComponent = ({ field }) => { - const { value, setValue } = field; - const { http } = useKibana().services; - - const packQueriesData = useQueries( - // @ts-expect-error update types - value.map((query) => ({ - queryKey: ['savedQuery', { id: query.id }], - queryFn: () => http.get(`/internal/osquery/saved_query/${query.id}`), - })) ?? [] - ); - - const packQueries = useMemo( - () => - // @ts-expect-error update types - packQueriesData.reduce((acc, packQueryData) => { - if (packQueryData.data) { - return [...acc, packQueryData.data]; - } - return acc; - }, []) ?? [], - [packQueriesData] - ); - - const handleAddQuery = useCallback( - (newQuery) => - setValue( - produce((draft) => { - // @ts-expect-error update - draft.push({ - interval: newQuery.interval, - query: newQuery.query.attributes.query, - id: newQuery.query.id, - name: newQuery.query.attributes.name, - }); - }) - ), - [setValue] - ); - - const handleRemoveQuery = useCallback( - // @ts-expect-error update - (query) => setValue(produce((draft) => reject(['id', query.id], draft))), - [setValue] - ); - - return ( - <> - - - - - ); -}; - -export const PackQueriesField = React.memo(PackQueriesFieldComponent); diff --git a/x-pack/plugins/osquery/public/packs/common/pack_queries_table.tsx b/x-pack/plugins/osquery/public/packs/common/pack_queries_table.tsx deleted file mode 100644 index bf57f818dc3d9..0000000000000 --- a/x-pack/plugins/osquery/public/packs/common/pack_queries_table.tsx +++ /dev/null @@ -1,140 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/* eslint-disable @typescript-eslint/no-shadow, react-perf/jsx-no-new-object-as-prop, react/jsx-no-bind, react-perf/jsx-no-new-function-as-prop, react-perf/jsx-no-new-array-as-prop */ - -import { find } from 'lodash/fp'; -import React, { useState } from 'react'; -import { - EuiBasicTable, - EuiButtonIcon, - EuiHealth, - EuiDescriptionList, - RIGHT_ALIGNMENT, -} from '@elastic/eui'; - -// @ts-expect-error update types -const PackQueriesTableComponent = ({ items, config, handleRemoveQuery }) => { - const [pageIndex, setPageIndex] = useState(0); - const [pageSize, setPageSize] = useState(10); - const [sortField, setSortField] = useState('firstName'); - const [sortDirection, setSortDirection] = useState('asc'); - const [itemIdToExpandedRowMap, setItemIdToExpandedRowMap] = useState({}); - const totalItemCount = 100; - - const onTableChange = ({ page = {}, sort = {} }) => { - // @ts-expect-error update types - const { index: pageIndex, size: pageSize } = page; - - // @ts-expect-error update types - const { field: sortField, direction: sortDirection } = sort; - - setPageIndex(pageIndex); - setPageSize(pageSize); - setSortField(sortField); - setSortDirection(sortDirection); - }; - - // @ts-expect-error update types - const toggleDetails = (item) => { - const itemIdToExpandedRowMapValues = { ...itemIdToExpandedRowMap }; - // @ts-expect-error update types - if (itemIdToExpandedRowMapValues[item.id]) { - // @ts-expect-error update types - delete itemIdToExpandedRowMapValues[item.id]; - } else { - const { online } = item; - const color = online ? 'success' : 'danger'; - const label = online ? 'Online' : 'Offline'; - const listItems = [ - { - title: 'Nationality', - description: `aa`, - }, - { - title: 'Online', - description: {label}, - }, - ]; - // @ts-expect-error update types - itemIdToExpandedRowMapValues[item.id] = ; - } - setItemIdToExpandedRowMap(itemIdToExpandedRowMapValues); - }; - - const columns = [ - { - field: 'name', - name: 'Query Name', - }, - { - name: 'Interval', - // @ts-expect-error update types - render: (query) => find(['name', query.name], config).interval, - }, - { - name: 'Actions', - actions: [ - { - name: 'Remove', - description: 'Remove this query', - type: 'icon', - icon: 'trash', - onClick: handleRemoveQuery, - }, - ], - }, - { - align: RIGHT_ALIGNMENT, - width: '40px', - isExpander: true, - // @ts-expect-error update types - render: (item) => ( - toggleDetails(item)} - // @ts-expect-error update types - aria-label={itemIdToExpandedRowMap[item.id] ? 'Collapse' : 'Expand'} - // @ts-expect-error update types - iconType={itemIdToExpandedRowMap[item.id] ? 'arrowUp' : 'arrowDown'} - /> - ), - }, - ]; - - const pagination = { - pageIndex, - pageSize, - totalItemCount, - pageSizeOptions: [3, 5, 8], - }; - - const sorting = { - sort: { - field: sortField, - direction: sortDirection, - }, - }; - - return ( - - ); -}; - -export const PackQueriesTable = React.memo(PackQueriesTableComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/index.tsx b/x-pack/plugins/osquery/public/packs/constants.ts similarity index 84% rename from x-pack/plugins/osquery/public/scheduled_query_groups/index.tsx rename to x-pack/plugins/osquery/public/packs/constants.ts index f97127a946558..509a2d9c5fde9 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/index.tsx +++ b/x-pack/plugins/osquery/public/packs/constants.ts @@ -5,4 +5,4 @@ * 2.0. */ -export * from './scheduled_query_groups_table'; +export const PACKS_ID = 'packList'; diff --git a/x-pack/plugins/osquery/public/packs/edit/index.tsx b/x-pack/plugins/osquery/public/packs/edit/index.tsx deleted file mode 100644 index 3cbd80c9f4db0..0000000000000 --- a/x-pack/plugins/osquery/public/packs/edit/index.tsx +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/* eslint-disable react-perf/jsx-no-new-object-as-prop */ - -import React from 'react'; -import { useMutation, useQuery } from 'react-query'; - -import { PackForm } from '../common/pack_form'; -import { useKibana } from '../../common/lib/kibana'; - -interface EditPackPageProps { - onSuccess: () => void; - packId: string; -} - -const EditPackPageComponent: React.FC = ({ onSuccess, packId }) => { - const { http } = useKibana().services; - - const { - data = { - queries: [], - }, - } = useQuery(['pack', { id: packId }], ({ queryKey }) => { - // @ts-expect-error update types - return http.get(`/internal/osquery/pack/${queryKey[1].id}`); - }); - - const updatePackMutation = useMutation( - (payload) => - http.put(`/internal/osquery/pack/${packId}`, { - body: JSON.stringify({ - ...data, - // @ts-expect-error update types - ...payload, - }), - }), - { - onSuccess, - } - ); - - if (!data.id) { - return <>{'Loading...'}; - } - - return ; -}; - -export const EditPackPage = React.memo(EditPackPageComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/form/confirmation_modal.tsx b/x-pack/plugins/osquery/public/packs/form/confirmation_modal.tsx similarity index 87% rename from x-pack/plugins/osquery/public/scheduled_query_groups/form/confirmation_modal.tsx rename to x-pack/plugins/osquery/public/packs/form/confirmation_modal.tsx index 65379c9e23626..bd0d083098473 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/form/confirmation_modal.tsx +++ b/x-pack/plugins/osquery/public/packs/form/confirmation_modal.tsx @@ -10,20 +10,18 @@ import { EuiCallOut, EuiConfirmModal, EuiSpacer } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; import { i18n } from '@kbn/i18n'; -import { AgentPolicy } from '../../../../fleet/common'; - interface ConfirmDeployAgentPolicyModalProps { onConfirm: () => void; onCancel: () => void; agentCount: number; - agentPolicy: AgentPolicy; + agentPolicyCount: number; } const ConfirmDeployAgentPolicyModalComponent: React.FC = ({ onConfirm, onCancel, agentCount, - agentPolicy, + agentPolicyCount, }) => ( {agentPolicy.name}, + agentPolicyCount, }} /> diff --git a/x-pack/plugins/osquery/public/packs/form/index.tsx b/x-pack/plugins/osquery/public/packs/form/index.tsx new file mode 100644 index 0000000000000..f20a26f2791dd --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/form/index.tsx @@ -0,0 +1,270 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { isEmpty, reduce } from 'lodash'; +import { + EuiFlexGroup, + EuiFlexItem, + EuiButtonEmpty, + EuiButton, + EuiSpacer, + EuiBottomBar, + EuiHorizontalRule, +} from '@elastic/eui'; +import React, { useCallback, useMemo, useState } from 'react'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n/react'; + +import { OsqueryManagerPackagePolicy } from '../../../common/types'; +import { + Form, + useForm, + useFormData, + getUseField, + Field, + FIELD_TYPES, + fieldValidators, +} from '../../shared_imports'; +import { useRouterNavigate } from '../../common/lib/kibana'; +import { PolicyIdComboBoxField } from './policy_id_combobox_field'; +import { QueriesField } from './queries_field'; +import { ConfirmDeployAgentPolicyModal } from './confirmation_modal'; +import { useAgentPolicies } from '../../agent_policies'; +import { useCreatePack } from '../use_create_pack'; +import { useUpdatePack } from '../use_update_pack'; +import { convertPackQueriesToSO, convertSOQueriesToPack } from './utils'; +import { idSchemaValidation } from '../queries/validations'; + +const GhostFormField = () => <>; + +const FORM_ID = 'scheduledQueryForm'; + +const CommonUseField = getUseField({ component: Field }); + +interface PackFormProps { + defaultValue?: OsqueryManagerPackagePolicy; + editMode?: boolean; +} + +const PackFormComponent: React.FC = ({ defaultValue, editMode = false }) => { + const [showConfirmationModal, setShowConfirmationModal] = useState(false); + const handleHideConfirmationModal = useCallback(() => setShowConfirmationModal(false), []); + + const { data: { agentPoliciesById } = {} } = useAgentPolicies(); + + const cancelButtonProps = useRouterNavigate(`packs/${editMode ? defaultValue?.id : ''}`); + + const { mutateAsync: createAsync } = useCreatePack({ + withRedirect: true, + }); + const { mutateAsync: updateAsync } = useUpdatePack({ + withRedirect: true, + }); + + const { form } = useForm< + Omit & { + queries: {}; + policy_ids: string[]; + }, + Omit & { + queries: {}; + policy_ids: string[]; + } + >({ + id: FORM_ID, + schema: { + name: { + type: FIELD_TYPES.TEXT, + label: i18n.translate('xpack.osquery.pack.form.nameFieldLabel', { + defaultMessage: 'Name', + }), + validations: [ + { + validator: idSchemaValidation, + }, + { + validator: fieldValidators.emptyField( + i18n.translate('xpack.osquery.pack.form.nameFieldRequiredErrorMessage', { + defaultMessage: 'Name is a required field', + }) + ), + }, + ], + }, + description: { + type: FIELD_TYPES.TEXT, + label: i18n.translate('xpack.osquery.pack.form.descriptionFieldLabel', { + defaultMessage: 'Description', + }), + }, + policy_ids: { + defaultValue: [], + type: FIELD_TYPES.COMBO_BOX, + label: i18n.translate('xpack.osquery.pack.form.agentPoliciesFieldLabel', { + defaultMessage: 'Agent policies', + }), + }, + enabled: { + defaultValue: true, + }, + queries: { + defaultValue: [], + }, + }, + onSubmit: async (formData, isValid) => { + if (isValid) { + try { + if (editMode) { + // @ts-expect-error update types + await updateAsync({ id: defaultValue?.id, ...formData }); + } else { + // @ts-expect-error update types + await createAsync(formData); + } + // eslint-disable-next-line no-empty + } catch (e) {} + } + }, + deserializer: (payload) => ({ + ...payload, + policy_ids: payload.policy_ids ?? [], + queries: convertPackQueriesToSO(payload.queries), + }), + serializer: (payload) => ({ + ...payload, + queries: convertSOQueriesToPack(payload.queries), + }), + defaultValue, + }); + + const { setFieldValue, submit, isSubmitting } = form; + + const [{ name: queryName, policy_ids: policyIds }] = useFormData({ + form, + watch: ['name', 'policy_ids'], + }); + + const agentCount = useMemo( + () => + reduce( + policyIds, + (acc, policyId) => { + const agentPolicy = agentPoliciesById && agentPoliciesById[policyId]; + return acc + (agentPolicy?.agents ?? 0); + }, + 0 + ), + [policyIds, agentPoliciesById] + ); + + const handleNameChange = useCallback( + (newName: string) => isEmpty(queryName) && setFieldValue('name', newName), + [queryName, setFieldValue] + ); + + const handleSaveClick = useCallback(() => { + if (agentCount) { + setShowConfirmationModal(true); + return; + } + + submit(); + }, [agentCount, submit]); + + const handleConfirmConfirmationClick = useCallback(() => { + submit(); + setShowConfirmationModal(false); + }, [submit]); + + return ( + <> +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + {editMode ? ( + + ) : ( + + )} + + + + + + + {showConfirmationModal && ( + + )} + + ); +}; + +export const PackForm = React.memo(PackFormComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/form/pack_uploader.tsx b/x-pack/plugins/osquery/public/packs/form/pack_uploader.tsx similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/form/pack_uploader.tsx rename to x-pack/plugins/osquery/public/packs/form/pack_uploader.tsx diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/form/policy_id_combobox_field.tsx b/x-pack/plugins/osquery/public/packs/form/policy_id_combobox_field.tsx similarity index 77% rename from x-pack/plugins/osquery/public/scheduled_query_groups/form/policy_id_combobox_field.tsx rename to x-pack/plugins/osquery/public/packs/form/policy_id_combobox_field.tsx index 75bb95b198f54..10149e8655d35 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/form/policy_id_combobox_field.tsx +++ b/x-pack/plugins/osquery/public/packs/form/policy_id_combobox_field.tsx @@ -5,6 +5,7 @@ * 2.0. */ +import { reduce } from 'lodash'; import { FormattedMessage } from '@kbn/i18n/react'; import { EuiFlexGroup, EuiFlexItem, EuiTextColor, EuiComboBoxOptionOption } from '@elastic/eui'; import React, { useCallback, useMemo } from 'react'; @@ -39,7 +40,32 @@ const PolicyIdComboBoxFieldComponent: React.FC = ({ field, agentPoliciesById, }) => { - const { value } = field; + const { value, setValue } = field; + + const options = useMemo( + () => + Object.entries(agentPoliciesById).map(([agentPolicyId, agentPolicy]) => ({ + key: agentPolicyId, + label: agentPolicy.name, + })), + [agentPoliciesById] + ); + + const selectedOptions = useMemo( + () => + value.map((policyId) => ({ + key: policyId, + label: agentPoliciesById[policyId]?.name ?? policyId, + })), + [agentPoliciesById, value] + ); + + const onChange = useCallback( + (newOptions: EuiComboBoxOptionOption[]) => { + setValue(newOptions.map((option) => option.key || option.label)); + }, + [setValue] + ); const renderOption = useCallback( (option: EuiComboBoxOptionOption) => ( @@ -71,17 +97,19 @@ const PolicyIdComboBoxFieldComponent: React.FC = ({ [agentPoliciesById] ); - const selectedOptions = useMemo(() => { - if (!value?.length || !value[0].length) return []; - - return value.map((policyId) => ({ - label: agentPoliciesById[policyId]?.name ?? policyId, - })); - }, [agentPoliciesById, value]); - const helpText = useMemo(() => { - if (!value?.length || !value[0].length || !agentPoliciesById || !agentPoliciesById[value[0]]) + if (!value?.length || !value[0].length || !agentPoliciesById) { return; + } + + const agentCount = reduce( + value, + (acc, policyId) => { + const agentPolicy = agentPoliciesById && agentPoliciesById[policyId]; + return acc + (agentPolicy?.agents ?? 0); + }, + 0 + ); return ( = ({ defaultMessage="{count, plural, one {# agent} other {# agents}} enrolled" // eslint-disable-next-line react-perf/jsx-no-new-object-as-prop values={{ - count: agentPoliciesById[value[0]].agents ?? 0, + count: agentCount, }} /> ); @@ -98,14 +126,15 @@ const PolicyIdComboBoxFieldComponent: React.FC = ({ const mergedEuiFieldProps = useMemo( () => ({ onCreateOption: null, - singleSelection: { asPlainText: true }, noSuggestions: false, - isClearable: false, + isClearable: true, selectedOptions, + options, renderOption, + onChange, ...euiFieldProps, }), - [euiFieldProps, renderOption, selectedOptions] + [euiFieldProps, onChange, options, renderOption, selectedOptions] ); return ( diff --git a/x-pack/plugins/osquery/public/packs/form/queries_field.tsx b/x-pack/plugins/osquery/public/packs/form/queries_field.tsx new file mode 100644 index 0000000000000..03993bf35371c --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/form/queries_field.tsx @@ -0,0 +1,230 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { findIndex, forEach, pullAt, pullAllBy, pickBy } from 'lodash'; +import { EuiFlexGroup, EuiFlexItem, EuiButton, EuiSpacer } from '@elastic/eui'; +import { produce } from 'immer'; +import React, { useCallback, useMemo, useState } from 'react'; +import { FormattedMessage } from '@kbn/i18n/react'; + +import { OsqueryManagerPackagePolicyInputStream } from '../../../common/types'; +import { FieldHook } from '../../shared_imports'; +import { PackQueriesTable } from '../pack_queries_table'; +import { QueryFlyout } from '../queries/query_flyout'; +import { OsqueryPackUploader } from './pack_uploader'; +import { getSupportedPlatforms } from '../queries/platforms/helpers'; + +interface QueriesFieldProps { + handleNameChange: (name: string) => void; + field: FieldHook>>; +} + +const QueriesFieldComponent: React.FC = ({ field, handleNameChange }) => { + const [showAddQueryFlyout, setShowAddQueryFlyout] = useState(false); + const [showEditQueryFlyout, setShowEditQueryFlyout] = useState(-1); + const [tableSelectedItems, setTableSelectedItems] = useState< + OsqueryManagerPackagePolicyInputStream[] + >([]); + + const handleShowAddFlyout = useCallback(() => setShowAddQueryFlyout(true), []); + const handleHideAddFlyout = useCallback(() => setShowAddQueryFlyout(false), []); + const handleHideEditFlyout = useCallback(() => setShowEditQueryFlyout(-1), []); + + const { setValue } = field; + + const handleDeleteClick = useCallback( + (query) => { + const streamIndex = findIndex(field.value, ['id', query.id]); + + if (streamIndex > -1) { + setValue( + produce((draft) => { + pullAt(draft, [streamIndex]); + + return draft; + }) + ); + } + }, + [field.value, setValue] + ); + + const handleEditClick = useCallback( + (query) => { + const streamIndex = findIndex(field.value, ['id', query.id]); + + setShowEditQueryFlyout(streamIndex); + }, + [field.value] + ); + + const handleEditQuery = useCallback( + (updatedQuery) => + new Promise((resolve) => { + if (showEditQueryFlyout >= 0) { + setValue( + produce((draft) => { + draft[showEditQueryFlyout].id = updatedQuery.id; + draft[showEditQueryFlyout].interval = updatedQuery.interval; + draft[showEditQueryFlyout].query = updatedQuery.query; + + if (updatedQuery.platform?.length) { + draft[showEditQueryFlyout].platform = updatedQuery.platform; + } else { + delete draft[showEditQueryFlyout].platform; + } + + if (updatedQuery.version?.length) { + draft[showEditQueryFlyout].version = updatedQuery.version; + } else { + delete draft[showEditQueryFlyout].version; + } + + if (updatedQuery.ecs_mapping) { + draft[showEditQueryFlyout].ecs_mapping = updatedQuery.ecs_mapping; + } else { + delete draft[showEditQueryFlyout].ecs_mapping; + } + + return draft; + }) + ); + } + + handleHideEditFlyout(); + resolve(); + }), + [handleHideEditFlyout, setValue, showEditQueryFlyout] + ); + + const handleAddQuery = useCallback( + (newQuery) => + new Promise((resolve) => { + setValue( + produce((draft) => { + draft.push(newQuery); + return draft; + }) + ); + handleHideAddFlyout(); + resolve(); + }), + [handleHideAddFlyout, setValue] + ); + + const handleDeleteQueries = useCallback(() => { + setValue( + produce((draft) => { + pullAllBy(draft, tableSelectedItems, 'id'); + + return draft; + }) + ); + setTableSelectedItems([]); + }, [setValue, tableSelectedItems]); + + const handlePackUpload = useCallback( + (parsedContent, packName) => { + setValue( + produce((draft) => { + forEach(parsedContent.queries, (newQuery, newQueryId) => { + draft.push( + pickBy({ + id: newQueryId, + interval: newQuery.interval ?? parsedContent.interval, + query: newQuery.query, + version: newQuery.version ?? parsedContent.version, + platform: getSupportedPlatforms(newQuery.platform ?? parsedContent.platform), + }) + ); + }); + + return draft; + }) + ); + + handleNameChange(packName); + }, + [handleNameChange, setValue] + ); + + const tableData = useMemo(() => (field.value?.length ? field.value : []), [field.value]); + + const uniqueQueryIds = useMemo( + () => + field.value && field.value.length + ? field.value.reduce((acc, query) => { + if (query?.id) { + // @ts-expect-error update types + acc.push(query.id); + } + + return acc; + }, [] as string[]) + : [], + [field.value] + ); + + return ( + <> + + + {!tableSelectedItems.length ? ( + + + + ) : ( + + + + )} + + + + {field.value?.length ? ( + + ) : null} + + {} + {showAddQueryFlyout && ( + + )} + {showEditQueryFlyout != null && showEditQueryFlyout >= 0 && ( + + )} + + ); +}; + +export const QueriesField = React.memo(QueriesFieldComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/form/translations.ts b/x-pack/plugins/osquery/public/packs/form/translations.ts similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/form/translations.ts rename to x-pack/plugins/osquery/public/packs/form/translations.ts diff --git a/x-pack/plugins/osquery/public/packs/form/utils.ts b/x-pack/plugins/osquery/public/packs/form/utils.ts new file mode 100644 index 0000000000000..5a4ff8ec13bb1 --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/form/utils.ts @@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { pick, reduce } from 'lodash'; + +// @ts-expect-error update types +export const convertPackQueriesToSO = (queries) => + reduce( + queries, + (acc, value, key) => { + acc.push({ + // @ts-expect-error update types + id: key, + ...pick(value, ['query', 'interval', 'platform', 'version', 'ecs_mapping']), + }); + return acc; + }, + [] + ); + +// @ts-expect-error update types +export const convertSOQueriesToPack = (queries) => + reduce( + queries, + (acc, { id: queryId, ...query }) => { + acc[queryId] = query; + return acc; + }, + // eslint-disable-next-line @typescript-eslint/no-explicit-any + {} as Record + ); diff --git a/x-pack/plugins/osquery/public/packs/index.tsx b/x-pack/plugins/osquery/public/packs/index.tsx index afd44f1b88955..9f89e5151e41b 100644 --- a/x-pack/plugins/osquery/public/packs/index.tsx +++ b/x-pack/plugins/osquery/public/packs/index.tsx @@ -5,32 +5,4 @@ * 2.0. */ -import React, { useCallback, useState } from 'react'; - -import { PacksPage } from './list'; -import { NewPackPage } from './new'; -import { EditPackPage } from './edit'; - -const PacksComponent = () => { - const [showNewPackForm, setShowNewPackForm] = useState(false); - const [editPackId, setEditPackId] = useState(null); - - const goBack = useCallback(() => { - setShowNewPackForm(false); - setEditPackId(null); - }, []); - - const handleNewQueryClick = useCallback(() => setShowNewPackForm(true), []); - - if (showNewPackForm) { - return ; - } - - if (editPackId?.length) { - return ; - } - - return ; -}; - -export const Packs = React.memo(PacksComponent); +export * from './packs_table'; diff --git a/x-pack/plugins/osquery/public/packs/list/index.tsx b/x-pack/plugins/osquery/public/packs/list/index.tsx deleted file mode 100644 index d7a80cb295496..0000000000000 --- a/x-pack/plugins/osquery/public/packs/list/index.tsx +++ /dev/null @@ -1,226 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { map } from 'lodash/fp'; -import { - EuiBasicTable, - EuiButton, - EuiButtonIcon, - EuiFlexGroup, - EuiFlexItem, - EuiSpacer, - RIGHT_ALIGNMENT, -} from '@elastic/eui'; -import React, { useCallback, useMemo, useState } from 'react'; -import { useQuery, useQueryClient, useMutation } from 'react-query'; - -import { PackTableQueriesTable } from './pack_table_queries_table'; -import { useKibana } from '../../common/lib/kibana'; - -interface PacksPageProps { - onEditClick: (packId: string) => void; - onNewClick: () => void; -} - -const PacksPageComponent: React.FC = ({ onNewClick, onEditClick }) => { - const queryClient = useQueryClient(); - const [pageIndex, setPageIndex] = useState(0); - const [pageSize, setPageSize] = useState(5); - const [sortField, setSortField] = useState('updated_at'); - const [sortDirection, setSortDirection] = useState('desc'); - const [selectedItems, setSelectedItems] = useState([]); - const [itemIdToExpandedRowMap, setItemIdToExpandedRowMap] = useState>({}); - const { http } = useKibana().services; - - const deletePacksMutation = useMutation( - (payload) => http.delete(`/internal/osquery/pack`, { body: JSON.stringify(payload) }), - { - onSuccess: () => queryClient.invalidateQueries('packList'), - } - ); - - const { data = {} } = useQuery( - ['packList', { pageIndex, pageSize, sortField, sortDirection }], - () => - http.get('/internal/osquery/pack', { - query: { - pageIndex, - pageSize, - sortField, - sortDirection, - }, - }), - { - keepPreviousData: true, - // Refetch the data every 10 seconds - refetchInterval: 5000, - } - ); - const { total = 0, saved_objects: packs } = data; - - const toggleDetails = useCallback( - (item) => () => { - const itemIdToExpandedRowMapValues = { ...itemIdToExpandedRowMap }; - if (itemIdToExpandedRowMapValues[item.id]) { - delete itemIdToExpandedRowMapValues[item.id]; - } else { - itemIdToExpandedRowMapValues[item.id] = ( - <> - - - - ); - } - setItemIdToExpandedRowMap(itemIdToExpandedRowMapValues); - }, - [itemIdToExpandedRowMap] - ); - - const renderExtendedItemToggle = useCallback( - (item) => ( - - ), - [itemIdToExpandedRowMap, toggleDetails] - ); - - const handleEditClick = useCallback((item) => onEditClick(item.id), [onEditClick]); - - const columns = useMemo( - () => [ - { - field: 'name', - name: 'Pack name', - sortable: true, - truncateText: true, - }, - { - field: 'description', - name: 'Description', - sortable: true, - truncateText: true, - }, - { - field: 'queries', - name: 'Queries', - sortable: false, - // @ts-expect-error update types - render: (queries) => queries.length, - }, - { - field: 'updated_at', - name: 'Last updated at', - sortable: true, - truncateText: true, - }, - { - name: 'Actions', - actions: [ - { - name: 'Edit', - description: 'Edit or run this query', - type: 'icon', - icon: 'documentEdit', - onClick: handleEditClick, - }, - ], - }, - { - align: RIGHT_ALIGNMENT, - width: '40px', - isExpander: true, - render: renderExtendedItemToggle, - }, - ], - [handleEditClick, renderExtendedItemToggle] - ); - - const onTableChange = useCallback(({ page = {}, sort = {} }) => { - setPageIndex(page.index); - setPageSize(page.size); - setSortField(sort.field); - setSortDirection(sort.direction); - }, []); - - const pagination = useMemo( - () => ({ - pageIndex, - pageSize, - totalItemCount: total, - pageSizeOptions: [3, 5, 8], - }), - [total, pageIndex, pageSize] - ); - - const sorting = useMemo( - () => ({ - sort: { - field: sortField, - direction: sortDirection, - }, - }), - [sortDirection, sortField] - ); - - const selection = useMemo( - () => ({ - selectable: () => true, - onSelectionChange: setSelectedItems, - initialSelected: [], - }), - [] - ); - - const handleDeleteClick = useCallback(() => { - const selectedItemsIds = map('id', selectedItems); - // @ts-expect-error update types - deletePacksMutation.mutate({ packIds: selectedItemsIds }); - }, [deletePacksMutation, selectedItems]); - - return ( -
- - - {!selectedItems.length ? ( - - {'New pack'} - - ) : ( - - {`Delete ${selectedItems.length} packs`} - - )} - - - - - - {packs && ( - - )} -
- ); -}; - -export const PacksPage = React.memo(PacksPageComponent); diff --git a/x-pack/plugins/osquery/public/packs/list/pack_table_queries_table.tsx b/x-pack/plugins/osquery/public/packs/list/pack_table_queries_table.tsx deleted file mode 100644 index 14110275b9cb4..0000000000000 --- a/x-pack/plugins/osquery/public/packs/list/pack_table_queries_table.tsx +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { EuiBasicTable, EuiCodeBlock } from '@elastic/eui'; -import React from 'react'; - -const columns = [ - { - field: 'id', - name: 'ID', - }, - { - field: 'name', - name: 'Query name', - }, - { - field: 'interval', - name: 'Query interval', - }, - { - field: 'query', - name: 'Query', - render: (query: string) => ( - - {query} - - ), - }, -]; - -// @ts-expect-error update types -const PackTableQueriesTableComponent = ({ items }) => { - return ; -}; - -export const PackTableQueriesTable = React.memo(PackTableQueriesTableComponent); diff --git a/x-pack/plugins/osquery/public/packs/new/index.tsx b/x-pack/plugins/osquery/public/packs/new/index.tsx deleted file mode 100644 index 2b60e8942bbf9..0000000000000 --- a/x-pack/plugins/osquery/public/packs/new/index.tsx +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { useMutation } from 'react-query'; - -import { PackForm } from '../common/pack_form'; -import { useKibana } from '../../common/lib/kibana'; - -interface NewPackPageProps { - onSuccess: () => void; -} - -const NewPackPageComponent: React.FC = ({ onSuccess }) => { - const { http } = useKibana().services; - - const addPackMutation = useMutation( - (payload) => - http.post(`/internal/osquery/pack`, { - body: JSON.stringify(payload), - }), - { - onSuccess, - } - ); - - // @ts-expect-error update types - return ; -}; - -export const NewPackPage = React.memo(NewPackPageComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_group_queries_status_table.tsx b/x-pack/plugins/osquery/public/packs/pack_queries_status_table.tsx similarity index 71% rename from x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_group_queries_status_table.tsx rename to x-pack/plugins/osquery/public/packs/pack_queries_status_table.tsx index 15547b2a4cca9..a32f369922958 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_group_queries_status_table.tsx +++ b/x-pack/plugins/osquery/public/packs/pack_queries_status_table.tsx @@ -32,18 +32,18 @@ import { FilterStateStore, IndexPattern } from '../../../../../src/plugins/data/ import { useKibana, isModifiedEvent, isLeftClickEvent } from '../common/lib/kibana'; import { OsqueryManagerPackagePolicyInputStream } from '../../common/types'; import { ScheduledQueryErrorsTable } from './scheduled_query_errors_table'; -import { useScheduledQueryGroupQueryLastResults } from './use_scheduled_query_group_query_last_results'; -import { useScheduledQueryGroupQueryErrors } from './use_scheduled_query_group_query_errors'; +import { usePackQueryLastResults } from './use_pack_query_last_results'; +import { usePackQueryErrors } from './use_pack_query_errors'; const VIEW_IN_DISCOVER = i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.viewDiscoverResultsActionAriaLabel', + 'xpack.osquery.pack.queriesTable.viewDiscoverResultsActionAriaLabel', { defaultMessage: 'View in Discover', } ); const VIEW_IN_LENS = i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.viewLensResultsActionAriaLabel', + 'xpack.osquery.pack.queriesTable.viewLensResultsActionAriaLabel', { defaultMessage: 'View in Lens', } @@ -376,7 +376,6 @@ ScheduledQueryExpandedContent.displayName = 'ScheduledQueryExpandedContent'; interface ScheduledQueryLastResultsProps { actionId: string; - agentIds: string[]; queryId: string; interval: number; toggleErrors: (payload: { queryId: string; interval: number }) => void; @@ -385,7 +384,6 @@ interface ScheduledQueryLastResultsProps { const ScheduledQueryLastResults: React.FC = ({ actionId, - agentIds, queryId, interval, toggleErrors, @@ -394,16 +392,14 @@ const ScheduledQueryLastResults: React.FC = ({ const data = useKibana().services.data; const [logsIndexPattern, setLogsIndexPattern] = useState(undefined); - const { data: lastResultsData, isFetched } = useScheduledQueryGroupQueryLastResults({ + const { data: lastResultsData, isFetched } = usePackQueryLastResults({ actionId, - agentIds, interval, logsIndexPattern, }); - const { data: errorsData, isFetched: errorsFetched } = useScheduledQueryGroupQueryErrors({ + const { data: errorsData, isFetched: errorsFetched } = usePackQueryErrors({ actionId, - agentIds, interval, logsIndexPattern, }); @@ -483,7 +479,7 @@ const ScheduledQueryLastResults: React.FC = ({ id="xpack.osquery.queriesStatusTable.agentsLabelText" defaultMessage="{count, plural, one {Agent} other {Agents}}" // eslint-disable-next-line react-perf/jsx-no-new-object-as-prop - values={{ count: agentIds?.length }} + values={{ count: lastResultsData?.uniqueAgentsCount ?? 0 }} />
@@ -522,178 +518,169 @@ const ScheduledQueryLastResults: React.FC = ({ const getPackActionId = (actionId: string, packName: string) => `pack_${packName}_${actionId}`; -interface ScheduledQueryGroupQueriesStatusTableProps { +interface PackQueriesStatusTableProps { agentIds?: string[]; data: OsqueryManagerPackagePolicyInputStream[]; - scheduledQueryGroupName: string; + packName: string; } -const ScheduledQueryGroupQueriesStatusTableComponent: React.FC = - ({ agentIds, data, scheduledQueryGroupName }) => { - const [itemIdToExpandedRowMap, setItemIdToExpandedRowMap] = useState< - Record> - >({}); - - const renderQueryColumn = useCallback( - (query: string) => ( - - {query} - - ), - [] - ); +const PackQueriesStatusTableComponent: React.FC = ({ + agentIds, + data, + packName, +}) => { + const [itemIdToExpandedRowMap, setItemIdToExpandedRowMap] = useState< + Record> + >({}); + + const renderQueryColumn = useCallback( + (query: string) => ( + + {query} + + ), + [] + ); - const toggleErrors = useCallback( - ({ queryId, interval }: { queryId: string; interval: number }) => { - const itemIdToExpandedRowMapValues = { ...itemIdToExpandedRowMap }; - if (itemIdToExpandedRowMapValues[queryId]) { - delete itemIdToExpandedRowMapValues[queryId]; - } else { - itemIdToExpandedRowMapValues[queryId] = ( - - ); - } - setItemIdToExpandedRowMap(itemIdToExpandedRowMapValues); - }, - [agentIds, itemIdToExpandedRowMap, scheduledQueryGroupName] - ); + const toggleErrors = useCallback( + ({ queryId, interval }: { queryId: string; interval: number }) => { + const itemIdToExpandedRowMapValues = { ...itemIdToExpandedRowMap }; + if (itemIdToExpandedRowMapValues[queryId]) { + delete itemIdToExpandedRowMapValues[queryId]; + } else { + itemIdToExpandedRowMapValues[queryId] = ( + + ); + } + setItemIdToExpandedRowMap(itemIdToExpandedRowMapValues); + }, + [agentIds, itemIdToExpandedRowMap, packName] + ); - const renderLastResultsColumn = useCallback( - (item) => ( - - ), - [agentIds, itemIdToExpandedRowMap, scheduledQueryGroupName, toggleErrors] - ); + const renderLastResultsColumn = useCallback( + (item) => ( + + ), + [itemIdToExpandedRowMap, packName, toggleErrors] + ); - const renderDiscoverResultsAction = useCallback( - (item) => ( - - ), - [agentIds, scheduledQueryGroupName] - ); + const renderDiscoverResultsAction = useCallback( + (item) => ( + + ), + [agentIds, packName] + ); - const renderLensResultsAction = useCallback( - (item) => ( - - ), - [agentIds, scheduledQueryGroupName] - ); + const renderLensResultsAction = useCallback( + (item) => ( + + ), + [agentIds, packName] + ); - const getItemId = useCallback( - (item: OsqueryManagerPackagePolicyInputStream) => get('vars.id.value', item), - [] - ); + const getItemId = useCallback( + (item: OsqueryManagerPackagePolicyInputStream) => get('id', item), + [] + ); - const columns = useMemo( - () => [ - { - field: 'vars.id.value', - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.idColumnTitle', { - defaultMessage: 'ID', - }), - width: '15%', - }, - { - field: 'vars.interval.value', - name: i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.intervalColumnTitle', - { - defaultMessage: 'Interval (s)', - } - ), - width: '80px', - }, - { - field: 'vars.query.value', - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.queryColumnTitle', { - defaultMessage: 'Query', - }), - render: renderQueryColumn, - width: '20%', - }, - { - name: i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.lastResultsColumnTitle', - { - defaultMessage: 'Last results', - } - ), - render: renderLastResultsColumn, - }, - { - name: i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.viewResultsColumnTitle', - { - defaultMessage: 'View results', - } - ), - width: '90px', - actions: [ - { - render: renderDiscoverResultsAction, - }, - { - render: renderLensResultsAction, - }, - ], - }, - ], - [ - renderQueryColumn, - renderLastResultsColumn, - renderDiscoverResultsAction, - renderLensResultsAction, - ] - ); + const columns = useMemo( + () => [ + { + field: 'id', + name: i18n.translate('xpack.osquery.pack.queriesTable.idColumnTitle', { + defaultMessage: 'ID', + }), + width: '15%', + }, + { + field: 'interval', + name: i18n.translate('xpack.osquery.pack.queriesTable.intervalColumnTitle', { + defaultMessage: 'Interval (s)', + }), + width: '80px', + }, + { + field: 'query', + name: i18n.translate('xpack.osquery.pack.queriesTable.queryColumnTitle', { + defaultMessage: 'Query', + }), + render: renderQueryColumn, + width: '20%', + }, + { + name: i18n.translate('xpack.osquery.pack.queriesTable.lastResultsColumnTitle', { + defaultMessage: 'Last results', + }), + render: renderLastResultsColumn, + }, + { + name: i18n.translate('xpack.osquery.pack.queriesTable.viewResultsColumnTitle', { + defaultMessage: 'View results', + }), + width: '90px', + actions: [ + { + render: renderDiscoverResultsAction, + }, + { + render: renderLensResultsAction, + }, + ], + }, + ], + [ + renderQueryColumn, + renderLastResultsColumn, + renderDiscoverResultsAction, + renderLensResultsAction, + ] + ); - const sorting = useMemo( - () => ({ - sort: { - field: 'vars.id.value' as keyof OsqueryManagerPackagePolicyInputStream, - direction: 'asc' as const, - }, - }), - [] - ); + const sorting = useMemo( + () => ({ + sort: { + field: 'id' as keyof OsqueryManagerPackagePolicyInputStream, + direction: 'asc' as const, + }, + }), + [] + ); - return ( - - items={data} - itemId={getItemId} - columns={columns} - sorting={sorting} - itemIdToExpandedRowMap={itemIdToExpandedRowMap} - isExpandable - /> - ); - }; + return ( + + // eslint-disable-next-line react-perf/jsx-no-new-array-as-prop + items={data ?? []} + itemId={getItemId} + columns={columns} + sorting={sorting} + itemIdToExpandedRowMap={itemIdToExpandedRowMap} + isExpandable + /> + ); +}; -export const ScheduledQueryGroupQueriesStatusTable = React.memo( - ScheduledQueryGroupQueriesStatusTableComponent -); +export const PackQueriesStatusTable = React.memo(PackQueriesStatusTableComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_group_queries_table.tsx b/x-pack/plugins/osquery/public/packs/pack_queries_table.tsx similarity index 66% rename from x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_group_queries_table.tsx rename to x-pack/plugins/osquery/public/packs/pack_queries_table.tsx index fb3839a716720..d23d5f6ffb06a 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_group_queries_table.tsx +++ b/x-pack/plugins/osquery/public/packs/pack_queries_table.tsx @@ -13,7 +13,7 @@ import { i18n } from '@kbn/i18n'; import { PlatformIcons } from './queries/platforms'; import { OsqueryManagerPackagePolicyInputStream } from '../../common/types'; -interface ScheduledQueryGroupQueriesTableProps { +interface PackQueriesTableProps { data: OsqueryManagerPackagePolicyInputStream[]; onDeleteClick?: (item: OsqueryManagerPackagePolicyInputStream) => void; onEditClick?: (item: OsqueryManagerPackagePolicyInputStream) => void; @@ -21,7 +21,7 @@ interface ScheduledQueryGroupQueriesTableProps { setSelectedItems?: (selection: OsqueryManagerPackagePolicyInputStream[]) => void; } -const ScheduledQueryGroupQueriesTableComponent: React.FC = ({ +const PackQueriesTableComponent: React.FC = ({ data, onDeleteClick, onEditClick, @@ -36,15 +36,12 @@ const ScheduledQueryGroupQueriesTableComponent: React.FC onDeleteClick(item)} iconType="trash" - aria-label={i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.deleteActionAriaLabel', - { - defaultMessage: 'Delete {queryName}', - values: { - queryName: item.vars?.id.value, - }, - } - )} + aria-label={i18n.translate('xpack.osquery.pack.queriesTable.deleteActionAriaLabel', { + defaultMessage: 'Delete {queryName}', + values: { + queryName: item.id, + }, + })} /> ), [onDeleteClick] @@ -58,15 +55,12 @@ const ScheduledQueryGroupQueriesTableComponent: React.FC onEditClick(item)} iconType="pencil" - aria-label={i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.editActionAriaLabel', - { - defaultMessage: 'Edit {queryName}', - values: { - queryName: item.vars?.id.value, - }, - } - )} + aria-label={i18n.translate('xpack.osquery.pack.queriesTable.editActionAriaLabel', { + defaultMessage: 'Edit {queryName}', + values: { + queryName: item.id, + }, + })} /> ), [onEditClick] @@ -90,7 +84,7 @@ const ScheduledQueryGroupQueriesTableComponent: React.FC version ? `${version}` - : i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.osqueryVersionAllLabel', { + : i18n.translate('xpack.osquery.pack.queriesTable.osqueryVersionAllLabel', { defaultMessage: 'ALL', }), [] @@ -99,42 +93,42 @@ const ScheduledQueryGroupQueriesTableComponent: React.FC [ { - field: 'vars.id.value', - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.idColumnTitle', { + field: 'id', + name: i18n.translate('xpack.osquery.pack.queriesTable.idColumnTitle', { defaultMessage: 'ID', }), width: '20%', }, { - field: 'vars.interval.value', - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.intervalColumnTitle', { + field: 'interval', + name: i18n.translate('xpack.osquery.pack.queriesTable.intervalColumnTitle', { defaultMessage: 'Interval (s)', }), width: '100px', }, { - field: 'vars.query.value', - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.queryColumnTitle', { + field: 'query', + name: i18n.translate('xpack.osquery.pack.queriesTable.queryColumnTitle', { defaultMessage: 'Query', }), render: renderQueryColumn, }, { - field: 'vars.platform.value', - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.platformColumnTitle', { + field: 'platform', + name: i18n.translate('xpack.osquery.pack.queriesTable.platformColumnTitle', { defaultMessage: 'Platform', }), render: renderPlatformColumn, }, { - field: 'vars.version.value', - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.versionColumnTitle', { + field: 'version', + name: i18n.translate('xpack.osquery.pack.queriesTable.versionColumnTitle', { defaultMessage: 'Min Osquery version', }), render: renderVersionColumn, }, { - name: i18n.translate('xpack.osquery.scheduledQueryGroup.queriesTable.actionsColumnTitle', { + name: i18n.translate('xpack.osquery.pack.queriesTable.actionsColumnTitle', { defaultMessage: 'Actions', }), width: '120px', @@ -160,17 +154,14 @@ const ScheduledQueryGroupQueriesTableComponent: React.FC ({ sort: { - field: 'vars.id.value' as keyof OsqueryManagerPackagePolicyInputStream, + field: 'id' as keyof OsqueryManagerPackagePolicyInputStream, direction: 'asc' as const, }, }), [] ); - const itemId = useCallback( - (item: OsqueryManagerPackagePolicyInputStream) => get('vars.id.value', item), - [] - ); + const itemId = useCallback((item: OsqueryManagerPackagePolicyInputStream) => get('id', item), []); const selection = useMemo( () => ({ @@ -192,4 +183,4 @@ const ScheduledQueryGroupQueriesTableComponent: React.FC ( - {name} + {name} ); const ScheduledQueryName = React.memo(ScheduledQueryNameComponent); -const renderName = (_: unknown, item: PackagePolicy) => ( - +const renderName = (_: unknown, item: { id: string; attributes: { name: string } }) => ( + ); -const ScheduledQueryGroupsTableComponent = () => { - const { data } = useScheduledQueryGroups(); +const PacksTableComponent = () => { + const { data } = usePacks({}); - const renderAgentPolicy = useCallback((policyId) => , []); + const renderAgentPolicy = useCallback((policyIds) => <>{policyIds?.length ?? 0}, []); const renderQueries = useCallback( - (streams: PackagePolicy['inputs'][0]['streams']) => <>{streams.length}, + (queries) => <>{(queries && Object.keys(queries).length) ?? 0}, [] ); @@ -41,57 +47,64 @@ const ScheduledQueryGroupsTableComponent = () => { const renderUpdatedAt = useCallback((updatedAt, item) => { if (!updatedAt) return '-'; - const updatedBy = item.updated_by !== item.created_by ? ` @ ${item.updated_by}` : ''; - return updatedAt ? `${moment(updatedAt).fromNow()}${updatedBy}` : '-'; + const updatedBy = + item.attributes.updated_by !== item.attributes.created_by + ? ` @ ${item.attributes.updated_by}` + : ''; + return updatedAt ? ( + + {`${moment(updatedAt).fromNow()}${updatedBy}`} + + ) : ( + '-' + ); }, []); + // @ts-expect-error update types const columns: Array> = useMemo( () => [ { - field: 'name', - name: i18n.translate('xpack.osquery.scheduledQueryGroups.table.nameColumnTitle', { + field: 'attributes.name', + name: i18n.translate('xpack.osquery.packs.table.nameColumnTitle', { defaultMessage: 'Name', }), sortable: true, render: renderName, }, { - field: 'policy_id', - name: i18n.translate('xpack.osquery.scheduledQueryGroups.table.policyColumnTitle', { - defaultMessage: 'Policy', + field: 'policy_ids', + name: i18n.translate('xpack.osquery.packs.table.policyColumnTitle', { + defaultMessage: 'Policies', }), truncateText: true, render: renderAgentPolicy, }, { - field: 'inputs[0].streams', - name: i18n.translate( - 'xpack.osquery.scheduledQueryGroups.table.numberOfQueriesColumnTitle', - { - defaultMessage: 'Number of queries', - } - ), + field: 'attributes.queries', + name: i18n.translate('xpack.osquery.packs.table.numberOfQueriesColumnTitle', { + defaultMessage: 'Number of queries', + }), render: renderQueries, width: '150px', }, { - field: 'created_by', - name: i18n.translate('xpack.osquery.scheduledQueryGroups.table.createdByColumnTitle', { + field: 'attributes.created_by', + name: i18n.translate('xpack.osquery.packs.table.createdByColumnTitle', { defaultMessage: 'Created by', }), sortable: true, truncateText: true, }, { - field: 'updated_at', + field: 'attributes.updated_at', name: 'Last updated', sortable: (item) => (item.updated_at ? Date.parse(item.updated_at) : 0), truncateText: true, render: renderUpdatedAt, }, { - field: 'enabled', - name: i18n.translate('xpack.osquery.scheduledQueryGroups.table.activeColumnTitle', { + field: 'attributes.enabled', + name: i18n.translate('xpack.osquery.packs.table.activeColumnTitle', { defaultMessage: 'Active', }), sortable: true, @@ -106,7 +119,7 @@ const ScheduledQueryGroupsTableComponent = () => { const sorting = useMemo( () => ({ sort: { - field: 'name', + field: 'attributes.name', direction: 'asc' as const, }, }), @@ -116,7 +129,7 @@ const ScheduledQueryGroupsTableComponent = () => { return ( // eslint-disable-next-line react-perf/jsx-no-new-array-as-prop - items={data?.items ?? []} + items={data?.saved_objects ?? []} columns={columns} pagination={true} sorting={sorting} @@ -124,4 +137,4 @@ const ScheduledQueryGroupsTableComponent = () => { ); }; -export const ScheduledQueryGroupsTable = React.memo(ScheduledQueryGroupsTableComponent); +export const PacksTable = React.memo(PacksTableComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/constants.ts b/x-pack/plugins/osquery/public/packs/queries/constants.ts similarity index 97% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/constants.ts rename to x-pack/plugins/osquery/public/packs/queries/constants.ts index cbd52fb418853..128f037da89e9 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/constants.ts +++ b/x-pack/plugins/osquery/public/packs/queries/constants.ts @@ -6,6 +6,9 @@ */ export const ALL_OSQUERY_VERSIONS_OPTIONS = [ + { + label: '5.0.1', + }, { label: '4.9.0', }, diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/ecs_mapping_editor_field.tsx b/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx similarity index 83% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/ecs_mapping_editor_field.tsx rename to x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx index 8a5fa0e2066f2..4d7776bdb2954 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/ecs_mapping_editor_field.tsx +++ b/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx @@ -18,6 +18,7 @@ import React, { MutableRefObject, } from 'react'; import { + EuiFormLabel, EuiButtonIcon, EuiFlexGroup, EuiFlexItem, @@ -37,8 +38,8 @@ import styled from 'styled-components'; import deepEqual from 'fast-deep-equal'; import deepmerge from 'deepmerge'; -import ECSSchema from '../../common/schemas/ecs/v1.11.0.json'; -import osquerySchema from '../../common/schemas/osquery/v4.9.0.json'; +import ECSSchema from '../../common/schemas/ecs/v1.12.1.json'; +import osquerySchema from '../../common/schemas/osquery/v5.0.1.json'; import { FieldIcon } from '../../common/lib/kibana'; import { @@ -91,15 +92,11 @@ const StyledFieldSpan = styled.span` // align the icon to the inputs const StyledButtonWrapper = styled.div` - margin-top: 30px; -`; - -const ECSFieldColumn = styled(EuiFlexGroup)` - max-width: 100%; + margin-top: 11px; `; const ECSFieldWrapper = styled(EuiFlexItem)` - max-width: calc(100% - 66px); + max-width: 100%; `; const singleSelection = { asPlainText: true }; @@ -195,11 +192,13 @@ export const ECSComboboxField: React.FC = ({ return ( = ({ return ( >; query: string; fieldRef: MutableRefObject; + euiFieldProps: EuiComboBoxProps<{}>; } interface ECSMappingEditorFormProps { + isDisabled?: boolean; osquerySchemaOptions: OsquerySchemaOption[]; defaultValue?: FormData; onAdd?: (payload: FormData) => void; @@ -334,12 +337,9 @@ const getEcsFieldValidator = (editForm: boolean) => (args: ValidationFuncArg) => { const fieldRequiredError = fieldValidators.emptyField( - i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queryFlyoutForm.ecsFieldRequiredErrorMessage', - { - defaultMessage: 'ECS field is required.', - } - ) + i18n.translate('xpack.osquery.pack.queryFlyoutForm.ecsFieldRequiredErrorMessage', { + defaultMessage: 'ECS field is required.', + }) )(args); // @ts-expect-error update types @@ -356,12 +356,9 @@ const getOsqueryResultFieldValidator = args: ValidationFuncArg ) => { const fieldRequiredError = fieldValidators.emptyField( - i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldRequiredErrorMessage', - { - defaultMessage: 'Osquery result is required.', - } - ) + i18n.translate('xpack.osquery.pack.queryFlyoutForm.osqueryResultFieldRequiredErrorMessage', { + defaultMessage: 'Osquery result is required.', + }) )(args); if (fieldRequiredError && ((!editForm && args.formData.key.length) || editForm)) { @@ -377,7 +374,7 @@ const getOsqueryResultFieldValidator = code: 'ERR_FIELD_FORMAT', path: args.path, message: i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldValueMissingErrorMessage', + 'xpack.osquery.pack.queryFlyoutForm.osqueryResultFieldValueMissingErrorMessage', { defaultMessage: 'The current query does not return a {columnName} field', values: { @@ -409,14 +406,11 @@ interface ECSMappingEditorFormRef { } export const ECSMappingEditorForm = forwardRef( - ({ osquerySchemaOptions, defaultValue, onAdd, onChange, onDelete }, ref) => { + ({ isDisabled, osquerySchemaOptions, defaultValue, onAdd, onChange, onDelete }, ref) => { const editForm = !!defaultValue; const currentFormData = useRef(defaultValue); const formSchema = { key: { - label: i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.ecsFieldLabel', { - defaultMessage: 'ECS field', - }), type: FIELD_TYPES.COMBO_BOX, fieldsToValidateOnChange: ['value.field'], validations: [ @@ -426,12 +420,6 @@ export const ECSMappingEditorForm = forwardRef - - - - + + + + + + + + - + - - - {defaultValue ? ( - - ) : ( - - )} - - - + {!isDisabled && ( + + + {defaultValue ? ( + + ) : ( + + )} + + + )} + @@ -583,7 +582,12 @@ interface OsqueryColumn { index: boolean; } -export const ECSMappingEditorField = ({ field, query, fieldRef }: ECSMappingEditorFieldProps) => { +export const ECSMappingEditorField = ({ + field, + query, + fieldRef, + euiFieldProps, +}: ECSMappingEditorFieldProps) => { const { setValue, value = {} } = field; const [osquerySchemaOptions, setOsquerySchemaOptions] = useState([]); const formRefs = useRef>({}); @@ -851,20 +855,39 @@ export const ECSMappingEditorField = ({ field, query, fieldRef }: ECSMappingEdit
- + + + + + + + + + + + + + + {Object.entries(value).map(([ecsKey, ecsValue]) => ( ))} - { - if (formRef) { - formRefs.current.new = formRef; - } - }} - osquerySchemaOptions={osquerySchemaOptions} - onAdd={handleAddRow} - /> + {!euiFieldProps?.isDisabled && ( + { + if (formRef) { + formRefs.current.new = formRef; + } + }} + osquerySchemaOptions={osquerySchemaOptions} + onAdd={handleAddRow} + /> + )} ); }; diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/lazy_ecs_mapping_editor_field.tsx b/x-pack/plugins/osquery/public/packs/queries/lazy_ecs_mapping_editor_field.tsx similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/lazy_ecs_mapping_editor_field.tsx rename to x-pack/plugins/osquery/public/packs/queries/lazy_ecs_mapping_editor_field.tsx diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platform_checkbox_group_field.tsx b/x-pack/plugins/osquery/public/packs/queries/platform_checkbox_group_field.tsx similarity index 93% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platform_checkbox_group_field.tsx rename to x-pack/plugins/osquery/public/packs/queries/platform_checkbox_group_field.tsx index 0d455486bfa25..35f866ac6cffe 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platform_checkbox_group_field.tsx +++ b/x-pack/plugins/osquery/public/packs/queries/platform_checkbox_group_field.tsx @@ -43,7 +43,7 @@ export const PlatformCheckBoxGroupField = ({ @@ -59,7 +59,7 @@ export const PlatformCheckBoxGroupField = ({ @@ -75,7 +75,7 @@ export const PlatformCheckBoxGroupField = ({ diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/constants.ts b/x-pack/plugins/osquery/public/packs/queries/platforms/constants.ts similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/constants.ts rename to x-pack/plugins/osquery/public/packs/queries/platforms/constants.ts diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/helpers.tsx b/x-pack/plugins/osquery/public/packs/queries/platforms/helpers.tsx similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/helpers.tsx rename to x-pack/plugins/osquery/public/packs/queries/platforms/helpers.tsx diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/index.tsx b/x-pack/plugins/osquery/public/packs/queries/platforms/index.tsx similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/index.tsx rename to x-pack/plugins/osquery/public/packs/queries/platforms/index.tsx diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/logos/linux.svg b/x-pack/plugins/osquery/public/packs/queries/platforms/logos/linux.svg similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/logos/linux.svg rename to x-pack/plugins/osquery/public/packs/queries/platforms/logos/linux.svg diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/logos/macos.svg b/x-pack/plugins/osquery/public/packs/queries/platforms/logos/macos.svg similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/logos/macos.svg rename to x-pack/plugins/osquery/public/packs/queries/platforms/logos/macos.svg diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/logos/windows.svg b/x-pack/plugins/osquery/public/packs/queries/platforms/logos/windows.svg similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/logos/windows.svg rename to x-pack/plugins/osquery/public/packs/queries/platforms/logos/windows.svg diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/platform_icon.tsx b/x-pack/plugins/osquery/public/packs/queries/platforms/platform_icon.tsx similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/platform_icon.tsx rename to x-pack/plugins/osquery/public/packs/queries/platforms/platform_icon.tsx diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/types.ts b/x-pack/plugins/osquery/public/packs/queries/platforms/types.ts similarity index 100% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/platforms/types.ts rename to x-pack/plugins/osquery/public/packs/queries/platforms/types.ts diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/query_flyout.tsx b/x-pack/plugins/osquery/public/packs/queries/query_flyout.tsx similarity index 68% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/query_flyout.tsx rename to x-pack/plugins/osquery/public/packs/queries/query_flyout.tsx index d38c1b2118f24..0c08e781c9f2c 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/query_flyout.tsx +++ b/x-pack/plugins/osquery/public/packs/queries/query_flyout.tsx @@ -7,7 +7,6 @@ import { isEmpty } from 'lodash'; import { - EuiCallOut, EuiFlyout, EuiTitle, EuiSpacer, @@ -23,18 +22,12 @@ import { import React, { useCallback, useMemo, useState, useRef } from 'react'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; -import { satisfies } from 'semver'; import { CodeEditorField } from '../../saved_queries/form/code_editor_field'; import { Form, getUseField, Field, useFormData } from '../../shared_imports'; import { PlatformCheckBoxGroupField } from './platform_checkbox_group_field'; import { ALL_OSQUERY_VERSIONS_OPTIONS } from './constants'; -import { - UseScheduledQueryGroupQueryFormProps, - ScheduledQueryGroupFormData, - useScheduledQueryGroupQueryForm, -} from './use_scheduled_query_group_query_form'; -import { ManageIntegrationLink } from '../../components/manage_integration_link'; +import { UsePackQueryFormProps, PackFormData, usePackQueryForm } from './use_pack_query_form'; import { SavedQueriesDropdown } from '../../saved_queries/saved_queries_dropdown'; import { ECSMappingEditorField, ECSMappingEditorFieldRef } from './lazy_ecs_mapping_editor_field'; @@ -42,22 +35,20 @@ const CommonUseField = getUseField({ component: Field }); interface QueryFlyoutProps { uniqueQueryIds: string[]; - defaultValue?: UseScheduledQueryGroupQueryFormProps['defaultValue'] | undefined; - integrationPackageVersion?: string | undefined; - onSave: (payload: ScheduledQueryGroupFormData) => Promise; + defaultValue?: UsePackQueryFormProps['defaultValue'] | undefined; + onSave: (payload: PackFormData) => Promise; onClose: () => void; } const QueryFlyoutComponent: React.FC = ({ uniqueQueryIds, defaultValue, - integrationPackageVersion, onSave, onClose, }) => { const ecsFieldRef = useRef(); const [isEditMode] = useState(!!defaultValue); - const { form } = useScheduledQueryGroupQueryForm({ + const { form } = usePackQueryForm({ uniqueQueryIds, defaultValue, handleSubmit: async (payload, isValid) => { @@ -76,12 +67,6 @@ const QueryFlyoutComponent: React.FC = ({ }, }); - /* Platform and version fields are supported since osquery_manager@0.3.0 */ - const isFieldSupported = useMemo( - () => (integrationPackageVersion ? satisfies(integrationPackageVersion, '>=0.3.0') : false), - [integrationPackageVersion] - ); - const { submit, setFieldValue, reset, isSubmitting } = form; const [{ query }] = useFormData({ @@ -106,15 +91,19 @@ const QueryFlyoutComponent: React.FC = ({ setFieldValue('interval', savedQuery.interval); } - if (isFieldSupported && savedQuery.platform) { + if (savedQuery.platform) { setFieldValue('platform', savedQuery.platform); } - if (isFieldSupported && savedQuery.version) { + if (savedQuery.version) { setFieldValue('version', [savedQuery.version]); } + + if (savedQuery.ecs_mapping) { + setFieldValue('ecs_mapping', savedQuery.ecs_mapping); + } }, - [isFieldSupported, setFieldValue, reset] + [setFieldValue, reset] ); /* Avoids accidental closing of the flyout when the user clicks outside of the flyout */ @@ -133,12 +122,12 @@ const QueryFlyoutComponent: React.FC = ({

{isEditMode ? ( ) : ( )} @@ -171,7 +160,7 @@ const QueryFlyoutComponent: React.FC = ({ @@ -179,27 +168,18 @@ const QueryFlyoutComponent: React.FC = ({ } // eslint-disable-next-line react-perf/jsx-no-new-object-as-prop euiFieldProps={{ - isDisabled: !isFieldSupported, noSuggestions: false, singleSelection: { asPlainText: true }, - placeholder: i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.osqueryVersionAllLabel', - { - defaultMessage: 'ALL', - } - ), + placeholder: i18n.translate('xpack.osquery.queriesTable.osqueryVersionAllLabel', { + defaultMessage: 'ALL', + }), options: ALL_OSQUERY_VERSIONS_OPTIONS, onCreateOption: undefined, }} /> - + @@ -214,33 +194,13 @@ const QueryFlyoutComponent: React.FC = ({ - {!isFieldSupported ? ( - - } - iconType="pin" - > - - - - - - - ) : null} @@ -248,7 +208,7 @@ const QueryFlyoutComponent: React.FC = ({ diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/schema.tsx b/x-pack/plugins/osquery/public/packs/queries/schema.tsx similarity index 71% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/schema.tsx rename to x-pack/plugins/osquery/public/packs/queries/schema.tsx index f3bd150c8d3c3..596b65a518b0a 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/schema.tsx +++ b/x-pack/plugins/osquery/public/packs/queries/schema.tsx @@ -21,24 +21,21 @@ import { export const createFormSchema = (ids: Set) => ({ id: { type: FIELD_TYPES.TEXT, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.idFieldLabel', { + label: i18n.translate('xpack.osquery.pack.queryFlyoutForm.idFieldLabel', { defaultMessage: 'ID', }), validations: createIdFieldValidations(ids).map((validator) => ({ validator })), }, description: { type: FIELD_TYPES.TEXT, - label: i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queryFlyoutForm.descriptionFieldLabel', - { - defaultMessage: 'Description', - } - ), + label: i18n.translate('xpack.osquery.pack.queryFlyoutForm.descriptionFieldLabel', { + defaultMessage: 'Description', + }), validations: [], }, query: { type: FIELD_TYPES.TEXT, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.queryFieldLabel', { + label: i18n.translate('xpack.osquery.pack.queryFlyoutForm.queryFieldLabel', { defaultMessage: 'Query', }), validations: [{ validator: queryFieldValidation }], @@ -46,14 +43,14 @@ export const createFormSchema = (ids: Set) => ({ interval: { defaultValue: 3600, type: FIELD_TYPES.NUMBER, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.intervalFieldLabel', { + label: i18n.translate('xpack.osquery.pack.queryFlyoutForm.intervalFieldLabel', { defaultMessage: 'Interval (s)', }), validations: [{ validator: intervalFieldValidation }], }, platform: { type: FIELD_TYPES.TEXT, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformFieldLabel', { + label: i18n.translate('xpack.osquery.pack.queryFlyoutForm.platformFieldLabel', { defaultMessage: 'Platform', }), validations: [], @@ -65,7 +62,7 @@ export const createFormSchema = (ids: Set) => ({ @@ -73,4 +70,9 @@ export const createFormSchema = (ids: Set) => ({ ) as unknown as string, validations: [], }, + ecs_mapping: { + defaultValue: {}, + type: FIELD_TYPES.JSON, + validations: [], + }, }); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/use_scheduled_query_group_query_form.tsx b/x-pack/plugins/osquery/public/packs/queries/use_pack_query_form.tsx similarity index 60% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/use_scheduled_query_group_query_form.tsx rename to x-pack/plugins/osquery/public/packs/queries/use_pack_query_form.tsx index 5881612e18219..a6cb38e248774 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/use_scheduled_query_group_query_form.tsx +++ b/x-pack/plugins/osquery/public/packs/queries/use_pack_query_form.tsx @@ -11,23 +11,31 @@ import { produce } from 'immer'; import { useMemo } from 'react'; import { FormConfig, useForm } from '../../shared_imports'; -import { OsqueryManagerPackagePolicyConfigRecord } from '../../../common/types'; import { createFormSchema } from './schema'; const FORM_ID = 'editQueryFlyoutForm'; -export interface UseScheduledQueryGroupQueryFormProps { +export interface UsePackQueryFormProps { uniqueQueryIds: string[]; - defaultValue?: OsqueryManagerPackagePolicyConfigRecord | undefined; - handleSubmit: FormConfig['onSubmit']; + defaultValue?: PackFormData | undefined; + handleSubmit: FormConfig['onSubmit']; } -export interface ScheduledQueryGroupFormData { +export interface PackSOFormData { id: string; query: string; interval: number; platform?: string | undefined; - version?: string[] | undefined; + version?: string | undefined; + ecs_mapping?: Array<{ field: string; value: string }> | undefined; +} + +export interface PackFormData { + id: string; + query: string; + interval: number; + platform?: string | undefined; + version?: string | undefined; ecs_mapping?: | Record< string, @@ -38,14 +46,13 @@ export interface ScheduledQueryGroupFormData { | undefined; } -export const useScheduledQueryGroupQueryForm = ({ +export const usePackQueryForm = ({ uniqueQueryIds, defaultValue, handleSubmit, -}: UseScheduledQueryGroupQueryFormProps) => { +}: UsePackQueryFormProps) => { const idSet = useMemo>( - () => - new Set(xor(uniqueQueryIds, defaultValue?.id.value ? [defaultValue.id.value] : [])), + () => new Set(xor(uniqueQueryIds, defaultValue?.id ? [defaultValue.id] : [])), [uniqueQueryIds, defaultValue] ); const formSchema = useMemo>( @@ -53,7 +60,7 @@ export const useScheduledQueryGroupQueryForm = ({ [idSet] ); - return useForm({ + return useForm({ id: FORM_ID + uuid.v4(), onSubmit: async (formData, isValid) => { if (isValid && handleSubmit) { @@ -62,24 +69,14 @@ export const useScheduledQueryGroupQueryForm = ({ } }, options: { - stripEmptyFields: false, + stripEmptyFields: true, }, + // @ts-expect-error update types defaultValue: defaultValue || { - id: { - type: 'text', - value: '', - }, - query: { - type: 'text', - value: '', - }, - interval: { - type: 'integer', - value: '3600', - }, - ecs_mapping: { - value: {}, - }, + id: '', + query: '', + interval: 3600, + ecs_mapping: {}, }, // @ts-expect-error update types serializer: (payload) => @@ -95,7 +92,6 @@ export const useScheduledQueryGroupQueryForm = ({ if (!draft.version.length) { delete draft.version; } else { - // @ts-expect-error update types draft.version = draft.version[0]; } } @@ -104,18 +100,20 @@ export const useScheduledQueryGroupQueryForm = ({ } return draft; }), + // @ts-expect-error update types deserializer: (payload) => { - if (!payload) return {} as ScheduledQueryGroupFormData; + if (!payload) return {} as PackFormData; return { - id: payload.id.value, - query: payload.query.value, - interval: parseInt(payload.interval.value, 10), - platform: payload.platform?.value, - version: payload.version?.value ? [payload.version?.value] : [], - ecs_mapping: payload.ecs_mapping?.value ?? {}, + id: payload.id, + query: payload.query, + interval: payload.interval, + platform: payload.platform, + version: payload.version ? [payload.version] : [], + ecs_mapping: payload.ecs_mapping ?? {}, }; }, + // @ts-expect-error update types schema: formSchema, }); }; diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/validations.ts b/x-pack/plugins/osquery/public/packs/queries/validations.ts similarity index 72% rename from x-pack/plugins/osquery/public/scheduled_query_groups/queries/validations.ts rename to x-pack/plugins/osquery/public/packs/queries/validations.ts index c9f128b8e5d79..1c568337524c7 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/queries/validations.ts +++ b/x-pack/plugins/osquery/public/packs/queries/validations.ts @@ -12,11 +12,11 @@ export { queryFieldValidation } from '../../common/validations'; const idPattern = /^[a-zA-Z0-9-_]+$/; // eslint-disable-next-line @typescript-eslint/no-explicit-any -const idSchemaValidation: ValidationFunc = ({ value }) => { +export const idSchemaValidation: ValidationFunc = ({ value }) => { const valueIsValid = idPattern.test(value); if (!valueIsValid) { return { - message: i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.invalidIdError', { + message: i18n.translate('xpack.osquery.pack.queryFlyoutForm.invalidIdError', { defaultMessage: 'Characters must be alphanumeric, _, or -', }), }; @@ -28,7 +28,7 @@ const createUniqueIdValidation = (ids: Set) => { const uniqueIdCheck: ValidationFunc = ({ value }) => { if (ids.has(value)) { return { - message: i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.uniqueIdError', { + message: i18n.translate('xpack.osquery.pack.queryFlyoutForm.uniqueIdError', { defaultMessage: 'ID must be unique', }), }; @@ -39,7 +39,7 @@ const createUniqueIdValidation = (ids: Set) => { export const createIdFieldValidations = (ids: Set) => [ fieldValidators.emptyField( - i18n.translate('xpack.osquery.scheduledQueryGroup.queryFlyoutForm.emptyIdError', { + i18n.translate('xpack.osquery.pack.queryFlyoutForm.emptyIdError', { defaultMessage: 'ID is required', }) ), @@ -54,10 +54,7 @@ export const intervalFieldValidation: ValidationFunc< number > = fieldValidators.numberGreaterThanField({ than: 0, - message: i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queryFlyoutForm.invalidIntervalField', - { - defaultMessage: 'A positive interval value is required', - } - ), + message: i18n.translate('xpack.osquery.pack.queryFlyoutForm.invalidIntervalField', { + defaultMessage: 'A positive interval value is required', + }), }); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_errors_table.tsx b/x-pack/plugins/osquery/public/packs/scheduled_query_errors_table.tsx similarity index 89% rename from x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_errors_table.tsx rename to x-pack/plugins/osquery/public/packs/scheduled_query_errors_table.tsx index 71ae346603229..2174c7ce1cc8f 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/scheduled_query_errors_table.tsx +++ b/x-pack/plugins/osquery/public/packs/scheduled_query_errors_table.tsx @@ -13,10 +13,11 @@ import { stringify } from 'querystring'; import { useKibana, isModifiedEvent, isLeftClickEvent } from '../common/lib/kibana'; import { AgentIdToName } from '../agents/agent_id_to_name'; -import { useScheduledQueryGroupQueryErrors } from './use_scheduled_query_group_query_errors'; +import { usePackQueryErrors } from './use_pack_query_errors'; +import { SearchHit } from '../../common/search_strategy'; const VIEW_IN_LOGS = i18n.translate( - 'xpack.osquery.scheduledQueryGroup.queriesTable.viewLogsErrorsActionAriaLabel', + 'xpack.osquery.pack.queriesTable.viewLogsErrorsActionAriaLabel', { defaultMessage: 'View in Logs', } @@ -82,12 +83,10 @@ const renderErrorMessage = (error: string) => ( const ScheduledQueryErrorsTableComponent: React.FC = ({ actionId, - agentIds, interval, }) => { - const { data: lastErrorsData } = useScheduledQueryGroupQueryErrors({ + const { data: lastErrorsData } = usePackQueryErrors({ actionId, - agentIds, interval, }); @@ -139,8 +138,14 @@ const ScheduledQueryErrorsTableComponent: React.FC; + return ( + + // eslint-disable-next-line react-perf/jsx-no-new-array-as-prop + items={lastErrorsData?.hits ?? []} + columns={columns} + pagination={true} + /> + ); }; export const ScheduledQueryErrorsTable = React.memo(ScheduledQueryErrorsTableComponent); diff --git a/x-pack/plugins/osquery/public/packs/use_create_pack.ts b/x-pack/plugins/osquery/public/packs/use_create_pack.ts new file mode 100644 index 0000000000000..05756afde40d8 --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/use_create_pack.ts @@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useMutation, useQueryClient } from 'react-query'; +import { i18n } from '@kbn/i18n'; + +import { useKibana } from '../common/lib/kibana'; +import { PLUGIN_ID } from '../../common'; +import { pagePathGetters } from '../common/page_paths'; +import { PACKS_ID } from './constants'; +import { useErrorToast } from '../common/hooks/use_error_toast'; + +interface UseCreatePackProps { + withRedirect?: boolean; +} + +export const useCreatePack = ({ withRedirect }: UseCreatePackProps) => { + const queryClient = useQueryClient(); + const { + application: { navigateToApp }, + http, + notifications: { toasts }, + } = useKibana().services; + const setErrorToast = useErrorToast(); + + return useMutation( + (payload) => + http.post('/internal/osquery/packs', { + body: JSON.stringify(payload), + }), + { + onError: (error) => { + // @ts-expect-error update types + setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); + }, + onSuccess: (payload) => { + queryClient.invalidateQueries(PACKS_ID); + if (withRedirect) { + navigateToApp(PLUGIN_ID, { path: pagePathGetters.packs() }); + } + toasts.addSuccess( + i18n.translate('xpack.osquery.newPack.successToastMessageText', { + defaultMessage: 'Successfully created "{packName}" pack', + values: { + packName: payload.attributes?.name ?? '', + }, + }) + ); + }, + } + ); +}; diff --git a/x-pack/plugins/osquery/public/packs/use_delete_pack.ts b/x-pack/plugins/osquery/public/packs/use_delete_pack.ts new file mode 100644 index 0000000000000..1e5b55b90600f --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/use_delete_pack.ts @@ -0,0 +1,50 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useMutation, useQueryClient } from 'react-query'; +import { i18n } from '@kbn/i18n'; + +import { useKibana } from '../common/lib/kibana'; +import { PLUGIN_ID } from '../../common'; +import { pagePathGetters } from '../common/page_paths'; +import { PACKS_ID } from './constants'; +import { useErrorToast } from '../common/hooks/use_error_toast'; + +interface UseDeletePackProps { + packId: string; + withRedirect?: boolean; +} + +export const useDeletePack = ({ packId, withRedirect }: UseDeletePackProps) => { + const queryClient = useQueryClient(); + const { + application: { navigateToApp }, + http, + notifications: { toasts }, + } = useKibana().services; + const setErrorToast = useErrorToast(); + + return useMutation(() => http.delete(`/internal/osquery/packs/${packId}`), { + onError: (error: { body: { error: string; message: string } }) => { + setErrorToast(error, { + title: error.body.error, + toastMessage: error.body.message, + }); + }, + onSuccess: () => { + queryClient.invalidateQueries(PACKS_ID); + if (withRedirect) { + navigateToApp(PLUGIN_ID, { path: pagePathGetters.packs() }); + } + toasts.addSuccess( + i18n.translate('xpack.osquery.deletePack.successToastMessageText', { + defaultMessage: 'Successfully deleted pack', + }) + ); + }, + }); +}; diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group.ts b/x-pack/plugins/osquery/public/packs/use_pack.ts similarity index 56% rename from x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group.ts rename to x-pack/plugins/osquery/public/packs/use_pack.ts index c3458698dd517..6aadedab206c4 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group.ts +++ b/x-pack/plugins/osquery/public/packs/use_pack.ts @@ -11,30 +11,20 @@ import { useKibana } from '../common/lib/kibana'; import { GetOnePackagePolicyResponse } from '../../../fleet/common'; import { OsqueryManagerPackagePolicy } from '../../common/types'; -interface UseScheduledQueryGroup { - scheduledQueryGroupId: string; +interface UsePack { + packId: string; skip?: boolean; } -export const useScheduledQueryGroup = ({ - scheduledQueryGroupId, - skip = false, -}: UseScheduledQueryGroup) => { +export const usePack = ({ packId, skip = false }: UsePack) => { const { http } = useKibana().services; return useQuery< Omit & { item: OsqueryManagerPackagePolicy }, unknown, OsqueryManagerPackagePolicy - >( - ['scheduledQueryGroup', { scheduledQueryGroupId }], - () => http.get(`/internal/osquery/scheduled_query_group/${scheduledQueryGroupId}`), - { - keepPreviousData: true, - enabled: !skip || !scheduledQueryGroupId, - select: (response) => response.item, - refetchOnReconnect: false, - refetchOnWindowFocus: false, - } - ); + >(['pack', { packId }], () => http.get(`/internal/osquery/packs/${packId}`), { + keepPreviousData: true, + enabled: !skip || !packId, + }); }; diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group_query_errors.ts b/x-pack/plugins/osquery/public/packs/use_pack_query_errors.ts similarity index 80% rename from x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group_query_errors.ts rename to x-pack/plugins/osquery/public/packs/use_pack_query_errors.ts index 338d97f8801c8..b88bd8ce5709d 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group_query_errors.ts +++ b/x-pack/plugins/osquery/public/packs/use_pack_query_errors.ts @@ -10,21 +10,19 @@ import { IndexPattern, SortDirection } from '../../../../../src/plugins/data/com import { useKibana } from '../common/lib/kibana'; -interface UseScheduledQueryGroupQueryErrorsProps { +interface UsePackQueryErrorsProps { actionId: string; - agentIds?: string[]; interval: number; logsIndexPattern?: IndexPattern; skip?: boolean; } -export const useScheduledQueryGroupQueryErrors = ({ +export const usePackQueryErrors = ({ actionId, - agentIds, interval, logsIndexPattern, skip = false, -}: UseScheduledQueryGroupQueryErrorsProps) => { +}: UsePackQueryErrorsProps) => { const data = useKibana().services.data; return useQuery( @@ -41,12 +39,6 @@ export const useScheduledQueryGroupQueryErrors = ({ query: { // @ts-expect-error update types bool: { - should: agentIds?.map((agentId) => ({ - match_phrase: { - 'elastic_agent.id': agentId, - }, - })), - minimum_should_match: 1, filter: [ { match_phrase: { @@ -81,7 +73,7 @@ export const useScheduledQueryGroupQueryErrors = ({ }, { keepPreviousData: true, - enabled: !!(!skip && actionId && interval && agentIds?.length && logsIndexPattern), + enabled: !!(!skip && actionId && interval && logsIndexPattern), select: (response) => response.rawResponse.hits ?? [], refetchOnReconnect: false, refetchOnWindowFocus: false, diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group_query_last_results.ts b/x-pack/plugins/osquery/public/packs/use_pack_query_last_results.ts similarity index 79% rename from x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group_query_last_results.ts rename to x-pack/plugins/osquery/public/packs/use_pack_query_last_results.ts index 7cfd6be461e05..af3e5b23e80f8 100644 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_group_query_last_results.ts +++ b/x-pack/plugins/osquery/public/packs/use_pack_query_last_results.ts @@ -9,7 +9,7 @@ import { useQuery } from 'react-query'; import { IndexPattern } from '../../../../../src/plugins/data/common'; import { useKibana } from '../common/lib/kibana'; -interface UseScheduledQueryGroupQueryLastResultsProps { +interface UsePackQueryLastResultsProps { actionId: string; agentIds?: string[]; interval: number; @@ -17,13 +17,12 @@ interface UseScheduledQueryGroupQueryLastResultsProps { skip?: boolean; } -export const useScheduledQueryGroupQueryLastResults = ({ +export const usePackQueryLastResults = ({ actionId, - agentIds, interval, logsIndexPattern, skip = false, -}: UseScheduledQueryGroupQueryLastResultsProps) => { +}: UsePackQueryLastResultsProps) => { const data = useKibana().services.data; return useQuery( @@ -35,12 +34,6 @@ export const useScheduledQueryGroupQueryLastResults = ({ query: { // @ts-expect-error update types bool: { - should: agentIds?.map((agentId) => ({ - match_phrase: { - 'agent.id': agentId, - }, - })), - minimum_should_match: 1, filter: [ { match_phrase: { @@ -66,12 +59,6 @@ export const useScheduledQueryGroupQueryLastResults = ({ query: { // @ts-expect-error update types bool: { - should: agentIds?.map((agentId) => ({ - match_phrase: { - 'agent.id': agentId, - }, - })), - minimum_should_match: 1, filter: [ { match_phrase: { @@ -102,7 +89,7 @@ export const useScheduledQueryGroupQueryLastResults = ({ }, { keepPreviousData: true, - enabled: !!(!skip && actionId && interval && agentIds?.length && logsIndexPattern), + enabled: !!(!skip && actionId && interval && logsIndexPattern), refetchOnReconnect: false, refetchOnWindowFocus: false, } diff --git a/x-pack/plugins/osquery/public/packs/use_packs.ts b/x-pack/plugins/osquery/public/packs/use_packs.ts new file mode 100644 index 0000000000000..9870cb481450f --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/use_packs.ts @@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useQuery } from 'react-query'; + +import { useKibana } from '../common/lib/kibana'; +import { PACKS_ID } from './constants'; + +export const usePacks = ({ + isLive = false, + pageIndex = 0, + pageSize = 10000, + sortField = 'updated_at', + sortDirection = 'desc', +}) => { + const { http } = useKibana().services; + + return useQuery( + [PACKS_ID, { pageIndex, pageSize, sortField, sortDirection }], + async () => + http.get('/internal/osquery/packs', { + query: { pageIndex, pageSize, sortField, sortDirection }, + }), + { + keepPreviousData: true, + // Refetch the data every 10 seconds + refetchInterval: isLive ? 10000 : false, + } + ); +}; diff --git a/x-pack/plugins/osquery/public/packs/use_update_pack.ts b/x-pack/plugins/osquery/public/packs/use_update_pack.ts new file mode 100644 index 0000000000000..d9aecbe9ac598 --- /dev/null +++ b/x-pack/plugins/osquery/public/packs/use_update_pack.ts @@ -0,0 +1,60 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useMutation, useQueryClient } from 'react-query'; +import { i18n } from '@kbn/i18n'; + +import { useKibana } from '../common/lib/kibana'; +import { PLUGIN_ID } from '../../common'; +import { pagePathGetters } from '../common/page_paths'; +import { PACKS_ID } from './constants'; +import { useErrorToast } from '../common/hooks/use_error_toast'; + +interface UseUpdatePackProps { + withRedirect?: boolean; + // eslint-disable-next-line @typescript-eslint/no-explicit-any + options?: any; +} + +export const useUpdatePack = ({ withRedirect, options }: UseUpdatePackProps) => { + const queryClient = useQueryClient(); + const { + application: { navigateToApp }, + http, + notifications: { toasts }, + } = useKibana().services; + const setErrorToast = useErrorToast(); + + return useMutation( + // @ts-expect-error update types + ({ id, ...payload }) => + http.put(`/internal/osquery/packs/${id}`, { + body: JSON.stringify(payload), + }), + { + onError: (error) => { + // @ts-expect-error update types + setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); + }, + onSuccess: (payload) => { + queryClient.invalidateQueries(PACKS_ID); + if (withRedirect) { + navigateToApp(PLUGIN_ID, { path: pagePathGetters.packs() }); + } + toasts.addSuccess( + i18n.translate('xpack.osquery.updatePack.successToastMessageText', { + defaultMessage: 'Successfully updated "{packName}" pack', + values: { + packName: payload.attributes?.name ?? '', + }, + }) + ); + }, + ...options, + } + ); +}; diff --git a/x-pack/plugins/osquery/public/results/results_table.tsx b/x-pack/plugins/osquery/public/results/results_table.tsx index c59cd6281a364..e0dfb208e0ebc 100644 --- a/x-pack/plugins/osquery/public/results/results_table.tsx +++ b/x-pack/plugins/osquery/public/results/results_table.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { isEmpty, isEqual, keys, map } from 'lodash/fp'; +import { get, isEmpty, isEqual, keys, map, reduce } from 'lodash/fp'; import { EuiCallOut, EuiCode, @@ -17,8 +17,10 @@ import { EuiLoadingContent, EuiProgress, EuiSpacer, + EuiIconTip, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n/react'; import React, { createContext, useEffect, useState, useCallback, useContext, useMemo } from 'react'; import { pagePathGetters } from '../../../fleet/public'; @@ -31,9 +33,10 @@ import { ViewResultsInDiscoverAction, ViewResultsInLensAction, ViewResultsActionButtonType, -} from '../scheduled_query_groups/scheduled_query_group_queries_status_table'; +} from '../packs/pack_queries_status_table'; import { useActionResultsPrivileges } from '../action_results/use_action_privileges'; import { OSQUERY_INTEGRATION_NAME } from '../../common'; +import { useActionDetails } from '../actions/use_action_details'; const DataContext = createContext([]); @@ -53,6 +56,8 @@ const ResultsTableComponent: React.FC = ({ }) => { const [isLive, setIsLive] = useState(true); const { data: hasActionResultsPrivileges } = useActionResultsPrivileges(); + const { data: actionDetails } = useActionDetails({ actionId }); + const { // @ts-expect-error update types data: { aggregations }, @@ -155,6 +160,59 @@ const ResultsTableComponent: React.FC = ({ [onChangeItemsPerPage, onChangePage, pagination] ); + const ecsMapping = useMemo(() => { + const mapping = get('actionDetails._source.data.ecs_mapping', actionDetails); + if (!mapping) return; + + return reduce( + (acc, [key, value]) => { + // @ts-expect-error update types + if (value?.field) { + // @ts-expect-error update types + acc[value?.field] = [...(acc[value?.field] ?? []), key]; + } + return acc; + }, + {}, + Object.entries(mapping) + ); + }, [actionDetails]); + + const getHeaderDisplay = useCallback( + (columnName: string) => { + // @ts-expect-error update types + if (ecsMapping && ecsMapping[columnName]) { + return ( + <> + {columnName}{' '} + + + {`:`} +
    + { + // @ts-expect-error update types + ecsMapping[columnName].map((fieldName) => ( +
  • {fieldName}
  • + )) + } +
+ + } + type="indexMapping" + /> + + ); + } + }, + [ecsMapping] + ); + useEffect(() => { if (!allResultsData?.edges) { return; @@ -186,6 +244,7 @@ const ResultsTableComponent: React.FC = ({ data.push({ id: fieldName, displayAsText, + display: getHeaderDisplay(displayAsText), defaultSortDirection: Direction.asc, }); seen.add(displayAsText); @@ -198,11 +257,11 @@ const ResultsTableComponent: React.FC = ({ { data: [], seen: new Set() } as { data: EuiDataGridColumn[]; seen: Set } ).data; - if (!isEqual(columns, newColumns)) { - setColumns(newColumns); - setVisibleColumns(map('id', newColumns)); - } - }, [columns, allResultsData?.edges]); + setColumns((currentColumns) => + !isEqual(map('id', currentColumns), map('id', newColumns)) ? newColumns : currentColumns + ); + setVisibleColumns(map('id', newColumns)); + }, [allResultsData?.edges, getHeaderDisplay]); const toolbarVisibility = useMemo( () => ({ diff --git a/x-pack/plugins/osquery/public/results/translations.ts b/x-pack/plugins/osquery/public/results/translations.ts index e4f71d818f01d..ca6b4a5203399 100644 --- a/x-pack/plugins/osquery/public/results/translations.ts +++ b/x-pack/plugins/osquery/public/results/translations.ts @@ -7,13 +7,12 @@ import { i18n } from '@kbn/i18n'; -export const generateEmptyDataMessage = (agentsResponded: number): string => { - return i18n.translate('xpack.osquery.results.multipleAgentsResponded', { +export const generateEmptyDataMessage = (agentsResponded: number): string => + i18n.translate('xpack.osquery.results.multipleAgentsResponded', { defaultMessage: '{agentsResponded, plural, one {# agent has} other {# agents have}} responded, no osquery data has been reported.', values: { agentsResponded }, }); -}; export const ERROR_ALL_RESULTS = i18n.translate('xpack.osquery.results.errorSearchDescription', { defaultMessage: `An error has occurred on all results search`, diff --git a/x-pack/plugins/osquery/public/routes/index.tsx b/x-pack/plugins/osquery/public/routes/index.tsx index a858a51aad64e..48ce8a7619e13 100644 --- a/x-pack/plugins/osquery/public/routes/index.tsx +++ b/x-pack/plugins/osquery/public/routes/index.tsx @@ -10,20 +10,20 @@ import { Switch, Redirect, Route } from 'react-router-dom'; import { useBreadcrumbs } from '../common/hooks/use_breadcrumbs'; import { LiveQueries } from './live_queries'; -import { ScheduledQueryGroups } from './scheduled_query_groups'; import { SavedQueries } from './saved_queries'; +import { Packs } from './packs'; const OsqueryAppRoutesComponent = () => { useBreadcrumbs('base'); return ( + + + - - - diff --git a/x-pack/plugins/osquery/public/routes/live_queries/new/index.tsx b/x-pack/plugins/osquery/public/routes/live_queries/new/index.tsx index cc37e1bc95a91..28db39ac1805f 100644 --- a/x-pack/plugins/osquery/public/routes/live_queries/new/index.tsx +++ b/x-pack/plugins/osquery/public/routes/live_queries/new/index.tsx @@ -22,20 +22,20 @@ const NewLiveQueryPageComponent = () => { const { replace } = useHistory(); const location = useLocation(); const liveQueryListProps = useRouterNavigate('live_queries'); - const [initialQuery, setInitialQuery] = useState(undefined); + const [initialFormData, setInitialFormData] = useState | undefined>({}); - const agentPolicyId = useMemo(() => { + const agentPolicyIds = useMemo(() => { const queryParams = qs.parse(location.search); - return queryParams?.agentPolicyId as string | undefined; + return queryParams?.agentPolicyId ? ([queryParams?.agentPolicyId] as string[]) : undefined; }, [location.search]); useEffect(() => { - if (location.state?.form.query) { + if (location.state?.form) { + setInitialFormData(location.state?.form); replace({ state: null }); - setInitialQuery(location.state?.form.query); } - }, [location.state?.form.query, replace]); + }, [location.state?.form, replace]); const LeftColumn = useMemo( () => ( @@ -66,7 +66,7 @@ const NewLiveQueryPageComponent = () => { return ( - + ); }; diff --git a/x-pack/plugins/osquery/public/routes/packs/add/index.tsx b/x-pack/plugins/osquery/public/routes/packs/add/index.tsx new file mode 100644 index 0000000000000..b34550d07f811 --- /dev/null +++ b/x-pack/plugins/osquery/public/routes/packs/add/index.tsx @@ -0,0 +1,53 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiButtonEmpty, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n/react'; +import React, { useMemo } from 'react'; + +import { WithHeaderLayout } from '../../../components/layouts'; +import { useRouterNavigate } from '../../../common/lib/kibana'; +import { PackForm } from '../../../packs/form'; +import { useBreadcrumbs } from '../../../common/hooks/use_breadcrumbs'; +import { BetaBadge, BetaBadgeRowWrapper } from '../../../components/beta_badge'; + +const AddPackPageComponent = () => { + useBreadcrumbs('pack_add'); + const packListProps = useRouterNavigate('packs'); + + const LeftColumn = useMemo( + () => ( + + + + + + + + +

+ +

+ +
+
+
+ ), + [packListProps] + ); + + return ( + + + + ); +}; + +export const AddPackPage = React.memo(AddPackPageComponent); diff --git a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/details/index.tsx b/x-pack/plugins/osquery/public/routes/packs/details/index.tsx similarity index 65% rename from x-pack/plugins/osquery/public/routes/scheduled_query_groups/details/index.tsx rename to x-pack/plugins/osquery/public/routes/packs/details/index.tsx index 35184ec4bcbc8..063cc75db2572 100644 --- a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/details/index.tsx +++ b/x-pack/plugins/osquery/public/routes/packs/details/index.tsx @@ -23,10 +23,9 @@ import styled from 'styled-components'; import { useKibana, useRouterNavigate } from '../../../common/lib/kibana'; import { WithHeaderLayout } from '../../../components/layouts'; -import { useScheduledQueryGroup } from '../../../scheduled_query_groups/use_scheduled_query_group'; -import { ScheduledQueryGroupQueriesStatusTable } from '../../../scheduled_query_groups/scheduled_query_group_queries_status_table'; +import { usePack } from '../../../packs/use_pack'; +import { PackQueriesStatusTable } from '../../../packs/pack_queries_status_table'; import { useBreadcrumbs } from '../../../common/hooks/use_breadcrumbs'; -import { AgentsPolicyLink } from '../../../agent_policies/agents_policy_link'; import { BetaBadge, BetaBadgeRowWrapper } from '../../../components/beta_badge'; import { useAgentPolicyAgentIds } from '../../../agents/use_agent_policy_agent_ids'; @@ -36,35 +35,36 @@ const Divider = styled.div` border-left: ${({ theme }) => theme.eui.euiBorderThin}; `; -const ScheduledQueryGroupDetailsPageComponent = () => { +const PackDetailsPageComponent = () => { const permissions = useKibana().services.application.capabilities.osquery; - const { scheduledQueryGroupId } = useParams<{ scheduledQueryGroupId: string }>(); - const scheduledQueryGroupsListProps = useRouterNavigate('scheduled_query_groups'); - const editQueryLinkProps = useRouterNavigate( - `scheduled_query_groups/${scheduledQueryGroupId}/edit` - ); + const { packId } = useParams<{ packId: string }>(); + const packsListProps = useRouterNavigate('packs'); + const editQueryLinkProps = useRouterNavigate(`packs/${packId}/edit`); - const { data } = useScheduledQueryGroup({ scheduledQueryGroupId }); + const { data } = usePack({ packId }); const { data: agentIds } = useAgentPolicyAgentIds({ agentPolicyId: data?.policy_id, skip: !data, }); - useBreadcrumbs('scheduled_query_group_details', { scheduledQueryGroupName: data?.name ?? '' }); + useBreadcrumbs('pack_details', { packName: data?.name ?? '' }); + + const queriesArray = useMemo( + () => + // @ts-expect-error update types + (data?.queries && Object.entries(data.queries).map(([id, query]) => ({ ...query, id }))) ?? + [], + [data] + ); const LeftColumn = useMemo( () => ( - + @@ -72,7 +72,7 @@ const ScheduledQueryGroupDetailsPageComponent = () => {

{ )} ), - [data?.description, data?.name, scheduledQueryGroupsListProps] + [data?.description, data?.name, packsListProps] ); const RightColumn = useMemo( @@ -104,12 +104,15 @@ const ScheduledQueryGroupDetailsPageComponent = () => { - {data?.policy_id ? : null} + { + // @ts-expect-error update types + data?.policy_ids?.length + } @@ -124,27 +127,24 @@ const ScheduledQueryGroupDetailsPageComponent = () => { isDisabled={!permissions.writePacks} > ), - [data?.policy_id, editQueryLinkProps, permissions] + // @ts-expect-error update types + [data?.policy_ids, editQueryLinkProps, permissions] ); return ( {data && ( - + )} ); }; -export const ScheduledQueryGroupDetailsPage = React.memo(ScheduledQueryGroupDetailsPageComponent); +export const PackDetailsPage = React.memo(PackDetailsPageComponent); diff --git a/x-pack/plugins/osquery/public/routes/packs/edit/index.tsx b/x-pack/plugins/osquery/public/routes/packs/edit/index.tsx new file mode 100644 index 0000000000000..bd1d7a5e0875c --- /dev/null +++ b/x-pack/plugins/osquery/public/routes/packs/edit/index.tsx @@ -0,0 +1,141 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + EuiButton, + EuiButtonEmpty, + EuiConfirmModal, + EuiFlexGroup, + EuiFlexItem, + EuiLoadingContent, +} from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n/react'; +import React, { useCallback, useMemo, useState } from 'react'; +import { useParams } from 'react-router-dom'; + +import { WithHeaderLayout } from '../../../components/layouts'; +import { useRouterNavigate } from '../../../common/lib/kibana'; +import { PackForm } from '../../../packs/form'; +import { usePack } from '../../../packs/use_pack'; +import { useDeletePack } from '../../../packs/use_delete_pack'; + +import { useBreadcrumbs } from '../../../common/hooks/use_breadcrumbs'; +import { BetaBadge, BetaBadgeRowWrapper } from '../../../components/beta_badge'; + +const EditPackPageComponent = () => { + const { packId } = useParams<{ packId: string }>(); + const queryDetailsLinkProps = useRouterNavigate(`packs/${packId}`); + const [isDeleteModalVisible, setIsDeleteModalVisible] = useState(false); + + const { isLoading, data } = usePack({ packId }); + const deletePackMutation = useDeletePack({ packId, withRedirect: true }); + + useBreadcrumbs('pack_edit', { + packId: data?.id ?? '', + packName: data?.name ?? '', + }); + + const handleCloseDeleteConfirmationModal = useCallback(() => { + setIsDeleteModalVisible(false); + }, []); + + const handleDeleteClick = useCallback(() => { + setIsDeleteModalVisible(true); + }, []); + + const handleDeleteConfirmClick = useCallback(() => { + deletePackMutation.mutateAsync().then(() => { + handleCloseDeleteConfirmationModal(); + }); + }, [deletePackMutation, handleCloseDeleteConfirmationModal]); + + const LeftColumn = useMemo( + () => ( + + + + + + + + +

+ +

+ +
+
+
+ ), + [data?.name, queryDetailsLinkProps] + ); + + const RightColumn = useMemo( + () => ( + + + + ), + [handleDeleteClick] + ); + + if (isLoading) return null; + + return ( + + {!data ? : } + {isDeleteModalVisible ? ( + + } + onCancel={handleCloseDeleteConfirmationModal} + onConfirm={handleDeleteConfirmClick} + cancelButtonText={ + + } + confirmButtonText={ + + } + buttonColor="danger" + defaultFocusedButton="confirm" + > + + + ) : null} + + ); +}; + +export const EditPackPage = React.memo(EditPackPageComponent); diff --git a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/index.tsx b/x-pack/plugins/osquery/public/routes/packs/index.tsx similarity index 53% rename from x-pack/plugins/osquery/public/routes/scheduled_query_groups/index.tsx rename to x-pack/plugins/osquery/public/routes/packs/index.tsx index 53bf4ae79a908..7b6f5ed582292 100644 --- a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/index.tsx +++ b/x-pack/plugins/osquery/public/routes/packs/index.tsx @@ -8,17 +8,17 @@ import React from 'react'; import { Switch, Route, useRouteMatch } from 'react-router-dom'; -import { ScheduledQueryGroupsPage } from './list'; -import { AddScheduledQueryGroupPage } from './add'; -import { EditScheduledQueryGroupPage } from './edit'; -import { ScheduledQueryGroupDetailsPage } from './details'; +import { PacksPage } from './list'; +import { AddPackPage } from './add'; +import { EditPackPage } from './edit'; +import { PackDetailsPage } from './details'; import { useBreadcrumbs } from '../../common/hooks/use_breadcrumbs'; import { useKibana } from '../../common/lib/kibana'; import { MissingPrivileges } from '../components'; -const ScheduledQueryGroupsComponent = () => { +const PacksComponent = () => { const permissions = useKibana().services.application.capabilities.osquery; - useBreadcrumbs('scheduled_query_groups'); + useBreadcrumbs('packs'); const match = useRouteMatch(); if (!permissions.readPacks) { @@ -28,19 +28,19 @@ const ScheduledQueryGroupsComponent = () => { return ( - {permissions.writePacks ? : } + {permissions.writePacks ? : } - - {permissions.writePacks ? : } + + {permissions.writePacks ? : } - - + + - + ); }; -export const ScheduledQueryGroups = React.memo(ScheduledQueryGroupsComponent); +export const Packs = React.memo(PacksComponent); diff --git a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/list/index.tsx b/x-pack/plugins/osquery/public/routes/packs/list/index.tsx similarity index 69% rename from x-pack/plugins/osquery/public/routes/scheduled_query_groups/list/index.tsx rename to x-pack/plugins/osquery/public/routes/packs/list/index.tsx index 006dd0e6ec1b6..12f646e230ff6 100644 --- a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/list/index.tsx +++ b/x-pack/plugins/osquery/public/routes/packs/list/index.tsx @@ -11,12 +11,12 @@ import React, { useMemo } from 'react'; import { useKibana, useRouterNavigate } from '../../../common/lib/kibana'; import { WithHeaderLayout } from '../../../components/layouts'; -import { ScheduledQueryGroupsTable } from '../../../scheduled_query_groups/scheduled_query_groups_table'; +import { PacksTable } from '../../../packs/packs_table'; import { BetaBadge, BetaBadgeRowWrapper } from '../../../components/beta_badge'; -const ScheduledQueryGroupsPageComponent = () => { +const PacksPageComponent = () => { const permissions = useKibana().services.application.capabilities.osquery; - const newQueryLinkProps = useRouterNavigate('scheduled_query_groups/add'); + const newQueryLinkProps = useRouterNavigate('packs/add'); const LeftColumn = useMemo( () => ( @@ -24,10 +24,7 @@ const ScheduledQueryGroupsPageComponent = () => {

- +

@@ -46,8 +43,8 @@ const ScheduledQueryGroupsPageComponent = () => { isDisabled={!permissions.writePacks} > ), @@ -56,9 +53,9 @@ const ScheduledQueryGroupsPageComponent = () => { return ( - + ); }; -export const ScheduledQueryGroupsPage = React.memo(ScheduledQueryGroupsPageComponent); +export const PacksPage = React.memo(PacksPageComponent); diff --git a/x-pack/plugins/osquery/public/routes/saved_queries/edit/form.tsx b/x-pack/plugins/osquery/public/routes/saved_queries/edit/form.tsx index 617d83821d08d..c26bdb4270412 100644 --- a/x-pack/plugins/osquery/public/routes/saved_queries/edit/form.tsx +++ b/x-pack/plugins/osquery/public/routes/saved_queries/edit/form.tsx @@ -13,12 +13,12 @@ import { EuiFlexItem, EuiSpacer, } from '@elastic/eui'; -import React from 'react'; +import React, { useRef } from 'react'; import { FormattedMessage } from '@kbn/i18n/react'; import { useRouterNavigate } from '../../../common/lib/kibana'; import { Form } from '../../../shared_imports'; -import { SavedQueryForm } from '../../../saved_queries/form'; +import { SavedQueryForm, SavedQueryFormRefObject } from '../../../saved_queries/form'; import { useSavedQueryForm } from '../../../saved_queries/form/use_saved_query_form'; interface EditSavedQueryFormProps { @@ -32,17 +32,19 @@ const EditSavedQueryFormComponent: React.FC = ({ handleSubmit, viewMode, }) => { + const savedQueryFormRef = useRef(null); const savedQueryListProps = useRouterNavigate('saved_queries'); const { form } = useSavedQueryForm({ defaultValue, + savedQueryFormRef, handleSubmit, }); const { submit, isSubmitting } = form; return (
- + {!viewMode && ( <> diff --git a/x-pack/plugins/osquery/public/routes/saved_queries/edit/index.tsx b/x-pack/plugins/osquery/public/routes/saved_queries/edit/index.tsx index abed9fc1bce48..71d0c886aac56 100644 --- a/x-pack/plugins/osquery/public/routes/saved_queries/edit/index.tsx +++ b/x-pack/plugins/osquery/public/routes/saved_queries/edit/index.tsx @@ -118,7 +118,6 @@ const EditSavedQueryPageComponent = () => { {!isLoading && !isEmpty(savedQueryDetails) && ( diff --git a/x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx b/x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx index 205099bb68618..9f6ec176faac2 100644 --- a/x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx +++ b/x-pack/plugins/osquery/public/routes/saved_queries/list/index.tsx @@ -19,34 +19,38 @@ import { FormattedMessage } from '@kbn/i18n/react'; import { useHistory } from 'react-router-dom'; import { SavedObject } from 'kibana/public'; +import { ECSMapping } from '../../../../common/schemas/common'; import { WithHeaderLayout } from '../../../components/layouts'; import { useBreadcrumbs } from '../../../common/hooks/use_breadcrumbs'; import { useKibana, useRouterNavigate } from '../../../common/lib/kibana'; import { BetaBadge, BetaBadgeRowWrapper } from '../../../components/beta_badge'; import { useSavedQueries } from '../../../saved_queries/use_saved_queries'; +type SavedQuerySO = SavedObject<{ + name: string; + query: string; + ecs_mapping: ECSMapping; + updated_at: string; +}>; interface PlayButtonProps { disabled: boolean; - savedQueryId: string; - savedQueryName: string; + savedQuery: SavedQuerySO; } -const PlayButtonComponent: React.FC = ({ - disabled = false, - savedQueryId, - savedQueryName, -}) => { +const PlayButtonComponent: React.FC = ({ disabled = false, savedQuery }) => { const { push } = useHistory(); - // TODO: Fix href + // TODO: Add href const handlePlayClick = useCallback( () => push('/live_queries/new', { form: { - savedQueryId, + savedQueryId: savedQuery.id, + query: savedQuery.attributes.query, + ecs_mapping: savedQuery.attributes.ecs_mapping, }, }), - [push, savedQueryId] + [push, savedQuery] ); return ( @@ -58,7 +62,7 @@ const PlayButtonComponent: React.FC = ({ aria-label={i18n.translate('xpack.osquery.savedQueryList.queriesTable.runActionAriaLabel', { defaultMessage: 'Run {savedQueryName}', values: { - savedQueryName, + savedQueryName: savedQuery.attributes.name, }, })} /> @@ -111,17 +115,16 @@ const SavedQueriesPageComponent = () => { const { data } = useSavedQueries({ isLive: true }); const renderEditAction = useCallback( - (item: SavedObject<{ name: string }>) => ( + (item: SavedQuerySO) => ( ), [] ); const renderPlayAction = useCallback( - (item: SavedObject<{ name: string }>) => ( + (item: SavedQuerySO) => ( ), @@ -169,7 +172,7 @@ const SavedQueriesPageComponent = () => { name: i18n.translate('xpack.osquery.savedQueries.table.updatedAtColumnTitle', { defaultMessage: 'Last updated at', }), - sortable: (item: SavedObject<{ updated_at: string }>) => + sortable: (item: SavedQuerySO) => item.attributes.updated_at ? Date.parse(item.attributes.updated_at) : 0, truncateText: true, render: renderUpdatedAt, @@ -249,11 +252,10 @@ const SavedQueriesPageComponent = () => { return ( - {data?.savedObjects && ( + {data?.saved_objects && ( = ({ defaultValue, handleSubmit, }) => { + const savedQueryFormRef = useRef(null); const savedQueryListProps = useRouterNavigate('saved_queries'); const { form } = useSavedQueryForm({ defaultValue, + savedQueryFormRef, handleSubmit, }); - const { submit, isSubmitting } = form; + const { submit, isSubmitting, isValid } = form; return ( - + diff --git a/x-pack/plugins/osquery/public/routes/saved_queries/new/index.tsx b/x-pack/plugins/osquery/public/routes/saved_queries/new/index.tsx index 3f5a1af64fe34..3dc42aabe7a94 100644 --- a/x-pack/plugins/osquery/public/routes/saved_queries/new/index.tsx +++ b/x-pack/plugins/osquery/public/routes/saved_queries/new/index.tsx @@ -20,7 +20,7 @@ const NewSavedQueryPageComponent = () => { useBreadcrumbs('saved_query_new'); const savedQueryListProps = useRouterNavigate('saved_queries'); - const createSavedQueryMutation = useCreateSavedQuery({ withRedirect: true }); + const { mutateAsync } = useCreateSavedQuery({ withRedirect: true }); const LeftColumn = useMemo( () => ( @@ -51,10 +51,7 @@ const NewSavedQueryPageComponent = () => { return ( - { - // @ts-expect-error update types - - } + ); }; diff --git a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/add/index.tsx b/x-pack/plugins/osquery/public/routes/scheduled_query_groups/add/index.tsx deleted file mode 100644 index 6a4753e7aac95..0000000000000 --- a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/add/index.tsx +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { startCase } from 'lodash'; -import { EuiButtonEmpty, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n/react'; -import React, { useMemo } from 'react'; - -import { WithHeaderLayout } from '../../../components/layouts'; -import { useRouterNavigate } from '../../../common/lib/kibana'; -import { ScheduledQueryGroupForm } from '../../../scheduled_query_groups/form'; -import { useOsqueryIntegrationStatus } from '../../../common/hooks'; -import { useBreadcrumbs } from '../../../common/hooks/use_breadcrumbs'; -import { BetaBadge, BetaBadgeRowWrapper } from '../../../components/beta_badge'; - -const AddScheduledQueryGroupPageComponent = () => { - useBreadcrumbs('scheduled_query_group_add'); - const scheduledQueryListProps = useRouterNavigate('scheduled_query_groups'); - const { data: osqueryIntegration } = useOsqueryIntegrationStatus(); - - const packageInfo = useMemo(() => { - if (!osqueryIntegration) return; - - return { - name: osqueryIntegration.name, - title: osqueryIntegration.title ?? startCase(osqueryIntegration.name), - version: osqueryIntegration.version, - }; - }, [osqueryIntegration]); - - const LeftColumn = useMemo( - () => ( - - - - - - - - -

- -

- -
-
-
- ), - [scheduledQueryListProps] - ); - - return ( - - {packageInfo && } - - ); -}; - -export const AddScheduledQueryGroupPage = React.memo(AddScheduledQueryGroupPageComponent); diff --git a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/edit/index.tsx b/x-pack/plugins/osquery/public/routes/scheduled_query_groups/edit/index.tsx deleted file mode 100644 index 7d816d3c4f7d4..0000000000000 --- a/x-pack/plugins/osquery/public/routes/scheduled_query_groups/edit/index.tsx +++ /dev/null @@ -1,77 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { EuiButtonEmpty, EuiFlexGroup, EuiFlexItem, EuiLoadingContent } from '@elastic/eui'; -import { FormattedMessage } from '@kbn/i18n/react'; -import React, { useMemo } from 'react'; -import { useParams } from 'react-router-dom'; - -import { WithHeaderLayout } from '../../../components/layouts'; -import { useRouterNavigate } from '../../../common/lib/kibana'; -import { ScheduledQueryGroupForm } from '../../../scheduled_query_groups/form'; -import { useScheduledQueryGroup } from '../../../scheduled_query_groups/use_scheduled_query_group'; -import { useBreadcrumbs } from '../../../common/hooks/use_breadcrumbs'; -import { BetaBadge, BetaBadgeRowWrapper } from '../../../components/beta_badge'; - -const EditScheduledQueryGroupPageComponent = () => { - const { scheduledQueryGroupId } = useParams<{ scheduledQueryGroupId: string }>(); - const queryDetailsLinkProps = useRouterNavigate( - `scheduled_query_groups/${scheduledQueryGroupId}` - ); - - const { data } = useScheduledQueryGroup({ scheduledQueryGroupId }); - - useBreadcrumbs('scheduled_query_group_edit', { - scheduledQueryGroupId: data?.id ?? '', - scheduledQueryGroupName: data?.name ?? '', - }); - - const LeftColumn = useMemo( - () => ( - - - - - - - - -

- -

- -
-
-
- ), - [data?.name, queryDetailsLinkProps] - ); - - return ( - - {!data ? ( - - ) : ( - - )} - - ); -}; - -export const EditScheduledQueryGroupPage = React.memo(EditScheduledQueryGroupPageComponent); diff --git a/x-pack/plugins/osquery/public/saved_queries/form/code_editor_field.tsx b/x-pack/plugins/osquery/public/saved_queries/form/code_editor_field.tsx index c70aeae66396e..cc64e539e399f 100644 --- a/x-pack/plugins/osquery/public/saved_queries/form/code_editor_field.tsx +++ b/x-pack/plugins/osquery/public/saved_queries/form/code_editor_field.tsx @@ -6,18 +6,24 @@ */ import { isEmpty } from 'lodash/fp'; -import { EuiFormRow } from '@elastic/eui'; +import { EuiCodeBlock, EuiFormRow } from '@elastic/eui'; import React from 'react'; +import styled from 'styled-components'; import { OsquerySchemaLink } from '../../components/osquery_schema_link'; import { OsqueryEditor } from '../../editor'; import { FieldHook } from '../../shared_imports'; +const StyledEuiCodeBlock = styled(EuiCodeBlock)` + min-height: 100px; +`; + interface CodeEditorFieldProps { + euiFieldProps?: Record; field: FieldHook; } -const CodeEditorFieldComponent: React.FC = ({ field }) => { +const CodeEditorFieldComponent: React.FC = ({ euiFieldProps, field }) => { const { value, label, labelAppend, helpText, setValue, errors } = field; const error = errors[0]?.message; @@ -30,7 +36,18 @@ const CodeEditorFieldComponent: React.FC = ({ field }) => error={error} fullWidth > - + {euiFieldProps?.disabled ? ( + + {value} + + ) : ( + + )} ); }; diff --git a/x-pack/plugins/osquery/public/saved_queries/form/index.tsx b/x-pack/plugins/osquery/public/saved_queries/form/index.tsx index beff34a8919a0..1d3677e96298e 100644 --- a/x-pack/plugins/osquery/public/saved_queries/form/index.tsx +++ b/x-pack/plugins/osquery/public/saved_queries/form/index.tsx @@ -5,90 +5,161 @@ * 2.0. */ -import { EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiTitle, EuiText } from '@elastic/eui'; -import React, { useMemo } from 'react'; +import { + EuiFlexGroup, + EuiFlexItem, + EuiSpacer, + EuiTitle, + EuiText, + EuiButtonEmpty, +} from '@elastic/eui'; +import React, { + useCallback, + useMemo, + useRef, + forwardRef, + useImperativeHandle, + useState, +} from 'react'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; -import { ALL_OSQUERY_VERSIONS_OPTIONS } from '../../scheduled_query_groups/queries/constants'; -import { PlatformCheckBoxGroupField } from '../../scheduled_query_groups/queries/platform_checkbox_group_field'; -import { Field, getUseField, UseField } from '../../shared_imports'; +import { ALL_OSQUERY_VERSIONS_OPTIONS } from '../../packs/queries/constants'; +import { PlatformCheckBoxGroupField } from '../../packs/queries/platform_checkbox_group_field'; +import { Field, getUseField, UseField, useFormData } from '../../shared_imports'; import { CodeEditorField } from './code_editor_field'; +import { + ECSMappingEditorField, + ECSMappingEditorFieldRef, +} from '../../packs/queries/lazy_ecs_mapping_editor_field'; +import { PlaygroundFlyout } from './playground_flyout'; export const CommonUseField = getUseField({ component: Field }); interface SavedQueryFormProps { viewMode?: boolean; + hasPlayground?: boolean; + isValid?: boolean; } +export interface SavedQueryFormRefObject { + validateEcsMapping: ECSMappingEditorFieldRef['validate']; +} + +const SavedQueryFormComponent = forwardRef( + ({ viewMode, hasPlayground, isValid }, ref) => { + const [playgroundVisible, setPlaygroundVisible] = useState(false); + const ecsFieldRef = useRef(); + + const euiFieldProps = useMemo( + () => ({ + isDisabled: !!viewMode, + }), + [viewMode] + ); + + const [{ query }] = useFormData({ watch: ['query'] }); -const SavedQueryFormComponent: React.FC = ({ viewMode }) => { - const euiFieldProps = useMemo( - () => ({ - isDisabled: !!viewMode, - }), - [viewMode] - ); + const handleHidePlayground = useCallback(() => setPlaygroundVisible(false), []); - return ( - <> - - - - - - - - - -
+ const handleTogglePlayground = useCallback( + () => setPlaygroundVisible((prevValue) => !prevValue), + [] + ); + + useImperativeHandle( + ref, + () => ({ + validateEcsMapping: () => { + if (ecsFieldRef.current) { + return ecsFieldRef.current.validate(); + } + return Promise.resolve(false); + }, + }), + [] + ); + + return ( + <> + + + + + + + + + + + + {!viewMode && hasPlayground && ( + + + + Test configuration + + + + )} + + + + +
+ +
+
+ -
-
- - +
+
+ + + + + + - - - - - - - - - - - - - - - - - ); -}; +
+ + + +
+ {playgroundVisible && } + + ); + } +); export const SavedQueryForm = React.memo(SavedQueryFormComponent); diff --git a/x-pack/plugins/osquery/public/saved_queries/form/playground_flyout.tsx b/x-pack/plugins/osquery/public/saved_queries/form/playground_flyout.tsx new file mode 100644 index 0000000000000..5e8bb725dd5a2 --- /dev/null +++ b/x-pack/plugins/osquery/public/saved_queries/form/playground_flyout.tsx @@ -0,0 +1,61 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiFlyout, EuiFlyoutHeader, EuiTitle, EuiFlyoutBody } from '@elastic/eui'; +import React from 'react'; +import styled from 'styled-components'; +import { FormattedMessage } from '@kbn/i18n/react'; + +import { LiveQuery } from '../../live_queries'; +import { useFormData } from '../../shared_imports'; + +const StyledEuiFlyoutHeader = styled(EuiFlyoutHeader)` + &.euiFlyoutHeader.euiFlyoutHeader--hasBorder { + padding-top: 21px; + padding-bottom: 20px; + } +`; + +interface PlaygroundFlyoutProps { + enabled?: boolean; + onClose: () => void; +} + +const PlaygroundFlyoutComponent: React.FC = ({ enabled, onClose }) => { + // eslint-disable-next-line @typescript-eslint/naming-convention + const [{ query, ecs_mapping, savedQueryId }] = useFormData({ + watch: ['query', 'ecs_mapping', 'savedQueryId'], + }); + + return ( + + + +
+ +
+
+
+ + + +
+ ); +}; + +export const PlaygroundFlyout = React.memo(PlaygroundFlyoutComponent); diff --git a/x-pack/plugins/osquery/public/saved_queries/form/use_saved_query_form.tsx b/x-pack/plugins/osquery/public/saved_queries/form/use_saved_query_form.tsx index eed16d84278b8..3fd2275477ebf 100644 --- a/x-pack/plugins/osquery/public/saved_queries/form/use_saved_query_form.tsx +++ b/x-pack/plugins/osquery/public/saved_queries/form/use_saved_query_form.tsx @@ -5,27 +5,33 @@ * 2.0. */ -import { isArray } from 'lodash'; +import { isArray, isEmpty, map } from 'lodash'; import uuid from 'uuid'; import { produce } from 'immer'; +import { RefObject, useMemo } from 'react'; -import { useMemo } from 'react'; import { useForm } from '../../shared_imports'; -import { createFormSchema } from '../../scheduled_query_groups/queries/schema'; -import { ScheduledQueryGroupFormData } from '../../scheduled_query_groups/queries/use_scheduled_query_group_query_form'; +import { createFormSchema } from '../../packs/queries/schema'; +import { PackFormData } from '../../packs/queries/use_pack_query_form'; import { useSavedQueries } from '../use_saved_queries'; +import { SavedQueryFormRefObject } from '.'; const SAVED_QUERY_FORM_ID = 'savedQueryForm'; interface UseSavedQueryFormProps { defaultValue?: unknown; handleSubmit: (payload: unknown) => Promise; + savedQueryFormRef: RefObject; } -export const useSavedQueryForm = ({ defaultValue, handleSubmit }: UseSavedQueryFormProps) => { +export const useSavedQueryForm = ({ + defaultValue, + handleSubmit, + savedQueryFormRef, +}: UseSavedQueryFormProps) => { const { data } = useSavedQueries({}); const ids: string[] = useMemo( - () => data?.savedObjects.map((obj) => obj.attributes.id) ?? [], + () => map(data?.saved_objects, 'attributes.id') ?? [], [data] ); const idSet = useMemo>(() => { @@ -42,13 +48,18 @@ export const useSavedQueryForm = ({ defaultValue, handleSubmit }: UseSavedQueryF id: SAVED_QUERY_FORM_ID + uuid.v4(), schema: formSchema, onSubmit: async (formData, isValid) => { + const ecsFieldValue = await savedQueryFormRef?.current?.validateEcsMapping(); + if (isValid) { - return handleSubmit(formData); + try { + await handleSubmit({ + ...formData, + ...(isEmpty(ecsFieldValue) ? {} : { ecs_mapping: ecsFieldValue }), + }); + // eslint-disable-next-line no-empty + } catch (e) {} } }, - options: { - stripEmptyFields: false, - }, // @ts-expect-error update types defaultValue, serializer: (payload) => @@ -67,19 +78,26 @@ export const useSavedQueryForm = ({ defaultValue, handleSubmit }: UseSavedQueryF draft.version = draft.version[0]; } } + if (isEmpty(draft.ecs_mapping)) { + // @ts-expect-error update types + delete draft.ecs_mapping; + } + // @ts-expect-error update types + draft.interval = draft.interval + ''; return draft; }), // @ts-expect-error update types deserializer: (payload) => { - if (!payload) return {} as ScheduledQueryGroupFormData; + if (!payload) return {} as PackFormData; return { id: payload.id, description: payload.description, query: payload.query, - interval: payload.interval ? parseInt(payload.interval, 10) : undefined, + interval: payload.interval ?? 3600, platform: payload.platform, version: payload.version ? [payload.version] : [], + ecs_mapping: payload.ecs_mapping ?? {}, }; }, }); diff --git a/x-pack/plugins/osquery/public/saved_queries/saved_queries_dropdown.tsx b/x-pack/plugins/osquery/public/saved_queries/saved_queries_dropdown.tsx index fc7cee2fc804c..7a652720e9cb1 100644 --- a/x-pack/plugins/osquery/public/saved_queries/saved_queries_dropdown.tsx +++ b/x-pack/plugins/osquery/public/saved_queries/saved_queries_dropdown.tsx @@ -7,25 +7,15 @@ import { find } from 'lodash/fp'; import { EuiCodeBlock, EuiFormRow, EuiComboBox, EuiTextColor } from '@elastic/eui'; -import React, { - forwardRef, - useCallback, - useEffect, - useImperativeHandle, - useMemo, - useState, -} from 'react'; +import React, { useCallback, useEffect, useMemo, useState } from 'react'; import { SimpleSavedObject } from 'kibana/public'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; -import { useHistory, useLocation } from 'react-router-dom'; import styled from 'styled-components'; +import deepEqual from 'fast-deep-equal'; import { useSavedQueries } from './use_saved_queries'; - -export interface SavedQueriesDropdownRef { - clearSelection: () => void; -} +import { useFormData } from '../shared_imports'; const TextTruncate = styled.div` overflow: hidden; @@ -51,28 +41,33 @@ interface SavedQueriesDropdownProps { ) => void; } -const SavedQueriesDropdownComponent = forwardRef< - SavedQueriesDropdownRef, - SavedQueriesDropdownProps ->(({ disabled, onChange }, ref) => { - const { replace } = useHistory(); - const location = useLocation(); +const SavedQueriesDropdownComponent: React.FC = ({ + disabled, + onChange, +}) => { const [selectedOptions, setSelectedOptions] = useState([]); + // eslint-disable-next-line @typescript-eslint/naming-convention + const [{ query, ecs_mapping, savedQueryId }] = useFormData({ + watch: ['ecs_mapping', 'query', 'savedQueryId'], + }); + const { data } = useSavedQueries({}); const queryOptions = useMemo( () => - data?.savedObjects?.map((savedQuery) => ({ + // @ts-expect-error update types + data?.saved_objects?.map((savedQuery) => ({ label: savedQuery.attributes.id ?? '', value: { - savedObjectId: savedQuery.id, + savedQueryId: savedQuery.id, id: savedQuery.attributes.id, description: savedQuery.attributes.description, query: savedQuery.attributes.query, + ecs_mapping: savedQuery.attributes.ecs_mapping, }, })) ?? [], - [data?.savedObjects] + [data?.saved_objects] ); const handleSavedQueryChange = useCallback( @@ -85,15 +80,16 @@ const SavedQueriesDropdownComponent = forwardRef< const selectedSavedQuery = find( ['attributes.id', newSelectedOptions[0].value.id], - data?.savedObjects + data?.saved_objects ); if (selectedSavedQuery) { - onChange(selectedSavedQuery.attributes); + onChange({ ...selectedSavedQuery.attributes, savedQueryId: selectedSavedQuery.id }); } + setSelectedOptions(newSelectedOptions); }, - [data?.savedObjects, onChange] + [data?.saved_objects, onChange] ); const renderOption = useCallback( @@ -111,29 +107,29 @@ const SavedQueriesDropdownComponent = forwardRef< [] ); - const clearSelection = useCallback(() => setSelectedOptions([]), []); - useEffect(() => { - const savedQueryId = location.state?.form?.savedQueryId; - if (savedQueryId) { - const savedQueryOption = find(['value.savedObjectId', savedQueryId], queryOptions); + const savedQueryOption = find(['value.savedQueryId', savedQueryId], queryOptions); if (savedQueryOption) { handleSavedQueryChange([savedQueryOption]); } + } + }, [savedQueryId, handleSavedQueryChange, queryOptions]); - replace({ state: null }); + useEffect(() => { + if ( + selectedOptions.length && + // @ts-expect-error update types + (selectedOptions[0].value.savedQueryId !== savedQueryId || + // @ts-expect-error update types + selectedOptions[0].value.query !== query || + // @ts-expect-error update types + !deepEqual(selectedOptions[0].value.ecs_mapping, ecs_mapping)) + ) { + setSelectedOptions([]); } - }, [handleSavedQueryChange, replace, location.state, queryOptions]); - - useImperativeHandle( - ref, - () => ({ - clearSelection, - }), - [clearSelection] - ); + }, [ecs_mapping, query, savedQueryId, selectedOptions]); return ( ); -}); +}; export const SavedQueriesDropdown = React.memo(SavedQueriesDropdownComponent); diff --git a/x-pack/plugins/osquery/public/saved_queries/saved_query_flyout.tsx b/x-pack/plugins/osquery/public/saved_queries/saved_query_flyout.tsx index 8c35a359a9baf..2c1d00ac1031d 100644 --- a/x-pack/plugins/osquery/public/saved_queries/saved_query_flyout.tsx +++ b/x-pack/plugins/osquery/public/saved_queries/saved_query_flyout.tsx @@ -17,12 +17,12 @@ import { EuiButtonEmpty, EuiButton, } from '@elastic/eui'; -import React, { useCallback } from 'react'; +import React, { useCallback, useRef } from 'react'; import { FormattedMessage } from '@kbn/i18n/react'; import { Form } from '../shared_imports'; import { useSavedQueryForm } from './form/use_saved_query_form'; -import { SavedQueryForm } from './form'; +import { SavedQueryForm, SavedQueryFormRefObject } from './form'; import { useCreateSavedQuery } from './use_create_saved_query'; interface AddQueryFlyoutProps { @@ -31,6 +31,7 @@ interface AddQueryFlyoutProps { } const SavedQueryFlyoutComponent: React.FC = ({ defaultValue, onClose }) => { + const savedQueryFormRef = useRef(null); const createSavedQueryMutation = useCreateSavedQuery({ withRedirect: false }); const handleSubmit = useCallback( @@ -40,6 +41,7 @@ const SavedQueryFlyoutComponent: React.FC = ({ defaultValue const { form } = useSavedQueryForm({ defaultValue, + savedQueryFormRef, handleSubmit, }); const { submit, isSubmitting } = form; @@ -59,7 +61,7 @@ const SavedQueryFlyoutComponent: React.FC = ({ defaultValue - + @@ -67,7 +69,7 @@ const SavedQueryFlyoutComponent: React.FC = ({ defaultValue @@ -75,7 +77,7 @@ const SavedQueryFlyoutComponent: React.FC = ({ defaultValue diff --git a/x-pack/plugins/osquery/public/saved_queries/use_create_saved_query.ts b/x-pack/plugins/osquery/public/saved_queries/use_create_saved_query.ts index ddc25630079cd..c736cdf9c3545 100644 --- a/x-pack/plugins/osquery/public/saved_queries/use_create_saved_query.ts +++ b/x-pack/plugins/osquery/public/saved_queries/use_create_saved_query.ts @@ -9,7 +9,6 @@ import { useMutation, useQueryClient } from 'react-query'; import { i18n } from '@kbn/i18n'; import { useKibana } from '../common/lib/kibana'; -import { savedQuerySavedObjectType } from '../../common/types'; import { PLUGIN_ID } from '../../common'; import { pagePathGetters } from '../common/page_paths'; import { SAVED_QUERIES_ID } from './constants'; @@ -23,48 +22,22 @@ export const useCreateSavedQuery = ({ withRedirect }: UseCreateSavedQueryProps) const queryClient = useQueryClient(); const { application: { navigateToApp }, - savedObjects, - security, + http, notifications: { toasts }, } = useKibana().services; const setErrorToast = useErrorToast(); return useMutation( - async (payload) => { - const currentUser = await security.authc.getCurrentUser(); - - if (!currentUser) { - throw new Error('CurrentUser is missing'); - } - // @ts-expect-error update types - const payloadId = payload.id; - const conflictingEntries = await savedObjects.client.find({ - type: savedQuerySavedObjectType, - search: payloadId, - searchFields: ['id'], - }); - if (conflictingEntries.savedObjects.length) { - throw new Error(`Saved query with id ${payloadId} already exists.`); - } - return savedObjects.client.create(savedQuerySavedObjectType, { - // @ts-expect-error update types - ...payload, - created_by: currentUser.username, - created_at: new Date(Date.now()).toISOString(), - updated_by: currentUser.username, - updated_at: new Date(Date.now()).toISOString(), - }); - }, + (payload) => + http.post('/internal/osquery/saved_query', { + body: JSON.stringify(payload), + }), { - onError: (error) => { - if (error instanceof Error) { - return setErrorToast(error, { - title: 'Saved query creation error', - toastMessage: error.message, - }); - } - // @ts-expect-error update types - setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); + onError: (error: { body: { error: string; message: string } }) => { + setErrorToast(error, { + title: error.body.error, + toastMessage: error.body.message, + }); }, onSuccess: (payload) => { queryClient.invalidateQueries(SAVED_QUERIES_ID); diff --git a/x-pack/plugins/osquery/public/saved_queries/use_delete_saved_query.ts b/x-pack/plugins/osquery/public/saved_queries/use_delete_saved_query.ts index b2fee8b25f7a4..de03b834f5e6a 100644 --- a/x-pack/plugins/osquery/public/saved_queries/use_delete_saved_query.ts +++ b/x-pack/plugins/osquery/public/saved_queries/use_delete_saved_query.ts @@ -9,7 +9,6 @@ import { useMutation, useQueryClient } from 'react-query'; import { i18n } from '@kbn/i18n'; import { useKibana } from '../common/lib/kibana'; -import { savedQuerySavedObjectType } from '../../common/types'; import { PLUGIN_ID } from '../../common'; import { pagePathGetters } from '../common/page_paths'; import { SAVED_QUERIES_ID } from './constants'; @@ -23,15 +22,17 @@ export const useDeleteSavedQuery = ({ savedQueryId }: UseDeleteSavedQueryProps) const queryClient = useQueryClient(); const { application: { navigateToApp }, - savedObjects, + http, notifications: { toasts }, } = useKibana().services; const setErrorToast = useErrorToast(); - return useMutation(() => savedObjects.client.delete(savedQuerySavedObjectType, savedQueryId), { - onError: (error) => { - // @ts-expect-error update types - setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); + return useMutation(() => http.delete(`/internal/osquery/saved_query/${savedQueryId}`), { + onError: (error: { body: { error: string; message: string } }) => { + setErrorToast(error, { + title: error.body.error, + toastMessage: error.body.message, + }); }, onSuccess: () => { queryClient.invalidateQueries(SAVED_QUERIES_ID); diff --git a/x-pack/plugins/osquery/public/saved_queries/use_saved_queries.ts b/x-pack/plugins/osquery/public/saved_queries/use_saved_queries.ts index bb5a73d9d50fa..22ed81a62a5b3 100644 --- a/x-pack/plugins/osquery/public/saved_queries/use_saved_queries.ts +++ b/x-pack/plugins/osquery/public/saved_queries/use_saved_queries.ts @@ -8,7 +8,7 @@ import { useQuery } from 'react-query'; import { useKibana } from '../common/lib/kibana'; -import { savedQuerySavedObjectType } from '../../common/types'; +import { useErrorToast } from '../common/hooks/use_error_toast'; import { SAVED_QUERIES_ID } from './constants'; export const useSavedQueries = ({ @@ -18,29 +18,24 @@ export const useSavedQueries = ({ sortField = 'updated_at', sortDirection = 'desc', }) => { - const { savedObjects } = useKibana().services; + const { http } = useKibana().services; + const setErrorToast = useErrorToast(); return useQuery( [SAVED_QUERIES_ID, { pageIndex, pageSize, sortField, sortDirection }], - async () => - savedObjects.client.find<{ - id: string; - description?: string; - query: string; - updated_at: string; - updated_by: string; - created_at: string; - created_by: string; - }>({ - type: savedQuerySavedObjectType, - page: pageIndex + 1, - perPage: pageSize, - sortField, + () => + http.get('/internal/osquery/saved_query', { + query: { pageIndex, pageSize, sortField, sortDirection }, }), { keepPreviousData: true, - // Refetch the data every 10 seconds - refetchInterval: isLive ? 5000 : false, + refetchInterval: isLive ? 10000 : false, + onError: (error: { body: { error: string; message: string } }) => { + setErrorToast(error, { + title: error.body.error, + toastMessage: error.body.message, + }); + }, } ); }; diff --git a/x-pack/plugins/osquery/public/saved_queries/use_saved_query.ts b/x-pack/plugins/osquery/public/saved_queries/use_saved_query.ts index 5b736c2cb3217..04d7a9b505372 100644 --- a/x-pack/plugins/osquery/public/saved_queries/use_saved_query.ts +++ b/x-pack/plugins/osquery/public/saved_queries/use_saved_query.ts @@ -9,7 +9,6 @@ import { useQuery } from 'react-query'; import { PLUGIN_ID } from '../../common'; import { useKibana } from '../common/lib/kibana'; -import { savedQuerySavedObjectType } from '../../common/types'; import { pagePathGetters } from '../common/page_paths'; import { useErrorToast } from '../common/hooks/use_error_toast'; import { SAVED_QUERY_ID } from './constants'; @@ -21,18 +20,13 @@ interface UseSavedQueryProps { export const useSavedQuery = ({ savedQueryId }: UseSavedQueryProps) => { const { application: { navigateToApp }, - savedObjects, + http, } = useKibana().services; const setErrorToast = useErrorToast(); return useQuery( [SAVED_QUERY_ID, { savedQueryId }], - async () => - savedObjects.client.get<{ - id: string; - description?: string; - query: string; - }>(savedQuerySavedObjectType, savedQueryId), + () => http.get(`/internal/osquery/saved_query/${savedQueryId}`), { keepPreviousData: true, onSuccess: (data) => { @@ -44,9 +38,11 @@ export const useSavedQuery = ({ savedQueryId }: UseSavedQueryProps) => { navigateToApp(PLUGIN_ID, { path: pagePathGetters.saved_queries() }); } }, - onError: (error) => { - // @ts-expect-error update types - setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); + onError: (error: { body: { error: string; message: string } }) => { + setErrorToast(error, { + title: error.body.error, + toastMessage: error.body.message, + }); }, } ); diff --git a/x-pack/plugins/osquery/public/saved_queries/use_scheduled_query_group.ts b/x-pack/plugins/osquery/public/saved_queries/use_scheduled_query_group.ts deleted file mode 100644 index 93d552b3f71f3..0000000000000 --- a/x-pack/plugins/osquery/public/saved_queries/use_scheduled_query_group.ts +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { useQuery } from 'react-query'; - -import { useKibana } from '../common/lib/kibana'; -import { GetOnePackagePolicyResponse, packagePolicyRouteService } from '../../../fleet/common'; -import { OsqueryManagerPackagePolicy } from '../../common/types'; - -interface UseScheduledQueryGroup { - scheduledQueryGroupId: string; - skip?: boolean; -} - -export const useScheduledQueryGroup = ({ - scheduledQueryGroupId, - skip = false, -}: UseScheduledQueryGroup) => { - const { http } = useKibana().services; - - return useQuery< - Omit & { item: OsqueryManagerPackagePolicy }, - unknown, - OsqueryManagerPackagePolicy - >( - ['scheduledQueryGroup', { scheduledQueryGroupId }], - () => http.get(packagePolicyRouteService.getInfoPath(scheduledQueryGroupId)), - { - keepPreviousData: true, - enabled: !skip, - select: (response) => response.item, - } - ); -}; diff --git a/x-pack/plugins/osquery/public/saved_queries/use_update_saved_query.ts b/x-pack/plugins/osquery/public/saved_queries/use_update_saved_query.ts index 954b984d0c312..b2e23163a74c8 100644 --- a/x-pack/plugins/osquery/public/saved_queries/use_update_saved_query.ts +++ b/x-pack/plugins/osquery/public/saved_queries/use_update_saved_query.ts @@ -9,7 +9,6 @@ import { useMutation, useQueryClient } from 'react-query'; import { i18n } from '@kbn/i18n'; import { useKibana } from '../common/lib/kibana'; -import { savedQuerySavedObjectType } from '../../common/types'; import { PLUGIN_ID } from '../../common'; import { pagePathGetters } from '../common/page_paths'; import { SAVED_QUERIES_ID, SAVED_QUERY_ID } from './constants'; @@ -23,54 +22,22 @@ export const useUpdateSavedQuery = ({ savedQueryId }: UseUpdateSavedQueryProps) const queryClient = useQueryClient(); const { application: { navigateToApp }, - savedObjects, - security, notifications: { toasts }, + http, } = useKibana().services; const setErrorToast = useErrorToast(); return useMutation( - async (payload) => { - const currentUser = await security.authc.getCurrentUser(); - - if (!currentUser) { - throw new Error('CurrentUser is missing'); - } - - // @ts-expect-error update types - const payloadId = payload.id; - const conflictingEntries = await savedObjects.client.find({ - type: savedQuerySavedObjectType, - search: payloadId, - searchFields: ['id'], - }); - const conflictingObjects = conflictingEntries.savedObjects; - // we some how have more than one object with the same id - const updateConflicts = - conflictingObjects.length > 1 || - // or the one we conflict with isn't the same one we are updating - (conflictingObjects.length && conflictingObjects[0].id !== savedQueryId); - if (updateConflicts) { - throw new Error(`Saved query with id ${payloadId} already exists.`); - } - - return savedObjects.client.update(savedQuerySavedObjectType, savedQueryId, { - // @ts-expect-error update types - ...payload, - updated_by: currentUser.username, - updated_at: new Date(Date.now()).toISOString(), - }); - }, + (payload) => + http.put(`/internal/osquery/saved_query/${savedQueryId}`, { + body: JSON.stringify(payload), + }), { - onError: (error) => { - if (error instanceof Error) { - return setErrorToast(error, { - title: 'Saved query update error', - toastMessage: error.message, - }); - } - // @ts-expect-error update types - setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); + onError: (error: { body: { error: string; message: string } }) => { + setErrorToast(error, { + title: error.body.error, + toastMessage: error.body.message, + }); }, onSuccess: (payload) => { queryClient.invalidateQueries(SAVED_QUERIES_ID); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/active_state_switch.tsx b/x-pack/plugins/osquery/public/scheduled_query_groups/active_state_switch.tsx deleted file mode 100644 index 7f26534626b12..0000000000000 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/active_state_switch.tsx +++ /dev/null @@ -1,150 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { produce } from 'immer'; -import { EuiSwitch, EuiLoadingSpinner } from '@elastic/eui'; -import React, { useCallback, useState } from 'react'; -import { useMutation, useQueryClient } from 'react-query'; -import styled from 'styled-components'; -import { i18n } from '@kbn/i18n'; - -import { - PackagePolicy, - UpdatePackagePolicy, - packagePolicyRouteService, -} from '../../../fleet/common'; -import { useKibana } from '../common/lib/kibana'; -import { useAgentStatus } from '../agents/use_agent_status'; -import { useAgentPolicy } from '../agent_policies/use_agent_policy'; -import { ConfirmDeployAgentPolicyModal } from './form/confirmation_modal'; -import { useErrorToast } from '../common/hooks/use_error_toast'; - -const StyledEuiLoadingSpinner = styled(EuiLoadingSpinner)` - margin-right: ${({ theme }) => theme.eui.paddingSizes.s}; -`; - -interface ActiveStateSwitchProps { - disabled?: boolean; - item: PackagePolicy; -} - -const ActiveStateSwitchComponent: React.FC = ({ item }) => { - const queryClient = useQueryClient(); - const { - application: { - capabilities: { osquery: permissions }, - }, - http, - notifications: { toasts }, - } = useKibana().services; - const setErrorToast = useErrorToast(); - const [confirmationModal, setConfirmationModal] = useState(false); - - const hideConfirmationModal = useCallback(() => setConfirmationModal(false), []); - - const { data: agentStatus } = useAgentStatus({ policyId: item.policy_id }); - const { data: agentPolicy } = useAgentPolicy({ policyId: item.policy_id }); - - const { isLoading, mutate } = useMutation( - ({ id, ...payload }: UpdatePackagePolicy & { id: string }) => - http.put(packagePolicyRouteService.getUpdatePath(id), { - body: JSON.stringify(payload), - }), - { - onSuccess: (response) => { - queryClient.invalidateQueries('scheduledQueries'); - setErrorToast(); - toasts.addSuccess( - response.item.enabled - ? i18n.translate( - 'xpack.osquery.scheduledQueryGroup.table.activatedSuccessToastMessageText', - { - defaultMessage: 'Successfully activated {scheduledQueryGroupName}', - values: { - scheduledQueryGroupName: response.item.name, - }, - } - ) - : i18n.translate( - 'xpack.osquery.scheduledQueryGroup.table.deactivatedSuccessToastMessageText', - { - defaultMessage: 'Successfully deactivated {scheduledQueryGroupName}', - values: { - scheduledQueryGroupName: response.item.name, - }, - } - ) - ); - }, - onError: (error) => { - // @ts-expect-error update types - setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); - }, - } - ); - - const handleToggleActive = useCallback(() => { - const updatedPolicy = produce< - UpdatePackagePolicy & { id: string }, - Omit & - Partial<{ - revision: number; - updated_at: string; - updated_by: string; - created_at: string; - created_by: string; - }> - >(item, (draft) => { - delete draft.revision; - delete draft.updated_at; - delete draft.updated_by; - delete draft.created_at; - delete draft.created_by; - - draft.enabled = !item.enabled; - draft.inputs[0].streams.forEach((stream) => { - delete stream.compiled_stream; - }); - - return draft; - }); - - mutate(updatedPolicy); - hideConfirmationModal(); - }, [hideConfirmationModal, item, mutate]); - - const handleToggleActiveClick = useCallback(() => { - if (agentStatus?.total) { - return setConfirmationModal(true); - } - - handleToggleActive(); - }, [agentStatus?.total, handleToggleActive]); - - return ( - <> - {isLoading && } - - {confirmationModal && agentStatus?.total && ( - - )} - - ); -}; - -export const ActiveStateSwitch = React.memo(ActiveStateSwitchComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/form/index.tsx b/x-pack/plugins/osquery/public/scheduled_query_groups/form/index.tsx deleted file mode 100644 index bcc82c5f27c99..0000000000000 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/form/index.tsx +++ /dev/null @@ -1,411 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { mapKeys } from 'lodash'; -import { merge } from 'lodash/fp'; -import { - EuiFlexGroup, - EuiFlexItem, - EuiButtonEmpty, - EuiButton, - EuiDescribedFormGroup, - EuiSpacer, - EuiBottomBar, - EuiHorizontalRule, -} from '@elastic/eui'; -import React, { useCallback, useMemo, useState } from 'react'; -import { useMutation, useQueryClient } from 'react-query'; -import { produce } from 'immer'; -import { i18n } from '@kbn/i18n'; -import { FormattedMessage } from '@kbn/i18n/react'; - -import { PLUGIN_ID } from '../../../common'; -import { OsqueryManagerPackagePolicy } from '../../../common/types'; -import { - AgentPolicy, - PackagePolicyPackage, - packagePolicyRouteService, -} from '../../../../fleet/common'; -import { - Form, - useForm, - useFormData, - getUseField, - Field, - FIELD_TYPES, - fieldValidators, -} from '../../shared_imports'; -import { useKibana, useRouterNavigate } from '../../common/lib/kibana'; -import { PolicyIdComboBoxField } from './policy_id_combobox_field'; -import { QueriesField } from './queries_field'; -import { ConfirmDeployAgentPolicyModal } from './confirmation_modal'; -import { useAgentPolicies } from '../../agent_policies'; -import { useErrorToast } from '../../common/hooks/use_error_toast'; - -const GhostFormField = () => <>; - -const FORM_ID = 'scheduledQueryForm'; - -const CommonUseField = getUseField({ component: Field }); - -interface ScheduledQueryGroupFormProps { - defaultValue?: OsqueryManagerPackagePolicy; - packageInfo?: PackagePolicyPackage; - editMode?: boolean; -} - -const ScheduledQueryGroupFormComponent: React.FC = ({ - defaultValue, - packageInfo, - editMode = false, -}) => { - const queryClient = useQueryClient(); - const { - application: { navigateToApp }, - http, - notifications: { toasts }, - } = useKibana().services; - const setErrorToast = useErrorToast(); - const [showConfirmationModal, setShowConfirmationModal] = useState(false); - const handleHideConfirmationModal = useCallback(() => setShowConfirmationModal(false), []); - - const { data: agentPolicies } = useAgentPolicies(); - const agentPoliciesById = mapKeys(agentPolicies, 'id'); - const agentPolicyOptions = useMemo( - () => - agentPolicies?.map((agentPolicy) => ({ - key: agentPolicy.id, - label: agentPolicy.id, - })) ?? [], - [agentPolicies] - ); - - const cancelButtonProps = useRouterNavigate( - `scheduled_query_groups/${editMode ? defaultValue?.id : ''}` - ); - - const { mutateAsync } = useMutation( - (payload: Record) => - editMode && defaultValue?.id - ? http.put(packagePolicyRouteService.getUpdatePath(defaultValue.id), { - body: JSON.stringify(payload), - }) - : http.post(packagePolicyRouteService.getCreatePath(), { - body: JSON.stringify(payload), - }), - { - onSuccess: (data) => { - if (!editMode) { - navigateToApp(PLUGIN_ID, { path: `scheduled_query_groups/${data.item.id}` }); - toasts.addSuccess( - i18n.translate('xpack.osquery.scheduledQueryGroup.form.createSuccessToastMessageText', { - defaultMessage: 'Successfully scheduled {scheduledQueryGroupName}', - values: { - scheduledQueryGroupName: data.item.name, - }, - }) - ); - return; - } - - queryClient.invalidateQueries([ - 'scheduledQueryGroup', - { scheduledQueryGroupId: data.item.id }, - ]); - setErrorToast(); - navigateToApp(PLUGIN_ID, { path: `scheduled_query_groups/${data.item.id}` }); - toasts.addSuccess( - i18n.translate('xpack.osquery.scheduledQueryGroup.form.updateSuccessToastMessageText', { - defaultMessage: 'Successfully updated {scheduledQueryGroupName}', - values: { - scheduledQueryGroupName: data.item.name, - }, - }) - ); - }, - onError: (error) => { - // @ts-expect-error update types - setErrorToast(error, { title: error.body.error, toastMessage: error.body.message }); - }, - } - ); - - const { form } = useForm< - Omit & { - policy_id: string; - }, - Omit & { - policy_id: string[]; - namespace: string[]; - } - >({ - id: FORM_ID, - schema: { - name: { - type: FIELD_TYPES.TEXT, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.form.nameFieldLabel', { - defaultMessage: 'Name', - }), - validations: [ - { - validator: fieldValidators.emptyField( - i18n.translate( - 'xpack.osquery.scheduledQueryGroup.form.nameFieldRequiredErrorMessage', - { - defaultMessage: 'Name is a required field', - } - ) - ), - }, - ], - }, - description: { - type: FIELD_TYPES.TEXT, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.form.descriptionFieldLabel', { - defaultMessage: 'Description', - }), - }, - namespace: { - type: FIELD_TYPES.COMBO_BOX, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.form.namespaceFieldLabel', { - defaultMessage: 'Namespace', - }), - }, - policy_id: { - type: FIELD_TYPES.COMBO_BOX, - label: i18n.translate('xpack.osquery.scheduledQueryGroup.form.agentPolicyFieldLabel', { - defaultMessage: 'Agent policy', - }), - validations: [ - { - validator: fieldValidators.emptyField( - i18n.translate( - 'xpack.osquery.scheduledQueryGroup.form.policyIdFieldRequiredErrorMessage', - { - defaultMessage: 'Agent policy is a required field', - } - ) - ), - }, - ], - }, - }, - onSubmit: (payload, isValid) => { - if (!isValid) return Promise.resolve(); - const formData = produce(payload, (draft) => { - if (draft.inputs?.length) { - draft.inputs[0].streams?.forEach((stream) => { - delete stream.compiled_stream; - - // we don't want to send id as null when creating the policy - if (stream.id == null) { - // @ts-expect-error update types - delete stream.id; - } - }); - } - - return draft; - }); - return mutateAsync(formData); - }, - options: { - stripEmptyFields: false, - }, - deserializer: (payload) => ({ - ...payload, - policy_id: payload.policy_id.length ? [payload.policy_id] : [], - namespace: [payload.namespace], - }), - serializer: (payload) => ({ - ...payload, - policy_id: payload.policy_id[0], - namespace: payload.namespace[0], - }), - defaultValue: merge( - { - name: '', - description: '', - enabled: true, - policy_id: '', - namespace: 'default', - output_id: '', - // eslint-disable-next-line @typescript-eslint/no-non-null-assertion - package: packageInfo!, - inputs: [ - { - type: 'osquery', - enabled: true, - streams: [], - }, - ], - }, - defaultValue ?? {} - ), - }); - - const { setFieldValue, submit, isSubmitting } = form; - - const policyIdEuiFieldProps = useMemo( - () => ({ isDisabled: !!defaultValue, options: agentPolicyOptions }), - [defaultValue, agentPolicyOptions] - ); - - const [ - { - name: queryName, - package: { version: integrationPackageVersion } = { version: undefined }, - policy_id: policyId, - }, - ] = useFormData({ - form, - watch: ['name', 'package', 'policy_id'], - }); - - const currentPolicy = useMemo(() => { - if (!policyId) { - return { - agentCount: 0, - agentPolicy: {} as AgentPolicy, - }; - } - - const currentAgentPolicy = agentPoliciesById[policyId[0]]; - return { - agentCount: currentAgentPolicy?.agents ?? 0, - agentPolicy: currentAgentPolicy, - }; - }, [agentPoliciesById, policyId]); - - const handleNameChange = useCallback( - (newName: string) => { - if (queryName === '') { - setFieldValue('name', newName); - } - }, - [setFieldValue, queryName] - ); - - const handleSaveClick = useCallback(() => { - if (currentPolicy.agentCount) { - setShowConfirmationModal(true); - return; - } - - submit().catch((error) => { - form.reset({ resetValues: false }); - setErrorToast(error, { title: error.name, toastMessage: error.message }); - }); - }, [currentPolicy.agentCount, submit, form, setErrorToast]); - - const handleConfirmConfirmationClick = useCallback(() => { - submit().catch((error) => { - form.reset({ resetValues: false }); - setErrorToast(error, { title: error.name, toastMessage: error.message }); - }); - setShowConfirmationModal(false); - }, [submit, form, setErrorToast]); - - return ( - <> -
- - -

- } - fullWidth - description={ - - } - > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {showConfirmationModal && ( - - )} - - ); -}; - -export const ScheduledQueryGroupForm = React.memo(ScheduledQueryGroupFormComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/form/queries_field.tsx b/x-pack/plugins/osquery/public/scheduled_query_groups/form/queries_field.tsx deleted file mode 100644 index 7eec37d62d52e..0000000000000 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/form/queries_field.tsx +++ /dev/null @@ -1,334 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { findIndex, forEach, pullAt, pullAllBy } from 'lodash'; -import { EuiFlexGroup, EuiFlexItem, EuiButton, EuiSpacer } from '@elastic/eui'; -import { produce } from 'immer'; -import React, { useCallback, useMemo, useState } from 'react'; -import { FormattedMessage } from '@kbn/i18n/react'; -import { satisfies } from 'semver'; - -import { - OsqueryManagerPackagePolicyInputStream, - OsqueryManagerPackagePolicyInput, -} from '../../../common/types'; -import { OSQUERY_INTEGRATION_NAME } from '../../../common'; -import { FieldHook } from '../../shared_imports'; -import { ScheduledQueryGroupQueriesTable } from '../scheduled_query_group_queries_table'; -import { QueryFlyout } from '../queries/query_flyout'; -import { OsqueryPackUploader } from './pack_uploader'; -import { getSupportedPlatforms } from '../queries/platforms/helpers'; - -interface QueriesFieldProps { - handleNameChange: (name: string) => void; - field: FieldHook; - integrationPackageVersion?: string | undefined; - scheduledQueryGroupId: string; -} - -interface GetNewStreamProps { - id: string; - interval: string; - query: string; - platform?: string | undefined; - version?: string | undefined; - scheduledQueryGroupId?: string; - ecs_mapping?: Record< - string, - { - field: string; - } - >; -} - -interface GetNewStreamReturn extends Omit { - id?: string | null; -} - -const getNewStream = (payload: GetNewStreamProps) => - produce( - { - data_stream: { type: 'logs', dataset: `${OSQUERY_INTEGRATION_NAME}.result` }, - enabled: true, - id: payload.scheduledQueryGroupId - ? `osquery-${OSQUERY_INTEGRATION_NAME}.result-${payload.scheduledQueryGroupId}` - : null, - vars: { - id: { type: 'text', value: payload.id }, - interval: { - type: 'integer', - value: payload.interval, - }, - query: { type: 'text', value: payload.query }, - }, - }, - (draft) => { - if (payload.platform && draft.vars) { - draft.vars.platform = { type: 'text', value: payload.platform }; - } - if (payload.version && draft.vars) { - draft.vars.version = { type: 'text', value: payload.version }; - } - if (payload.ecs_mapping && draft.vars) { - draft.vars.ecs_mapping = { - value: payload.ecs_mapping, - }; - } - return draft; - } - ); - -const QueriesFieldComponent: React.FC = ({ - field, - handleNameChange, - integrationPackageVersion, - scheduledQueryGroupId, -}) => { - const [showAddQueryFlyout, setShowAddQueryFlyout] = useState(false); - const [showEditQueryFlyout, setShowEditQueryFlyout] = useState(-1); - const [tableSelectedItems, setTableSelectedItems] = useState< - OsqueryManagerPackagePolicyInputStream[] - >([]); - - const handleShowAddFlyout = useCallback(() => setShowAddQueryFlyout(true), []); - const handleHideAddFlyout = useCallback(() => setShowAddQueryFlyout(false), []); - const handleHideEditFlyout = useCallback(() => setShowEditQueryFlyout(-1), []); - - const { setValue } = field; - - const handleDeleteClick = useCallback( - (stream: OsqueryManagerPackagePolicyInputStream) => { - const streamIndex = findIndex(field.value[0].streams, [ - 'vars.id.value', - stream.vars?.id.value, - ]); - - if (streamIndex > -1) { - setValue( - produce((draft) => { - pullAt(draft[0].streams, [streamIndex]); - - return draft; - }) - ); - } - }, - [field.value, setValue] - ); - - const handleEditClick = useCallback( - (stream: OsqueryManagerPackagePolicyInputStream) => { - const streamIndex = findIndex(field.value[0].streams, [ - 'vars.id.value', - stream.vars?.id.value, - ]); - - setShowEditQueryFlyout(streamIndex); - }, - [field.value] - ); - - const handleEditQuery = useCallback( - (updatedQuery) => - new Promise((resolve) => { - if (showEditQueryFlyout >= 0) { - setValue( - produce((draft) => { - // @ts-expect-error update - draft[0].streams[showEditQueryFlyout].vars.id.value = updatedQuery.id; - // @ts-expect-error update - draft[0].streams[showEditQueryFlyout].vars.interval.value = updatedQuery.interval; - // @ts-expect-error update - draft[0].streams[showEditQueryFlyout].vars.query.value = updatedQuery.query; - - if (updatedQuery.platform?.length) { - // @ts-expect-error update - draft[0].streams[showEditQueryFlyout].vars.platform = { - type: 'text', - value: updatedQuery.platform, - }; - } else { - // @ts-expect-error update - delete draft[0].streams[showEditQueryFlyout].vars.platform; - } - - if (updatedQuery.version?.length) { - // @ts-expect-error update - draft[0].streams[showEditQueryFlyout].vars.version = { - type: 'text', - value: updatedQuery.version, - }; - } else { - // @ts-expect-error update - delete draft[0].streams[showEditQueryFlyout].vars.version; - } - - if (updatedQuery.ecs_mapping) { - // @ts-expect-error update - draft[0].streams[showEditQueryFlyout].vars.ecs_mapping = { - value: updatedQuery.ecs_mapping, - }; - } else { - // @ts-expect-error update - delete draft[0].streams[showEditQueryFlyout].vars.ecs_mapping; - } - - return draft; - }) - ); - } - - handleHideEditFlyout(); - resolve(); - }), - [handleHideEditFlyout, setValue, showEditQueryFlyout] - ); - - const handleAddQuery = useCallback( - (newQuery) => - new Promise((resolve) => { - setValue( - produce((draft) => { - draft[0].streams.push( - // @ts-expect-error update - getNewStream({ - ...newQuery, - scheduledQueryGroupId, - }) - ); - return draft; - }) - ); - handleHideAddFlyout(); - resolve(); - }), - [handleHideAddFlyout, scheduledQueryGroupId, setValue] - ); - - const handleDeleteQueries = useCallback(() => { - setValue( - produce((draft) => { - pullAllBy(draft[0].streams, tableSelectedItems, 'vars.id.value'); - - return draft; - }) - ); - setTableSelectedItems([]); - }, [setValue, tableSelectedItems]); - - const handlePackUpload = useCallback( - (parsedContent, packName) => { - /* Osquery scheduled packs are supported since osquery_manager@0.5.0 */ - const isOsqueryPackSupported = integrationPackageVersion - ? satisfies(integrationPackageVersion, '>=0.5.0') - : false; - - setValue( - produce((draft) => { - forEach(parsedContent.queries, (newQuery, newQueryId) => { - draft[0].streams.push( - // @ts-expect-error update - getNewStream({ - id: isOsqueryPackSupported ? newQueryId : `pack_${packName}_${newQueryId}`, - interval: newQuery.interval ?? parsedContent.interval, - query: newQuery.query, - version: newQuery.version ?? parsedContent.version, - platform: getSupportedPlatforms(newQuery.platform ?? parsedContent.platform), - scheduledQueryGroupId, - }) - ); - }); - - return draft; - }) - ); - - if (isOsqueryPackSupported) { - handleNameChange(packName); - } - }, - [handleNameChange, integrationPackageVersion, scheduledQueryGroupId, setValue] - ); - - const tableData = useMemo( - () => (field.value.length ? field.value[0].streams : []), - [field.value] - ); - - const uniqueQueryIds = useMemo( - () => - field.value && field.value[0].streams.length - ? field.value[0].streams.reduce((acc, stream) => { - if (stream.vars?.id.value) { - acc.push(stream.vars?.id.value); - } - - return acc; - }, [] as string[]) - : [], - [field.value] - ); - - return ( - <> - - - {!tableSelectedItems.length ? ( - - - - ) : ( - - - - )} - - - - {field.value && field.value[0].streams?.length ? ( - - ) : null} - - {} - {showAddQueryFlyout && ( - - )} - {showEditQueryFlyout != null && showEditQueryFlyout >= 0 && ( - - )} - - ); -}; - -export const QueriesField = React.memo(QueriesFieldComponent); diff --git a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_groups.ts b/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_groups.ts deleted file mode 100644 index 01b67a3d5164a..0000000000000 --- a/x-pack/plugins/osquery/public/scheduled_query_groups/use_scheduled_query_groups.ts +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { produce } from 'immer'; -import { useQuery } from 'react-query'; - -import { useKibana } from '../common/lib/kibana'; -import { ListResult, PackagePolicy, PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../fleet/common'; -import { OSQUERY_INTEGRATION_NAME } from '../../common'; - -export const useScheduledQueryGroups = () => { - const { http } = useKibana().services; - - return useQuery>( - ['scheduledQueries'], - () => - http.get('/internal/osquery/scheduled_query_group', { - query: { - page: 1, - perPage: 10000, - kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name: ${OSQUERY_INTEGRATION_NAME}`, - }, - }), - { - keepPreviousData: true, - select: produce((draft: ListResult) => { - draft.items = draft.items.filter( - (item) => - !( - item.inputs[0].streams.length === 1 && - !item.inputs[0].streams[0].compiled_stream.query - ) - ); - }), - } - ); -}; diff --git a/x-pack/plugins/osquery/public/shared_imports.ts b/x-pack/plugins/osquery/public/shared_imports.ts index ea9daf334844a..8ffdc387bf76e 100644 --- a/x-pack/plugins/osquery/public/shared_imports.ts +++ b/x-pack/plugins/osquery/public/shared_imports.ts @@ -34,6 +34,7 @@ export { ComboBoxField, ToggleField, SelectField, + JsonEditorField, } from '../../../../src/plugins/es_ui_shared/static/forms/components'; export { fieldValidators } from '../../../../src/plugins/es_ui_shared/static/forms/helpers'; export { ERROR_CODE } from '../../../../src/plugins/es_ui_shared/static/forms/helpers/field_validators/types'; diff --git a/x-pack/plugins/osquery/server/config.ts b/x-pack/plugins/osquery/server/config.ts index 1fd4b5dbe5ac2..88bdc368a0bba 100644 --- a/x-pack/plugins/osquery/server/config.ts +++ b/x-pack/plugins/osquery/server/config.ts @@ -10,7 +10,7 @@ import { TypeOf, schema } from '@kbn/config-schema'; export const ConfigSchema = schema.object({ actionEnabled: schema.boolean({ defaultValue: false }), savedQueries: schema.boolean({ defaultValue: true }), - packs: schema.boolean({ defaultValue: false }), + packs: schema.boolean({ defaultValue: true }), }); export type ConfigType = TypeOf; diff --git a/x-pack/plugins/osquery/server/create_config.ts b/x-pack/plugins/osquery/server/create_config.ts index d52f299a692cf..6e4a4e7742f7a 100644 --- a/x-pack/plugins/osquery/server/create_config.ts +++ b/x-pack/plugins/osquery/server/create_config.ts @@ -9,6 +9,5 @@ import { PluginInitializerContext } from 'kibana/server'; import { ConfigType } from './config'; -export const createConfig = (context: PluginInitializerContext): Readonly => { - return context.config.get(); -}; +export const createConfig = (context: PluginInitializerContext): Readonly => + context.config.get(); diff --git a/x-pack/plugins/osquery/server/lib/saved_query/saved_object_mappings.ts b/x-pack/plugins/osquery/server/lib/saved_query/saved_object_mappings.ts index 537b6d7874ab8..a633fe4923aeb 100644 --- a/x-pack/plugins/osquery/server/lib/saved_query/saved_object_mappings.ts +++ b/x-pack/plugins/osquery/server/lib/saved_query/saved_object_mappings.ts @@ -41,6 +41,10 @@ export const savedQuerySavedObjectMappings: SavedObjectsType['mappings'] = { interval: { type: 'keyword', }, + ecs_mapping: { + type: 'object', + enabled: false, + }, }, }; @@ -63,22 +67,38 @@ export const packSavedObjectMappings: SavedObjectsType['mappings'] = { type: 'date', }, created_by: { - type: 'text', + type: 'keyword', }, updated_at: { type: 'date', }, updated_by: { - type: 'text', + type: 'keyword', + }, + enabled: { + type: 'boolean', }, queries: { properties: { - name: { + id: { type: 'keyword', }, + query: { + type: 'text', + }, interval: { type: 'text', }, + platform: { + type: 'keyword', + }, + version: { + type: 'keyword', + }, + ecs_mapping: { + type: 'object', + enabled: false, + }, }, }, }, diff --git a/x-pack/plugins/osquery/server/plugin.ts b/x-pack/plugins/osquery/server/plugin.ts index 420fc429f97f4..1bb394843e5b7 100644 --- a/x-pack/plugins/osquery/server/plugin.ts +++ b/x-pack/plugins/osquery/server/plugin.ts @@ -7,6 +7,7 @@ import { i18n } from '@kbn/i18n'; import { + ASSETS_SAVED_OBJECT_TYPE, PACKAGE_POLICY_SAVED_OBJECT_TYPE, AGENT_POLICY_SAVED_OBJECT_TYPE, PACKAGES_SAVED_OBJECT_TYPE, @@ -47,8 +48,12 @@ const registerFeatures = (features: SetupPlugins['features']) => { app: [PLUGIN_ID, 'kibana'], catalogue: [PLUGIN_ID], savedObject: { - all: [PACKAGE_POLICY_SAVED_OBJECT_TYPE], - read: [PACKAGES_SAVED_OBJECT_TYPE, AGENT_POLICY_SAVED_OBJECT_TYPE], + all: [ + PACKAGE_POLICY_SAVED_OBJECT_TYPE, + ASSETS_SAVED_OBJECT_TYPE, + AGENT_POLICY_SAVED_OBJECT_TYPE, + ], + read: [PACKAGES_SAVED_OBJECT_TYPE], }, ui: ['write'], }, @@ -129,6 +134,7 @@ const registerFeatures = (features: SetupPlugins['features']) => { groupType: 'mutually_exclusive', privileges: [ { + api: [`${PLUGIN_ID}-writeSavedQueries`], id: 'saved_queries_all', includeIn: 'all', name: 'All', @@ -139,6 +145,7 @@ const registerFeatures = (features: SetupPlugins['features']) => { ui: ['writeSavedQueries', 'readSavedQueries'], }, { + api: [`${PLUGIN_ID}-readSavedQueries`], id: 'saved_queries_read', includeIn: 'read', name: 'Read', @@ -153,9 +160,8 @@ const registerFeatures = (features: SetupPlugins['features']) => { ], }, { - // TODO: Rename it to "Packs" as part of https://github.com/elastic/kibana/pull/107345 - name: i18n.translate('xpack.osquery.features.scheduledQueryGroupsSubFeatureName', { - defaultMessage: 'Scheduled query groups', + name: i18n.translate('xpack.osquery.features.packsSubFeatureName', { + defaultMessage: 'Packs', }), privilegeGroups: [ { @@ -167,7 +173,11 @@ const registerFeatures = (features: SetupPlugins['features']) => { includeIn: 'all', name: 'All', savedObject: { - all: [packSavedObjectType], + all: [ + PACKAGE_POLICY_SAVED_OBJECT_TYPE, + ASSETS_SAVED_OBJECT_TYPE, + packSavedObjectType, + ], read: [], }, ui: ['writePacks', 'readPacks'], diff --git a/x-pack/plugins/osquery/server/routes/action/create_action_route.ts b/x-pack/plugins/osquery/server/routes/action/create_action_route.ts index aed6c34d33f94..656f05f76031a 100644 --- a/x-pack/plugins/osquery/server/routes/action/create_action_route.ts +++ b/x-pack/plugins/osquery/server/routes/action/create_action_route.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { pickBy } from 'lodash'; import uuid from 'uuid'; import moment from 'moment-timezone'; @@ -68,10 +69,12 @@ export const createActionRoute = (router: IRouter, osqueryContext: OsqueryAppCon input_type: 'osquery', agents: selectedAgents, user_id: currentUser, - data: { + data: pickBy({ id: uuid.v4(), query: request.body.query, - }, + saved_query_id: request.body.saved_query_id, + ecs_mapping: request.body.ecs_mapping, + }), }; const actionResponse = await esClient.index<{}, {}>({ index: '.fleet-actions', diff --git a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts index 08b5b4314f1f1..accfc2d9ef4da 100644 --- a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts +++ b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts @@ -7,8 +7,14 @@ import bluebird from 'bluebird'; import { schema } from '@kbn/config-schema'; -import { GetAgentPoliciesResponseItem, AGENT_SAVED_OBJECT_TYPE } from '../../../../fleet/common'; -import { PLUGIN_ID } from '../../../common'; +import { filter, uniq, map } from 'lodash'; +import { satisfies } from 'semver'; +import { + GetAgentPoliciesResponseItem, + PACKAGE_POLICY_SAVED_OBJECT_TYPE, + PackagePolicy, +} from '../../../../fleet/common'; +import { OSQUERY_INTEGRATION_NAME, PLUGIN_ID } from '../../../common'; import { IRouter } from '../../../../../../src/core/server'; import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; @@ -25,31 +31,33 @@ export const getAgentPoliciesRoute = (router: IRouter, osqueryContext: OsqueryAp async (context, request, response) => { const soClient = context.core.savedObjects.client; const esClient = context.core.elasticsearch.client.asInternalUser; + const agentService = osqueryContext.service.getAgentService(); + const agentPolicyService = osqueryContext.service.getAgentPolicyService(); + const packagePolicyService = osqueryContext.service.getPackagePolicyService(); - // TODO: Use getAgentPoliciesHandler from x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts - const body = await osqueryContext.service.getAgentPolicyService()?.list(soClient, { - ...(request.query || {}), - perPage: 100, - }); + const { items: packagePolicies } = (await packagePolicyService?.list(soClient, { + kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:${OSQUERY_INTEGRATION_NAME}`, + perPage: 1000, + page: 1, + })) ?? { items: [] as PackagePolicy[] }; + const supportedPackagePolicyIds = filter(packagePolicies, (packagePolicy) => + satisfies(packagePolicy.package?.version ?? '', '>=0.6.0') + ); + const agentPolicyIds = uniq(map(supportedPackagePolicyIds, 'policy_id')); + const agentPolicies = await agentPolicyService?.getByIds(soClient, agentPolicyIds); - if (body?.items) { + if (agentPolicies?.length) { await bluebird.map( - body.items, + agentPolicies, (agentPolicy: GetAgentPoliciesResponseItem) => - osqueryContext.service - .getAgentService() - ?.listAgents(esClient, { - showInactive: false, - perPage: 0, - page: 1, - kuery: `${AGENT_SAVED_OBJECT_TYPE}.policy_id:${agentPolicy.id}`, - }) + agentService + ?.getAgentStatusForAgentPolicy(esClient, agentPolicy.id) .then(({ total: agentTotal }) => (agentPolicy.agents = agentTotal)), { concurrency: 10 } ); } - return response.ok({ body }); + return response.ok({ body: agentPolicies }); } ); }; diff --git a/x-pack/plugins/osquery/server/routes/index.ts b/x-pack/plugins/osquery/server/routes/index.ts index c927c711a23cb..b32f0c5578207 100644 --- a/x-pack/plugins/osquery/server/routes/index.ts +++ b/x-pack/plugins/osquery/server/routes/index.ts @@ -12,23 +12,13 @@ import { initSavedQueryRoutes } from './saved_query'; import { initStatusRoutes } from './status'; import { initFleetWrapperRoutes } from './fleet_wrapper'; import { initPackRoutes } from './pack'; -import { initScheduledQueryGroupRoutes } from './scheduled_query_group'; import { initPrivilegesCheckRoutes } from './privileges_check'; export const defineRoutes = (router: IRouter, context: OsqueryAppContext) => { - const config = context.config(); - initActionRoutes(router, context); initStatusRoutes(router, context); - initScheduledQueryGroupRoutes(router, context); + initPackRoutes(router, context); initFleetWrapperRoutes(router, context); initPrivilegesCheckRoutes(router, context); - - if (config.packs) { - initPackRoutes(router); - } - - if (config.savedQueries) { - initSavedQueryRoutes(router); - } + initSavedQueryRoutes(router, context); }; diff --git a/x-pack/plugins/osquery/server/routes/pack/create_pack_route.ts b/x-pack/plugins/osquery/server/routes/pack/create_pack_route.ts index 3707c3d3e91ec..16710d578abb7 100644 --- a/x-pack/plugins/osquery/server/routes/pack/create_pack_route.ts +++ b/x-pack/plugins/osquery/server/routes/pack/create_pack_route.ts @@ -5,58 +5,142 @@ * 2.0. */ +import moment from 'moment-timezone'; +import { has, mapKeys, set, unset, find } from 'lodash'; import { schema } from '@kbn/config-schema'; +import { produce } from 'immer'; +import { + AGENT_POLICY_SAVED_OBJECT_TYPE, + PACKAGE_POLICY_SAVED_OBJECT_TYPE, + PackagePolicy, +} from '../../../../fleet/common'; import { IRouter } from '../../../../../../src/core/server'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; +import { OSQUERY_INTEGRATION_NAME } from '../../../common'; +import { PLUGIN_ID } from '../../../common'; +import { packSavedObjectType } from '../../../common/types'; +import { convertPackQueriesToSO } from './utils'; -import { packSavedObjectType, savedQuerySavedObjectType } from '../../../common/types'; - -export const createPackRoute = (router: IRouter) => { +export const createPackRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.post( { - path: '/internal/osquery/pack', + path: '/internal/osquery/packs', validate: { - body: schema.object({}, { unknowns: 'allow' }), + body: schema.object( + { + name: schema.string(), + description: schema.maybe(schema.string()), + enabled: schema.maybe(schema.boolean()), + policy_ids: schema.maybe(schema.arrayOf(schema.string())), + queries: schema.recordOf( + schema.string(), + schema.object({ + query: schema.string(), + interval: schema.maybe(schema.number()), + platform: schema.maybe(schema.string()), + version: schema.maybe(schema.string()), + ecs_mapping: schema.maybe( + schema.recordOf( + schema.string(), + schema.object({ + field: schema.string(), + }) + ) + ), + }) + ), + }, + { unknowns: 'allow' } + ), }, + options: { tags: [`access:${PLUGIN_ID}-writePacks`] }, }, async (context, request, response) => { + const esClient = context.core.elasticsearch.client.asCurrentUser; const savedObjectsClient = context.core.savedObjects.client; + const agentPolicyService = osqueryContext.service.getAgentPolicyService(); - // @ts-expect-error update types - const { name, description, queries } = request.body; + const packagePolicyService = osqueryContext.service.getPackagePolicyService(); + const currentUser = await osqueryContext.security.authc.getCurrentUser(request)?.username; - // @ts-expect-error update types - const references = queries.map((savedQuery) => ({ - type: savedQuerySavedObjectType, - id: savedQuery.id, - name: savedQuery.name, - })); - - const { - attributes, - // eslint-disable-next-line @typescript-eslint/no-unused-vars - references: _, - ...restSO - } = await savedObjectsClient.create( + // eslint-disable-next-line @typescript-eslint/naming-convention + const { name, description, queries, enabled, policy_ids } = request.body; + + const conflictingEntries = await savedObjectsClient.find({ + type: packSavedObjectType, + search: name, + searchFields: ['name'], + }); + + if (conflictingEntries.saved_objects.length) { + return response.conflict({ body: `Pack with name "${name}" already exists.` }); + } + + const { items: packagePolicies } = (await packagePolicyService?.list(savedObjectsClient, { + kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:${OSQUERY_INTEGRATION_NAME}`, + perPage: 1000, + page: 1, + })) ?? { items: [] }; + + const agentPolicies = policy_ids + ? mapKeys(await agentPolicyService?.getByIds(savedObjectsClient, policy_ids), 'id') + : {}; + + const references = policy_ids + ? policy_ids.map((policyId: string) => ({ + id: policyId, + name: agentPolicies[policyId].name, + type: AGENT_POLICY_SAVED_OBJECT_TYPE, + })) + : []; + + const packSO = await savedObjectsClient.create( packSavedObjectType, { name, description, - // @ts-expect-error update types - // eslint-disable-next-line @typescript-eslint/no-unused-vars - queries: queries.map(({ id, query, ...rest }) => rest), + queries: convertPackQueriesToSO(queries), + enabled, + created_at: moment().toISOString(), + created_by: currentUser, + updated_at: moment().toISOString(), + updated_by: currentUser, }, { references, + refresh: 'wait_for', } ); - return response.ok({ - body: { - ...restSO, - ...attributes, - queries, - }, - }); + if (enabled && policy_ids?.length) { + await Promise.all( + policy_ids.map((agentPolicyId) => { + const packagePolicy = find(packagePolicies, ['policy_id', agentPolicyId]); + if (packagePolicy) { + return packagePolicyService?.update( + savedObjectsClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + if (!has(draft, 'inputs[0].streams')) { + set(draft, 'inputs[0].streams', []); + } + set(draft, `inputs[0].config.osquery.value.packs.${packSO.attributes.name}`, { + queries, + }); + return draft; + }) + ); + } + }) + ); + } + + // @ts-expect-error update types + packSO.attributes.queries = queries; + + return response.ok({ body: packSO }); } ); }; diff --git a/x-pack/plugins/osquery/server/routes/pack/delete_pack_route.ts b/x-pack/plugins/osquery/server/routes/pack/delete_pack_route.ts index 3e1cf5bfaed02..aa4496035f774 100644 --- a/x-pack/plugins/osquery/server/routes/pack/delete_pack_route.ts +++ b/x-pack/plugins/osquery/server/routes/pack/delete_pack_route.ts @@ -5,37 +5,71 @@ * 2.0. */ +import { has, filter, unset } from 'lodash'; +import { produce } from 'immer'; import { schema } from '@kbn/config-schema'; +import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../fleet/common'; +import { OSQUERY_INTEGRATION_NAME } from '../../../common'; +import { PLUGIN_ID } from '../../../common'; import { IRouter } from '../../../../../../src/core/server'; import { packSavedObjectType } from '../../../common/types'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; -export const deletePackRoute = (router: IRouter) => { +export const deletePackRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.delete( { - path: '/internal/osquery/pack', + path: '/internal/osquery/packs/{id}', validate: { - body: schema.object({}, { unknowns: 'allow' }), + params: schema.object({ + id: schema.string(), + }), }, + options: { tags: [`access:${PLUGIN_ID}-writePacks`] }, }, async (context, request, response) => { + const esClient = context.core.elasticsearch.client.asCurrentUser; const savedObjectsClient = context.core.savedObjects.client; + const packagePolicyService = osqueryContext.service.getPackagePolicyService(); - // @ts-expect-error update types - const { packIds } = request.body; + const currentPackSO = await savedObjectsClient.get<{ name: string }>( + packSavedObjectType, + request.params.id + ); + + await savedObjectsClient.delete(packSavedObjectType, request.params.id, { + refresh: 'wait_for', + }); + + const { items: packagePolicies } = (await packagePolicyService?.list(savedObjectsClient, { + kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:${OSQUERY_INTEGRATION_NAME}`, + perPage: 1000, + page: 1, + })) ?? { items: [] }; + const currentPackagePolicies = filter(packagePolicies, (packagePolicy) => + has(packagePolicy, `inputs[0].config.osquery.value.packs.${currentPackSO.attributes.name}`) + ); await Promise.all( - packIds.map( - // @ts-expect-error update types - async (packId) => - await savedObjectsClient.delete(packSavedObjectType, packId, { - refresh: 'wait_for', + currentPackagePolicies.map((packagePolicy) => + packagePolicyService?.update( + savedObjectsClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + unset( + draft, + `inputs[0].config.osquery.value.packs.${[currentPackSO.attributes.name]}` + ); + return draft; }) + ) ) ); return response.ok({ - body: packIds, + body: {}, }); } ); diff --git a/x-pack/plugins/osquery/server/routes/pack/find_pack_route.ts b/x-pack/plugins/osquery/server/routes/pack/find_pack_route.ts index d4f4adfc24e3e..24891b1d9f664 100644 --- a/x-pack/plugins/osquery/server/routes/pack/find_pack_route.ts +++ b/x-pack/plugins/osquery/server/routes/pack/find_pack_route.ts @@ -5,19 +5,32 @@ * 2.0. */ -import { find, map, uniq } from 'lodash/fp'; +import { filter, map } from 'lodash'; import { schema } from '@kbn/config-schema'; +import { AGENT_POLICY_SAVED_OBJECT_TYPE } from '../../../../fleet/common'; import { IRouter } from '../../../../../../src/core/server'; -import { packSavedObjectType, savedQuerySavedObjectType } from '../../../common/types'; +import { packSavedObjectType } from '../../../common/types'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; +import { PLUGIN_ID } from '../../../common'; -export const findPackRoute = (router: IRouter) => { +// eslint-disable-next-line @typescript-eslint/no-unused-vars +export const findPackRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.get( { - path: '/internal/osquery/pack', + path: '/internal/osquery/packs', validate: { - query: schema.object({}, { unknowns: 'allow' }), + query: schema.object( + { + pageIndex: schema.maybe(schema.string()), + pageSize: schema.maybe(schema.number()), + sortField: schema.maybe(schema.string()), + sortOrder: schema.maybe(schema.string()), + }, + { unknowns: 'allow' } + ), }, + options: { tags: [`access:${PLUGIN_ID}-readPacks`] }, }, async (context, request, response) => { const savedObjectsClient = context.core.savedObjects.client; @@ -25,77 +38,30 @@ export const findPackRoute = (router: IRouter) => { const soClientResponse = await savedObjectsClient.find<{ name: string; description: string; - queries: Array<{ name: string; interval: string }>; + queries: Array<{ name: string; interval: number }>; + policy_ids: string[]; }>({ type: packSavedObjectType, - // @ts-expect-error update types - page: parseInt(request.query.pageIndex ?? 0, 10) + 1, - // @ts-expect-error update types + page: parseInt(request.query.pageIndex ?? '0', 10) + 1, perPage: request.query.pageSize ?? 20, - // @ts-expect-error update types sortField: request.query.sortField ?? 'updated_at', // @ts-expect-error update types - sortOrder: request.query.sortDirection ?? 'desc', + sortOrder: request.query.sortOrder ?? 'desc', }); - const packs = soClientResponse.saved_objects.map(({ attributes, references, ...rest }) => ({ - ...rest, - ...attributes, - queries: - attributes.queries?.map((packQuery) => { - const queryReference = find(['name', packQuery.name], references); + soClientResponse.saved_objects.map((pack) => { + const policyIds = map( + filter(pack.references, ['type', AGENT_POLICY_SAVED_OBJECT_TYPE]), + 'id' + ); - if (queryReference) { - return { - ...packQuery, - id: queryReference?.id, - }; - } - - return packQuery; - }) ?? [], - })); - - const savedQueriesIds = uniq( // @ts-expect-error update types - packs.reduce((acc, savedQuery) => [...acc, ...map('id', savedQuery.queries)], []) - ); - - const { saved_objects: savedQueries } = await savedObjectsClient.bulkGet( - savedQueriesIds.map((queryId) => ({ - type: savedQuerySavedObjectType, - id: queryId, - })) - ); - - const packsWithSavedQueriesQueries = packs.map((pack) => ({ - ...pack, - // @ts-expect-error update types - queries: pack.queries.reduce((acc, packQuery) => { - // @ts-expect-error update types - const savedQuerySO = find(['id', packQuery.id], savedQueries); - - // @ts-expect-error update types - if (savedQuerySO?.attributes?.query) { - return [ - ...acc, - { - ...packQuery, - // @ts-expect-error update types - query: find(['id', packQuery.id], savedQueries).attributes.query, - }, - ]; - } - - return acc; - }, []), - })); + pack.policy_ids = policyIds; + return pack; + }); return response.ok({ - body: { - ...soClientResponse, - saved_objects: packsWithSavedQueriesQueries, - }, + body: soClientResponse, }); } ); diff --git a/x-pack/plugins/osquery/server/routes/pack/index.ts b/x-pack/plugins/osquery/server/routes/pack/index.ts index 6df7ce6c71f70..7e7d338de2358 100644 --- a/x-pack/plugins/osquery/server/routes/pack/index.ts +++ b/x-pack/plugins/osquery/server/routes/pack/index.ts @@ -6,6 +6,7 @@ */ import { IRouter } from '../../../../../../src/core/server'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; import { createPackRoute } from './create_pack_route'; import { deletePackRoute } from './delete_pack_route'; @@ -13,10 +14,10 @@ import { findPackRoute } from './find_pack_route'; import { readPackRoute } from './read_pack_route'; import { updatePackRoute } from './update_pack_route'; -export const initPackRoutes = (router: IRouter) => { - createPackRoute(router); - deletePackRoute(router); - findPackRoute(router); - readPackRoute(router); - updatePackRoute(router); +export const initPackRoutes = (router: IRouter, context: OsqueryAppContext) => { + createPackRoute(router, context); + deletePackRoute(router, context); + findPackRoute(router, context); + readPackRoute(router, context); + updatePackRoute(router, context); }; diff --git a/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts b/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts index 82cc44dc39487..066938603a2d6 100644 --- a/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts +++ b/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts @@ -5,19 +5,27 @@ * 2.0. */ -import { find, map } from 'lodash/fp'; +import { filter, map } from 'lodash'; import { schema } from '@kbn/config-schema'; +import { PLUGIN_ID } from '../../../common'; +import { AGENT_POLICY_SAVED_OBJECT_TYPE } from '../../../../fleet/common'; import { IRouter } from '../../../../../../src/core/server'; -import { savedQuerySavedObjectType, packSavedObjectType } from '../../../common/types'; +import { packSavedObjectType } from '../../../common/types'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; +import { convertSOQueriesToPack } from './utils'; -export const readPackRoute = (router: IRouter) => { +// eslint-disable-next-line @typescript-eslint/no-unused-vars +export const readPackRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.get( { - path: '/internal/osquery/pack/{id}', + path: '/internal/osquery/packs/{id}', validate: { - params: schema.object({}, { unknowns: 'allow' }), + params: schema.object({ + id: schema.string(), + }), }, + options: { tags: [`access:${PLUGIN_ID}-readPacks`] }, }, async (context, request, response) => { const savedObjectsClient = context.core.savedObjects.client; @@ -25,60 +33,22 @@ export const readPackRoute = (router: IRouter) => { const { attributes, references, ...rest } = await savedObjectsClient.get<{ name: string; description: string; - queries: Array<{ name: string; interval: string }>; - }>( - packSavedObjectType, - // @ts-expect-error update types - request.params.id - ); + queries: Array<{ + id: string; + name: string; + interval: number; + ecs_mapping: Record; + }>; + }>(packSavedObjectType, request.params.id); - const queries = - attributes.queries?.map((packQuery) => { - const queryReference = find(['name', packQuery.name], references); - - if (queryReference) { - return { - ...packQuery, - id: queryReference?.id, - }; - } - - return packQuery; - }) ?? []; - - const queriesIds = map('id', queries); - - const { saved_objects: savedQueries } = await savedObjectsClient.bulkGet<{}>( - queriesIds.map((queryId) => ({ - type: savedQuerySavedObjectType, - id: queryId, - })) - ); - - // @ts-expect-error update types - const queriesWithQueries = queries.reduce((acc, query) => { - // @ts-expect-error update types - const querySavedObject = find(['id', query.id], savedQueries); - // @ts-expect-error update types - if (querySavedObject?.attributes?.query) { - return [ - ...acc, - { - ...query, - // @ts-expect-error update types - query: querySavedObject.attributes.query, - }, - ]; - } - - return acc; - }, []); + const policyIds = map(filter(references, ['type', AGENT_POLICY_SAVED_OBJECT_TYPE]), 'id'); return response.ok({ body: { ...rest, ...attributes, - queries: queriesWithQueries, + queries: convertSOQueriesToPack(attributes.queries), + policy_ids: policyIds, }, }); } diff --git a/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts b/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts index edf0cfc2f2f0c..1abdec17a922b 100644 --- a/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts +++ b/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts @@ -5,59 +5,295 @@ * 2.0. */ +import moment from 'moment-timezone'; +import { set, unset, has, difference, filter, find, map, mapKeys, pickBy, uniq } from 'lodash'; import { schema } from '@kbn/config-schema'; - +import { produce } from 'immer'; +import { + AGENT_POLICY_SAVED_OBJECT_TYPE, + PACKAGE_POLICY_SAVED_OBJECT_TYPE, + PackagePolicy, +} from '../../../../fleet/common'; import { IRouter } from '../../../../../../src/core/server'; -import { packSavedObjectType, savedQuerySavedObjectType } from '../../../common/types'; -export const updatePackRoute = (router: IRouter) => { +import { OSQUERY_INTEGRATION_NAME } from '../../../common'; +import { packSavedObjectType } from '../../../common/types'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; +import { PLUGIN_ID } from '../../../common'; +import { convertSOQueriesToPack, convertPackQueriesToSO } from './utils'; + +export const updatePackRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.put( { - path: '/internal/osquery/pack/{id}', + path: '/internal/osquery/packs/{id}', validate: { - params: schema.object({}, { unknowns: 'allow' }), - body: schema.object({}, { unknowns: 'allow' }), + params: schema.object( + { + id: schema.string(), + }, + { unknowns: 'allow' } + ), + body: schema.object( + { + name: schema.maybe(schema.string()), + description: schema.maybe(schema.string()), + enabled: schema.maybe(schema.boolean()), + policy_ids: schema.maybe(schema.arrayOf(schema.string())), + queries: schema.maybe( + schema.recordOf( + schema.string(), + schema.object({ + query: schema.string(), + interval: schema.maybe(schema.number()), + platform: schema.maybe(schema.string()), + version: schema.maybe(schema.string()), + ecs_mapping: schema.maybe( + schema.recordOf( + schema.string(), + schema.object({ + field: schema.string(), + }) + ) + ), + }) + ) + ), + }, + { unknowns: 'allow' } + ), }, + options: { tags: [`access:${PLUGIN_ID}-writePacks`] }, }, async (context, request, response) => { + const esClient = context.core.elasticsearch.client.asCurrentUser; const savedObjectsClient = context.core.savedObjects.client; + const agentPolicyService = osqueryContext.service.getAgentPolicyService(); + const packagePolicyService = osqueryContext.service.getPackagePolicyService(); + const currentUser = await osqueryContext.security.authc.getCurrentUser(request)?.username; + + // eslint-disable-next-line @typescript-eslint/naming-convention + const { name, description, queries, enabled, policy_ids } = request.body; + + const currentPackSO = await savedObjectsClient.get<{ name: string; enabled: boolean }>( + packSavedObjectType, + request.params.id + ); + + if (name) { + const conflictingEntries = await savedObjectsClient.find({ + type: packSavedObjectType, + search: name, + searchFields: ['name'], + }); - // @ts-expect-error update types - const { name, description, queries } = request.body; + if ( + filter(conflictingEntries.saved_objects, (packSO) => packSO.id !== currentPackSO.id) + .length + ) { + return response.conflict({ body: `Pack with name "${name}" already exists.` }); + } + } - // @ts-expect-error update types - const updatedReferences = queries.map((savedQuery) => ({ - type: savedQuerySavedObjectType, - id: savedQuery.id, - name: savedQuery.name, - })); + const { items: packagePolicies } = (await packagePolicyService?.list(savedObjectsClient, { + kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:${OSQUERY_INTEGRATION_NAME}`, + perPage: 1000, + page: 1, + })) ?? { items: [] }; + const currentPackagePolicies = filter(packagePolicies, (packagePolicy) => + has(packagePolicy, `inputs[0].config.osquery.value.packs.${currentPackSO.attributes.name}`) + ); + const agentPolicies = policy_ids + ? mapKeys(await agentPolicyService?.getByIds(savedObjectsClient, policy_ids), 'id') + : {}; + const agentPolicyIds = Object.keys(agentPolicies); - // eslint-disable-next-line @typescript-eslint/no-unused-vars - const { attributes, references, ...restSO } = await savedObjectsClient.update( + await savedObjectsClient.update( packSavedObjectType, - // @ts-expect-error update types request.params.id, { - name, - description, - // @ts-expect-error update types - // eslint-disable-next-line @typescript-eslint/no-unused-vars - queries: queries.map(({ id, query, ...rest }) => rest), + enabled, + ...pickBy({ + name, + description, + queries: queries && convertPackQueriesToSO(queries), + updated_at: moment().toISOString(), + updated_by: currentUser, + }), }, - { - references: updatedReferences, - } + policy_ids + ? { + refresh: 'wait_for', + references: policy_ids.map((id) => ({ + id, + name: agentPolicies[id].name, + type: AGENT_POLICY_SAVED_OBJECT_TYPE, + })), + } + : { + refresh: 'wait_for', + } ); - return response.ok({ - body: { - ...restSO, - ...attributes, - // @ts-expect-error update types - // eslint-disable-next-line @typescript-eslint/no-unused-vars - queries: queries.map(({ id, ...rest }) => rest), - }, - }); + const currentAgentPolicyIds = map( + filter(currentPackSO.references, ['type', AGENT_POLICY_SAVED_OBJECT_TYPE]), + 'id' + ); + + const updatedPackSO = await savedObjectsClient.get<{ + name: string; + enabled: boolean; + queries: Record; + }>(packSavedObjectType, request.params.id); + + updatedPackSO.attributes.queries = convertSOQueriesToPack(updatedPackSO.attributes.queries); + + if (enabled == null && !currentPackSO.attributes.enabled) { + return response.ok({ body: updatedPackSO }); + } + + if (enabled != null && enabled !== currentPackSO.attributes.enabled) { + if (enabled) { + const policyIds = policy_ids ? agentPolicyIds : currentAgentPolicyIds; + + await Promise.all( + policyIds.map((agentPolicyId) => { + const packagePolicy = find(packagePolicies, ['policy_id', agentPolicyId]); + + if (packagePolicy) { + return packagePolicyService?.update( + savedObjectsClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + if (!has(draft, 'inputs[0].streams')) { + set(draft, 'inputs[0].streams', []); + } + set( + draft, + `inputs[0].config.osquery.value.packs.${updatedPackSO.attributes.name}`, + { + queries: updatedPackSO.attributes.queries, + } + ); + return draft; + }) + ); + } + }) + ); + } else { + await Promise.all( + currentAgentPolicyIds.map((agentPolicyId) => { + const packagePolicy = find(currentPackagePolicies, ['policy_id', agentPolicyId]); + if (!packagePolicy) return; + + return packagePolicyService?.update( + savedObjectsClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + unset( + draft, + `inputs[0].config.osquery.value.packs.${currentPackSO.attributes.name}` + ); + return draft; + }) + ); + }) + ); + } + } else { + const agentPolicyIdsToRemove = uniq(difference(currentAgentPolicyIds, agentPolicyIds)); + const agentPolicyIdsToUpdate = uniq( + difference(currentAgentPolicyIds, agentPolicyIdsToRemove) + ); + const agentPolicyIdsToAdd = uniq(difference(agentPolicyIds, currentAgentPolicyIds)); + + await Promise.all( + agentPolicyIdsToRemove.map((agentPolicyId) => { + const packagePolicy = find(currentPackagePolicies, ['policy_id', agentPolicyId]); + if (packagePolicy) { + return packagePolicyService?.update( + savedObjectsClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + unset( + draft, + `inputs[0].config.osquery.value.packs.${currentPackSO.attributes.name}` + ); + return draft; + }) + ); + } + }) + ); + + await Promise.all( + agentPolicyIdsToUpdate.map((agentPolicyId) => { + const packagePolicy = find(packagePolicies, ['policy_id', agentPolicyId]); + + if (packagePolicy) { + return packagePolicyService?.update( + savedObjectsClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + if (updatedPackSO.attributes.name !== currentPackSO.attributes.name) { + unset( + draft, + `inputs[0].config.osquery.value.packs.${currentPackSO.attributes.name}` + ); + } + + set( + draft, + `inputs[0].config.osquery.value.packs.${updatedPackSO.attributes.name}`, + { + queries: updatedPackSO.attributes.queries, + } + ); + return draft; + }) + ); + } + }) + ); + + await Promise.all( + agentPolicyIdsToAdd.map((agentPolicyId) => { + const packagePolicy = find(packagePolicies, ['policy_id', agentPolicyId]); + + if (packagePolicy) { + return packagePolicyService?.update( + savedObjectsClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + if (!(draft.inputs.length && draft.inputs[0].streams.length)) { + set(draft, 'inputs[0].streams', []); + } + set( + draft, + `inputs[0].config.osquery.value.packs.${updatedPackSO.attributes.name}`, + { + queries: updatedPackSO.attributes.queries, + } + ); + return draft; + }) + ); + } + }) + ); + } + + return response.ok({ body: updatedPackSO }); } ); }; diff --git a/x-pack/plugins/osquery/server/routes/pack/utils.ts b/x-pack/plugins/osquery/server/routes/pack/utils.ts new file mode 100644 index 0000000000000..004ba7c6d2700 --- /dev/null +++ b/x-pack/plugins/osquery/server/routes/pack/utils.ts @@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { pick, reduce } from 'lodash'; +import { convertECSMappingToArray, convertECSMappingToObject } from '../utils'; + +// @ts-expect-error update types +export const convertPackQueriesToSO = (queries) => + reduce( + queries, + (acc, value, key) => { + const ecsMapping = value.ecs_mapping && convertECSMappingToArray(value.ecs_mapping); + acc.push({ + id: key, + ...pick(value, ['query', 'interval', 'platform', 'version']), + ...(ecsMapping ? { ecs_mapping: ecsMapping } : {}), + }); + return acc; + }, + // eslint-disable-next-line @typescript-eslint/no-explicit-any + [] as Array> + ); + +// @ts-expect-error update types +export const convertSOQueriesToPack = (queries) => + reduce( + queries, + // eslint-disable-next-line @typescript-eslint/naming-convention + (acc, { id: queryId, ecs_mapping, ...query }) => { + acc[queryId] = { + ...query, + ecs_mapping: convertECSMappingToObject(ecs_mapping), + }; + return acc; + }, + // eslint-disable-next-line @typescript-eslint/no-explicit-any + {} as Record + ); diff --git a/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts index fe8220c559de8..5c65ebf1a701e 100644 --- a/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts +++ b/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { pickBy } from 'lodash'; import { IRouter } from '../../../../../../src/core/server'; import { PLUGIN_ID } from '../../../common'; import { @@ -13,8 +14,10 @@ import { } from '../../../common/schemas/routes/saved_query/create_saved_query_request_schema'; import { savedQuerySavedObjectType } from '../../../common/types'; import { buildRouteValidation } from '../../utils/build_validation/route_validation'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; +import { convertECSMappingToArray } from '../utils'; -export const createSavedQueryRoute = (router: IRouter) => { +export const createSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.post( { path: '/internal/osquery/saved_query', @@ -29,19 +32,43 @@ export const createSavedQueryRoute = (router: IRouter) => { async (context, request, response) => { const savedObjectsClient = context.core.savedObjects.client; - const { id, description, platform, query, version, interval } = request.body; + // eslint-disable-next-line @typescript-eslint/naming-convention + const { id, description, platform, query, version, interval, ecs_mapping } = request.body; - const savedQuerySO = await savedObjectsClient.create(savedQuerySavedObjectType, { - id, - description, - query, - platform, - version, - interval, + const currentUser = await osqueryContext.security.authc.getCurrentUser(request)?.username; + + const conflictingEntries = await savedObjectsClient.find({ + type: savedQuerySavedObjectType, + search: id, + searchFields: ['id'], }); + if (conflictingEntries.saved_objects.length) { + return response.conflict({ body: `Saved query with id "${id}" already exists.` }); + } + + const savedQuerySO = await savedObjectsClient.create( + savedQuerySavedObjectType, + pickBy({ + id, + description, + query, + platform, + version, + interval, + ecs_mapping: convertECSMappingToArray(ecs_mapping), + created_by: currentUser, + created_at: new Date().toISOString(), + updated_by: currentUser, + updated_at: new Date().toISOString(), + }) + ); + return response.ok({ - body: savedQuerySO, + body: pickBy({ + ...savedQuerySO, + ecs_mapping, + }), }); } ); diff --git a/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts index a34db8c11ddc3..6c36d965d2314 100644 --- a/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts +++ b/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts @@ -13,30 +13,23 @@ import { savedQuerySavedObjectType } from '../../../common/types'; export const deleteSavedQueryRoute = (router: IRouter) => { router.delete( { - path: '/internal/osquery/saved_query', + path: '/internal/osquery/saved_query/{id}', validate: { - body: schema.object({}, { unknowns: 'allow' }), + params: schema.object({ + id: schema.string(), + }), }, options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] }, }, async (context, request, response) => { const savedObjectsClient = context.core.savedObjects.client; - // @ts-expect-error update types - const { savedQueryIds } = request.body; - - await Promise.all( - savedQueryIds.map( - // @ts-expect-error update types - async (savedQueryId) => - await savedObjectsClient.delete(savedQuerySavedObjectType, savedQueryId, { - refresh: 'wait_for', - }) - ) - ); + await savedObjectsClient.delete(savedQuerySavedObjectType, request.params.id, { + refresh: 'wait_for', + }); return response.ok({ - body: savedQueryIds, + body: {}, }); } ); diff --git a/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts index 79d6927d06722..e6ce8b0f768cc 100644 --- a/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts +++ b/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts @@ -9,33 +9,56 @@ import { schema } from '@kbn/config-schema'; import { PLUGIN_ID } from '../../../common'; import { IRouter } from '../../../../../../src/core/server'; import { savedQuerySavedObjectType } from '../../../common/types'; +import { convertECSMappingToObject } from '../utils'; export const findSavedQueryRoute = (router: IRouter) => { router.get( { path: '/internal/osquery/saved_query', validate: { - query: schema.object({}, { unknowns: 'allow' }), + query: schema.object( + { + pageIndex: schema.maybe(schema.string()), + pageSize: schema.maybe(schema.number()), + sortField: schema.maybe(schema.string()), + sortOrder: schema.maybe(schema.string()), + }, + { unknowns: 'allow' } + ), }, options: { tags: [`access:${PLUGIN_ID}-readSavedQueries`] }, }, async (context, request, response) => { const savedObjectsClient = context.core.savedObjects.client; - const savedQueries = await savedObjectsClient.find({ + const savedQueries = await savedObjectsClient.find<{ + ecs_mapping: Array<{ field: string; value: string }>; + }>({ type: savedQuerySavedObjectType, - // @ts-expect-error update types - page: parseInt(request.query.pageIndex, 10) + 1, - // @ts-expect-error update types + page: parseInt(request.query.pageIndex ?? '0', 10) + 1, perPage: request.query.pageSize, - // @ts-expect-error update types sortField: request.query.sortField, // @ts-expect-error update types - sortOrder: request.query.sortDirection, + sortOrder: request.query.sortDirection ?? 'desc', + }); + + const savedObjects = savedQueries.saved_objects.map((savedObject) => { + // eslint-disable-next-line @typescript-eslint/naming-convention + const ecs_mapping = savedObject.attributes.ecs_mapping; + + if (ecs_mapping) { + // @ts-expect-error update types + savedObject.attributes.ecs_mapping = convertECSMappingToObject(ecs_mapping); + } + + return savedObject; }); return response.ok({ - body: savedQueries, + body: { + ...savedQueries, + saved_objects: savedObjects, + }, }); } ); diff --git a/x-pack/plugins/osquery/server/routes/saved_query/index.ts b/x-pack/plugins/osquery/server/routes/saved_query/index.ts index fa905c37387dd..1a8c43599b261 100644 --- a/x-pack/plugins/osquery/server/routes/saved_query/index.ts +++ b/x-pack/plugins/osquery/server/routes/saved_query/index.ts @@ -12,11 +12,12 @@ import { deleteSavedQueryRoute } from './delete_saved_query_route'; import { findSavedQueryRoute } from './find_saved_query_route'; import { readSavedQueryRoute } from './read_saved_query_route'; import { updateSavedQueryRoute } from './update_saved_query_route'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; -export const initSavedQueryRoutes = (router: IRouter) => { - createSavedQueryRoute(router); +export const initSavedQueryRoutes = (router: IRouter, context: OsqueryAppContext) => { + createSavedQueryRoute(router, context); deleteSavedQueryRoute(router); findSavedQueryRoute(router); readSavedQueryRoute(router); - updateSavedQueryRoute(router); + updateSavedQueryRoute(router, context); }; diff --git a/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts index 4157ed1582305..3308a8023dd9e 100644 --- a/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts +++ b/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts @@ -9,24 +9,32 @@ import { schema } from '@kbn/config-schema'; import { PLUGIN_ID } from '../../../common'; import { IRouter } from '../../../../../../src/core/server'; import { savedQuerySavedObjectType } from '../../../common/types'; +import { convertECSMappingToObject } from '../utils'; export const readSavedQueryRoute = (router: IRouter) => { router.get( { path: '/internal/osquery/saved_query/{id}', validate: { - params: schema.object({}, { unknowns: 'allow' }), + params: schema.object({ + id: schema.string(), + }), }, options: { tags: [`access:${PLUGIN_ID}-readSavedQueries`] }, }, async (context, request, response) => { const savedObjectsClient = context.core.savedObjects.client; - const savedQuery = await savedObjectsClient.get( - savedQuerySavedObjectType, + const savedQuery = await savedObjectsClient.get<{ + ecs_mapping: Array<{ field: string; value: string }>; + }>(savedQuerySavedObjectType, request.params.id); + + if (savedQuery.attributes.ecs_mapping) { // @ts-expect-error update types - request.params.id - ); + savedQuery.attributes.ecs_mapping = convertECSMappingToObject( + savedQuery.attributes.ecs_mapping + ); + } return response.ok({ body: savedQuery, diff --git a/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts index 8edf95e311543..c0148087ee8c9 100644 --- a/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts +++ b/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts @@ -5,43 +5,104 @@ * 2.0. */ +import { filter, pickBy } from 'lodash'; import { schema } from '@kbn/config-schema'; + import { PLUGIN_ID } from '../../../common'; import { IRouter } from '../../../../../../src/core/server'; import { savedQuerySavedObjectType } from '../../../common/types'; +import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; +import { convertECSMappingToArray, convertECSMappingToObject } from '../utils'; -export const updateSavedQueryRoute = (router: IRouter) => { +export const updateSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.put( { path: '/internal/osquery/saved_query/{id}', validate: { - params: schema.object({}, { unknowns: 'allow' }), - body: schema.object({}, { unknowns: 'allow' }), + params: schema.object({ + id: schema.string(), + }), + body: schema.object( + { + id: schema.string(), + query: schema.string(), + description: schema.maybe(schema.string()), + interval: schema.maybe(schema.number()), + platform: schema.maybe(schema.string()), + version: schema.maybe(schema.string()), + ecs_mapping: schema.maybe( + schema.recordOf( + schema.string(), + schema.object({ + field: schema.string(), + }) + ) + ), + }, + { unknowns: 'allow' } + ), }, options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] }, }, async (context, request, response) => { const savedObjectsClient = context.core.savedObjects.client; + const currentUser = await osqueryContext.security.authc.getCurrentUser(request)?.username; + + const { + id, + description, + platform, + query, + version, + interval, + // eslint-disable-next-line @typescript-eslint/naming-convention + ecs_mapping, + } = request.body; - // @ts-expect-error update types - const { id, description, platform, query, version, interval } = request.body; + const conflictingEntries = await savedObjectsClient.find<{ id: string }>({ + type: savedQuerySavedObjectType, + search: id, + searchFields: ['id'], + }); - const savedQuerySO = await savedObjectsClient.update( + if ( + filter(conflictingEntries.saved_objects, (soObject) => soObject.id !== request.params.id) + .length + ) { + return response.conflict({ body: `Saved query with id "${id}" already exists.` }); + } + + const updatedSavedQuerySO = await savedObjectsClient.update( savedQuerySavedObjectType, - // @ts-expect-error update types request.params.id, - { + pickBy({ id, description, platform, query, version, interval, + ecs_mapping: convertECSMappingToArray(ecs_mapping), + updated_by: currentUser, + updated_at: new Date().toISOString(), + }), + { + refresh: 'wait_for', } ); + if (ecs_mapping || updatedSavedQuerySO.attributes.ecs_mapping) { + // @ts-expect-error update types + updatedSavedQuerySO.attributes.ecs_mapping = + ecs_mapping || + (updatedSavedQuerySO.attributes.ecs_mapping && + // @ts-expect-error update types + convertECSMappingToObject(updatedSavedQuerySO.attributes.ecs_mapping)) || + {}; + } + return response.ok({ - body: savedQuerySO, + body: updatedSavedQuerySO, }); } ); diff --git a/x-pack/plugins/osquery/server/routes/scheduled_query_group/create_scheduled_query_route.ts b/x-pack/plugins/osquery/server/routes/scheduled_query_group/create_scheduled_query_route.ts deleted file mode 100644 index 831fb30f6e320..0000000000000 --- a/x-pack/plugins/osquery/server/routes/scheduled_query_group/create_scheduled_query_route.ts +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { schema } from '@kbn/config-schema'; -import { PLUGIN_ID } from '../../../common'; -import { IRouter } from '../../../../../../src/core/server'; -import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; - -export const createScheduledQueryRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { - router.post( - { - path: '/internal/osquery/scheduled_query_group', - validate: { - body: schema.object({}, { unknowns: 'allow' }), - }, - options: { tags: [`access:${PLUGIN_ID}-writePacks`] }, - }, - async (context, request, response) => { - const esClient = context.core.elasticsearch.client.asCurrentUser; - const savedObjectsClient = context.core.savedObjects.client; - const packagePolicyService = osqueryContext.service.getPackagePolicyService(); - const integration = await packagePolicyService?.create( - savedObjectsClient, - esClient, - // @ts-expect-error update types - request.body - ); - - return response.ok({ - body: integration, - }); - } - ); -}; diff --git a/x-pack/plugins/osquery/server/routes/scheduled_query_group/delete_scheduled_query_route.ts b/x-pack/plugins/osquery/server/routes/scheduled_query_group/delete_scheduled_query_route.ts deleted file mode 100644 index c914512bb155e..0000000000000 --- a/x-pack/plugins/osquery/server/routes/scheduled_query_group/delete_scheduled_query_route.ts +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { schema } from '@kbn/config-schema'; -import { PLUGIN_ID } from '../../../common'; -import { IRouter } from '../../../../../../src/core/server'; -import { savedQuerySavedObjectType } from '../../../common/types'; - -export const deleteSavedQueryRoute = (router: IRouter) => { - router.delete( - { - path: '/internal/osquery/scheduled_query_group', - validate: { - body: schema.object({}, { unknowns: 'allow' }), - }, - options: { tags: [`access:${PLUGIN_ID}-writePacks`] }, - }, - async (context, request, response) => { - const savedObjectsClient = context.core.savedObjects.client; - - // @ts-expect-error update types - const { savedQueryIds } = request.body; - - await Promise.all( - savedQueryIds.map( - // @ts-expect-error update types - async (savedQueryId) => - await savedObjectsClient.delete(savedQuerySavedObjectType, savedQueryId, { - refresh: 'wait_for', - }) - ) - ); - - return response.ok({ - body: savedQueryIds, - }); - } - ); -}; diff --git a/x-pack/plugins/osquery/server/routes/scheduled_query_group/find_scheduled_query_group_route.ts b/x-pack/plugins/osquery/server/routes/scheduled_query_group/find_scheduled_query_group_route.ts deleted file mode 100644 index 15c45e09b1bfd..0000000000000 --- a/x-pack/plugins/osquery/server/routes/scheduled_query_group/find_scheduled_query_group_route.ts +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { schema } from '@kbn/config-schema'; -import { PLUGIN_ID, OSQUERY_INTEGRATION_NAME } from '../../../common'; -import { IRouter } from '../../../../../../src/core/server'; -import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../fleet/common'; -import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; - -export const findScheduledQueryGroupRoute = ( - router: IRouter, - osqueryContext: OsqueryAppContext -) => { - router.get( - { - path: '/internal/osquery/scheduled_query_group', - validate: { - query: schema.object({}, { unknowns: 'allow' }), - }, - options: { tags: [`access:${PLUGIN_ID}-readPacks`] }, - }, - async (context, request, response) => { - const kuery = `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.attributes.package.name: ${OSQUERY_INTEGRATION_NAME}`; - const packagePolicyService = osqueryContext.service.getPackagePolicyService(); - const policies = await packagePolicyService?.list(context.core.savedObjects.client, { - kuery, - }); - - return response.ok({ - body: policies, - }); - } - ); -}; diff --git a/x-pack/plugins/osquery/server/routes/scheduled_query_group/index.ts b/x-pack/plugins/osquery/server/routes/scheduled_query_group/index.ts deleted file mode 100644 index 416981a5cb5f2..0000000000000 --- a/x-pack/plugins/osquery/server/routes/scheduled_query_group/index.ts +++ /dev/null @@ -1,23 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { IRouter } from '../../../../../../src/core/server'; - -import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; -// import { createScheduledQueryRoute } from './create_scheduled_query_route'; -// import { deleteScheduledQueryRoute } from './delete_scheduled_query_route'; -import { findScheduledQueryGroupRoute } from './find_scheduled_query_group_route'; -import { readScheduledQueryGroupRoute } from './read_scheduled_query_group_route'; -// import { updateScheduledQueryRoute } from './update_scheduled_query_route'; - -export const initScheduledQueryGroupRoutes = (router: IRouter, context: OsqueryAppContext) => { - // createScheduledQueryRoute(router); - // deleteScheduledQueryRoute(router); - findScheduledQueryGroupRoute(router, context); - readScheduledQueryGroupRoute(router, context); - // updateScheduledQueryRoute(router); -}; diff --git a/x-pack/plugins/osquery/server/routes/scheduled_query_group/read_scheduled_query_group_route.ts b/x-pack/plugins/osquery/server/routes/scheduled_query_group/read_scheduled_query_group_route.ts deleted file mode 100644 index de8125aab5b29..0000000000000 --- a/x-pack/plugins/osquery/server/routes/scheduled_query_group/read_scheduled_query_group_route.ts +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { schema } from '@kbn/config-schema'; -import { PLUGIN_ID } from '../../../common'; -import { IRouter } from '../../../../../../src/core/server'; -import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; - -export const readScheduledQueryGroupRoute = ( - router: IRouter, - osqueryContext: OsqueryAppContext -) => { - router.get( - { - path: '/internal/osquery/scheduled_query_group/{id}', - validate: { - params: schema.object({}, { unknowns: 'allow' }), - }, - options: { tags: [`access:${PLUGIN_ID}-readPacks`] }, - }, - async (context, request, response) => { - const savedObjectsClient = context.core.savedObjects.client; - const packagePolicyService = osqueryContext.service.getPackagePolicyService(); - - const scheduledQueryGroup = await packagePolicyService?.get( - savedObjectsClient, - // @ts-expect-error update types - request.params.id - ); - - return response.ok({ - body: { item: scheduledQueryGroup }, - }); - } - ); -}; diff --git a/x-pack/plugins/osquery/server/routes/scheduled_query_group/update_scheduled_query_route.ts b/x-pack/plugins/osquery/server/routes/scheduled_query_group/update_scheduled_query_route.ts deleted file mode 100644 index 2a6e7a33fcddd..0000000000000 --- a/x-pack/plugins/osquery/server/routes/scheduled_query_group/update_scheduled_query_route.ts +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { schema } from '@kbn/config-schema'; -import { PLUGIN_ID } from '../../../common'; -import { IRouter } from '../../../../../../src/core/server'; -import { savedQuerySavedObjectType } from '../../../common/types'; - -export const updateSavedQueryRoute = (router: IRouter) => { - router.put( - { - path: '/internal/osquery/saved_query/{id}', - validate: { - params: schema.object({}, { unknowns: 'allow' }), - body: schema.object({}, { unknowns: 'allow' }), - }, - options: { tags: [`access:${PLUGIN_ID}-writePacks`] }, - }, - async (context, request, response) => { - const savedObjectsClient = context.core.savedObjects.client; - - // @ts-expect-error update types - const { name, description, query } = request.body; - - const savedQuerySO = await savedObjectsClient.update( - savedQuerySavedObjectType, - // @ts-expect-error update types - request.params.id, - { - name, - description, - query, - } - ); - - return response.ok({ - body: savedQuerySO, - }); - } - ); -}; diff --git a/x-pack/plugins/osquery/server/routes/status/create_status_route.ts b/x-pack/plugins/osquery/server/routes/status/create_status_route.ts index 0a527424f9f42..aa4e3cb36b4c9 100644 --- a/x-pack/plugins/osquery/server/routes/status/create_status_route.ts +++ b/x-pack/plugins/osquery/server/routes/status/create_status_route.ts @@ -5,9 +5,18 @@ * 2.0. */ +import { produce } from 'immer'; +import { satisfies } from 'semver'; +import { filter, reduce, mapKeys, each, set, unset, uniq, map, has } from 'lodash'; +import { packSavedObjectType } from '../../../common/types'; +import { + PACKAGE_POLICY_SAVED_OBJECT_TYPE, + AGENT_POLICY_SAVED_OBJECT_TYPE, +} from '../../../../fleet/common'; import { PLUGIN_ID, OSQUERY_INTEGRATION_NAME } from '../../../common'; import { IRouter } from '../../../../../../src/core/server'; import { OsqueryAppContext } from '../../lib/osquery_app_context_services'; +import { convertPackQueriesToSO } from '../pack/utils'; export const createStatusRoute = (router: IRouter, osqueryContext: OsqueryAppContext) => { router.get( @@ -17,12 +26,171 @@ export const createStatusRoute = (router: IRouter, osqueryContext: OsqueryAppCon options: { tags: [`access:${PLUGIN_ID}-read`] }, }, async (context, request, response) => { + const esClient = context.core.elasticsearch.client.asInternalUser; const soClient = context.core.savedObjects.client; + const packageService = osqueryContext.service.getPackageService(); + const packagePolicyService = osqueryContext.service.getPackagePolicyService(); + const agentPolicyService = osqueryContext.service.getAgentPolicyService(); const packageInfo = await osqueryContext.service .getPackageService() ?.getInstallation({ savedObjectsClient: soClient, pkgName: OSQUERY_INTEGRATION_NAME }); + if (packageInfo?.install_version && satisfies(packageInfo?.install_version, '<0.6.0')) { + try { + const policyPackages = await packagePolicyService?.list(soClient, { + kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:${OSQUERY_INTEGRATION_NAME}`, + perPage: 10000, + page: 1, + }); + + const migrationObject = reduce( + policyPackages?.items, + (acc, policy) => { + if (acc.agentPolicyToPackage[policy.policy_id]) { + acc.packagePoliciesToDelete.push(policy.id); + } else { + acc.agentPolicyToPackage[policy.policy_id] = policy.id; + } + + const packagePolicyName = policy.name; + const currentOsqueryManagerNamePacksCount = filter( + Object.keys(acc.packs), + (packName) => packName.startsWith('osquery_manager') + ).length; + + const packName = packagePolicyName.startsWith('osquery_manager') + ? `osquery_manager-1_${currentOsqueryManagerNamePacksCount + 1}` + : packagePolicyName; + + if (has(policy, 'inputs[0].streams[0]')) { + if (!acc.packs[packName]) { + acc.packs[packName] = { + policy_ids: [policy.policy_id], + enabled: !packName.startsWith('osquery_manager'), + name: packName, + description: policy.description, + queries: reduce( + policy.inputs[0].streams, + (queries, stream) => { + if (stream.compiled_stream?.id) { + const { id: queryId, ...query } = stream.compiled_stream; + queries[queryId] = query; + } + return queries; + }, + {} as Record + ), + }; + } else { + // @ts-expect-error update types + acc.packs[packName].policy_ids.push(policy.policy_id); + } + } + + return acc; + }, + { + packs: {} as Record, + agentPolicyToPackage: {} as Record, + packagePoliciesToDelete: [] as string[], + } + ); + + await packageService?.ensureInstalledPackage({ + esClient, + savedObjectsClient: soClient, + pkgName: OSQUERY_INTEGRATION_NAME, + }); + + // updatePackagePolicies + await Promise.all( + map(migrationObject.agentPolicyToPackage, async (value, key) => { + const agentPacks = filter(migrationObject.packs, (pack) => + // @ts-expect-error update types + pack.policy_ids.includes(key) + ); + await packagePolicyService?.upgrade(soClient, esClient, [value]); + const packagePolicy = await packagePolicyService?.get(soClient, value); + + if (packagePolicy) { + return packagePolicyService?.update( + soClient, + esClient, + packagePolicy.id, + produce(packagePolicy, (draft) => { + unset(draft, 'id'); + + set(draft, 'name', 'osquery_manager-1'); + + set(draft, 'inputs[0]', { + enabled: true, + policy_template: 'osquery_manager', + streams: [], + type: 'osquery', + }); + + each(agentPacks, (agentPack) => { + // @ts-expect-error update types + set(draft, `inputs[0].config.osquery.value.packs.${agentPack.name}`, { + // @ts-expect-error update types + queries: agentPack.queries, + }); + }); + + return draft; + }) + ); + } + }) + ); + + const agentPolicyIds = uniq(map(policyPackages?.items, 'policy_id')); + const agentPolicies = mapKeys( + await agentPolicyService?.getByIds(soClient, agentPolicyIds), + 'id' + ); + + await Promise.all( + map(migrationObject.packs, async (packObject) => { + await soClient.create( + packSavedObjectType, + { + // @ts-expect-error update types + name: packObject.name, + // @ts-expect-error update types + description: packObject.description, + // @ts-expect-error update types + queries: convertPackQueriesToSO(packObject.queries), + // @ts-expect-error update types + enabled: packObject.enabled, + created_at: new Date().toISOString(), + created_by: 'system', + updated_at: new Date().toISOString(), + updated_by: 'system', + }, + { + // @ts-expect-error update types + references: packObject.policy_ids.map((policyId: string) => ({ + id: policyId, + name: agentPolicies[policyId].name, + type: AGENT_POLICY_SAVED_OBJECT_TYPE, + })), + refresh: 'wait_for', + } + ); + }) + ); + + await packagePolicyService?.delete( + soClient, + esClient, + migrationObject.packagePoliciesToDelete + ); + // eslint-disable-next-line no-empty + } catch (e) {} + } + return response.ok({ body: packageInfo }); } ); diff --git a/x-pack/plugins/osquery/server/routes/utils.ts b/x-pack/plugins/osquery/server/routes/utils.ts new file mode 100644 index 0000000000000..136cbc190e46c --- /dev/null +++ b/x-pack/plugins/osquery/server/routes/utils.ts @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { pick, reduce } from 'lodash'; + +export const convertECSMappingToArray = (ecsMapping: Record | undefined) => + ecsMapping + ? Object.entries(ecsMapping).map((item) => ({ + value: item[0], + ...item[1], + })) + : undefined; + +export const convertECSMappingToObject = (ecsMapping: Array<{ field: string; value: string }>) => + reduce( + ecsMapping, + (acc, value) => { + acc[value.value] = pick(value, 'field'); + return acc; + }, + {} as Record + ); diff --git a/x-pack/plugins/osquery/server/saved_objects.ts b/x-pack/plugins/osquery/server/saved_objects.ts index 9f93ea5ccd6de..27e7dd28ce664 100644 --- a/x-pack/plugins/osquery/server/saved_objects.ts +++ b/x-pack/plugins/osquery/server/saved_objects.ts @@ -22,10 +22,7 @@ export const initSavedObjects = ( const config = osqueryContext.config(); savedObjects.registerType(usageMetricType); - - if (config.savedQueries) { - savedObjects.registerType(savedQueryType); - } + savedObjects.registerType(savedQueryType); if (config.packs) { savedObjects.registerType(packType); diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/index.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/index.ts index a288d621350d4..057af159a5e3e 100644 --- a/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/index.ts +++ b/x-pack/plugins/osquery/server/search_strategy/osquery/factory/actions/details/index.ts @@ -17,9 +17,7 @@ import { OsqueryFactory } from '../../types'; import { buildActionDetailsQuery } from './query.action_details.dsl'; export const actionDetails: OsqueryFactory = { - buildDsl: (options: ActionDetailsRequestOptions) => { - return buildActionDetailsQuery(options); - }, + buildDsl: (options: ActionDetailsRequestOptions) => buildActionDetailsQuery(options), parse: async ( options: ActionDetailsRequestOptions, response: IEsSearchResponse diff --git a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts index 2fa9ee04ab534..6242d91b7b94b 100644 --- a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts +++ b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts @@ -48,14 +48,12 @@ export const osquerySearchStrategyProvider = ( deps ) .pipe( - map((response) => { - return { - ...response, - ...{ - rawResponse: shimHitsTotal(response.rawResponse), - }, - }; - }), + map((response) => ({ + ...response, + ...{ + rawResponse: shimHitsTotal(response.rawResponse), + }, + })), mergeMap((esSearchRes) => queryFactory.parse(request, esSearchRes)) ); }, diff --git a/x-pack/plugins/osquery/server/utils/build_validation/route_validation.ts b/x-pack/plugins/osquery/server/utils/build_validation/route_validation.ts index 9a7129ea0e176..a0c797193a0c3 100644 --- a/x-pack/plugins/osquery/server/utils/build_validation/route_validation.ts +++ b/x-pack/plugins/osquery/server/utils/build_validation/route_validation.ts @@ -8,8 +8,7 @@ import { fold } from 'fp-ts/lib/Either'; import { pipe } from 'fp-ts/lib/pipeable'; import * as rt from 'io-ts'; -import { formatErrors } from '../../../common/format_errors'; -import { exactCheck } from '../../../common/exact_check'; +import { formatErrors, exactCheck } from '@kbn/securitysolution-io-ts-utils'; import { RouteValidationFunction, RouteValidationResultFactory, diff --git a/x-pack/plugins/osquery/server/utils/runtime_types.ts b/x-pack/plugins/osquery/server/utils/runtime_types.ts index 8daf1ce4debef..492cbf07cdeb6 100644 --- a/x-pack/plugins/osquery/server/utils/runtime_types.ts +++ b/x-pack/plugins/osquery/server/utils/runtime_types.ts @@ -62,9 +62,10 @@ const getProps = ( return codec.props; case 'IntersectionType': { const iTypes = codec.types as rt.HasProps[]; - return iTypes.reduce((props, type) => { - return Object.assign(props, getProps(type) as rt.Props); - }, {} as rt.Props) as rt.Props; + return iTypes.reduce( + (props, type) => Object.assign(props, getProps(type) as rt.Props), + {} as rt.Props + ) as rt.Props; } default: return null; @@ -76,8 +77,8 @@ const getExcessProps = ( props: rt.Props | rt.RecordC, // eslint-disable-next-line @typescript-eslint/no-explicit-any r: any -): string[] => { - return Object.keys(r).reduce((acc, k) => { +): string[] => + Object.keys(r).reduce((acc, k) => { const codecChildren = get(props, [k]); const childrenProps = getProps(codecChildren); const childrenObject = r[k] as Record; @@ -98,7 +99,6 @@ const getExcessProps = ( } return acc; }, []); -}; export const excess = < C extends rt.InterfaceType | GenericIntersectionC | rt.PartialType diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts index 148390324c13f..14b1bf8dc22dd 100644 --- a/x-pack/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/plugins/security_solution/common/experimental_features.ts @@ -16,7 +16,7 @@ export const allowedExperimentalValues = Object.freeze({ ruleRegistryEnabled: false, tGridEnabled: true, tGridEventRenderedViewEnabled: true, - trustedAppsByPolicyEnabled: false, + trustedAppsByPolicyEnabled: true, excludePoliciesInFilterEnabled: false, uebaEnabled: false, disableIsolationUIPendingStatuses: false, diff --git a/x-pack/plugins/security_solution/public/app/translations.ts b/x-pack/plugins/security_solution/public/app/translations.ts index da680bf45dc8d..e383725a7e40c 100644 --- a/x-pack/plugins/security_solution/public/app/translations.ts +++ b/x-pack/plugins/security_solution/public/app/translations.ts @@ -65,7 +65,7 @@ export const EVENT_FILTERS = i18n.translate( export const HOST_ISOLATION_EXCEPTIONS = i18n.translate( 'xpack.securitySolution.search.administration.hostIsolationExceptions', { - defaultMessage: 'Host Isolation Exceptions', + defaultMessage: 'Host isolation exceptions', } ); export const DETECT = i18n.translate('xpack.securitySolution.navigation.detect', { diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx index 29861b1434147..396f431a3232d 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx @@ -18,12 +18,15 @@ import { UrlInputsModel } from '../../../store/inputs/model'; import { useRouteSpy } from '../../../utils/route/use_route_spy'; import { useIsExperimentalFeatureEnabled } from '../../../hooks/use_experimental_features'; import { TestProviders } from '../../../mock'; +import { useCanSeeHostIsolationExceptionsMenu } from '../../../../management/pages/host_isolation_exceptions/view/hooks'; jest.mock('../../../lib/kibana/kibana_react'); jest.mock('../../../lib/kibana'); jest.mock('../../../hooks/use_selector'); jest.mock('../../../hooks/use_experimental_features'); jest.mock('../../../utils/route/use_route_spy'); +jest.mock('../../../../management/pages/host_isolation_exceptions/view/hooks'); + describe('useSecuritySolutionNavigation', () => { const mockUrlState = { [CONSTANTS.appQuery]: { query: 'host.name:"security-solution-es"', language: 'kuery' }, @@ -75,6 +78,7 @@ describe('useSecuritySolutionNavigation', () => { (useIsExperimentalFeatureEnabled as jest.Mock).mockReturnValue(false); (useDeepEqualSelector as jest.Mock).mockReturnValue({ urlState: mockUrlState }); (useRouteSpy as jest.Mock).mockReturnValue(mockRouteSpy); + (useCanSeeHostIsolationExceptionsMenu as jest.Mock).mockReturnValue(true); (useKibana as jest.Mock).mockReturnValue({ services: { @@ -240,7 +244,7 @@ describe('useSecuritySolutionNavigation', () => { "href": "securitySolution/host_isolation_exceptions", "id": "host_isolation_exceptions", "isSelected": false, - "name": "Host Isolation Exceptions", + "name": "Host isolation exceptions", "onClick": [Function], }, ], @@ -264,6 +268,19 @@ describe('useSecuritySolutionNavigation', () => { expect(result.current.items[2].items[2].id).toEqual(SecurityPageName.ueba); }); + it('should omit host isolation exceptions if hook reports false', () => { + (useCanSeeHostIsolationExceptionsMenu as jest.Mock).mockReturnValueOnce(false); + const { result } = renderHook<{}, KibanaPageTemplateProps['solutionNav']>( + () => useSecuritySolutionNavigation(), + { wrapper: TestProviders } + ); + expect( + result.current?.items + .find((item) => item.id === 'manage') + ?.items?.find((item) => item.id === 'host_isolation_exceptions') + ).toBeUndefined(); + }); + describe('Permission gated routes', () => { describe('cases', () => { it('should display the cases navigation item when the user has read permissions', () => { diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx index 976f15586b555..a1be69dd077ad 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx +++ b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx @@ -14,6 +14,7 @@ import { PrimaryNavigationItemsProps } from './types'; import { useGetUserCasesPermissions } from '../../../lib/kibana'; import { useNavigation } from '../../../lib/kibana/hooks'; import { NavTab } from '../types'; +import { useCanSeeHostIsolationExceptionsMenu } from '../../../../management/pages/host_isolation_exceptions/view/hooks'; export const usePrimaryNavigationItems = ({ navTabs, @@ -62,8 +63,9 @@ export const usePrimaryNavigationItems = ({ function usePrimaryNavigationItemsToDisplay(navTabs: Record) { const hasCasesReadPermissions = useGetUserCasesPermissions()?.read; - return useMemo( - () => [ + const canSeeHostIsolationExceptions = useCanSeeHostIsolationExceptionsMenu(); + return useMemo(() => { + return [ { id: 'main', name: '', @@ -87,10 +89,9 @@ function usePrimaryNavigationItemsToDisplay(navTabs: Record) { navTabs.endpoints, navTabs.trusted_apps, navTabs.event_filters, - navTabs.host_isolation_exceptions, + ...(canSeeHostIsolationExceptions ? [navTabs.host_isolation_exceptions] : []), ], }, - ], - [navTabs, hasCasesReadPermissions] - ); + ]; + }, [navTabs, hasCasesReadPermissions, canSeeHostIsolationExceptions]); } diff --git a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/service.ts b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/service.ts index b58c2d901c2cc..957fd2d4485bc 100644 --- a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/service.ts +++ b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/service.ts @@ -8,6 +8,7 @@ import { CreateExceptionListItemSchema, ExceptionListItemSchema, + ExceptionListSummarySchema, FoundExceptionListItemSchema, UpdateExceptionListItemSchema, } from '@kbn/securitysolution-io-ts-list-types'; @@ -112,3 +113,13 @@ export async function updateOneHostIsolationExceptionItem( body: JSON.stringify(exception), }); } +export async function getHostIsolationExceptionSummary( + http: HttpStart +): Promise { + return http.get(`${EXCEPTION_LIST_URL}/summary`, { + query: { + list_id: ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID, + namespace_type: 'agnostic', + }, + }); +} diff --git a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.test.tsx b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.test.tsx index 4ab4ed785e491..3f0a8b9990b83 100644 --- a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.test.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.test.tsx @@ -18,6 +18,7 @@ import uuid from 'uuid'; import { createEmptyHostIsolationException } from '../../utils'; jest.mock('../../service.ts'); +jest.mock('../../../../../common/hooks/use_license'); describe('When on the host isolation exceptions flyout form', () => { let mockedContext: AppContextTestRender; diff --git a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.tsx b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.tsx index 799e327a3fb4c..14e976226c470 100644 --- a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/components/form_flyout.tsx @@ -52,9 +52,7 @@ import { HostIsolationExceptionsForm } from './form'; export const HostIsolationExceptionsFormFlyout: React.FC<{}> = memo(() => { const dispatch = useDispatch>(); const toasts = useToasts(); - const location = useHostIsolationExceptionsSelector(getCurrentLocation); - const creationInProgress = useHostIsolationExceptionsSelector((state) => isLoadingResourceState(state.form.status) ); @@ -62,11 +60,8 @@ export const HostIsolationExceptionsFormFlyout: React.FC<{}> = memo(() => { isLoadedResourceState(state.form.status) ); const creationFailure = useHostIsolationExceptionsSelector(getFormStatusFailure); - const exceptionToEdit = useHostIsolationExceptionsSelector(getExceptionToEdit); - const navigateCallback = useHostIsolationExceptionsNavigateCallback(); - const history = useHistory(); const [formHasError, setFormHasError] = useState(true); diff --git a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/hooks.test.ts b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/hooks.test.ts new file mode 100644 index 0000000000000..6a4e0cb840149 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/hooks.test.ts @@ -0,0 +1,54 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { useLicense } from '../../../../common/hooks/use_license'; +import { useCanSeeHostIsolationExceptionsMenu } from './hooks'; +import { renderHook } from '@testing-library/react-hooks'; +import { TestProviders } from '../../../../common/mock'; +import { getHostIsolationExceptionSummary } from '../service'; + +jest.mock('../../../../common/hooks/use_license'); +jest.mock('../service'); + +const getHostIsolationExceptionSummaryMock = getHostIsolationExceptionSummary as jest.Mock; + +describe('host isolation exceptions hooks', () => { + const isPlatinumPlusMock = useLicense().isPlatinumPlus as jest.Mock; + describe('useCanSeeHostIsolationExceptionsMenu', () => { + beforeEach(() => { + isPlatinumPlusMock.mockReset(); + }); + it('should return true if the license is platinum plus', () => { + isPlatinumPlusMock.mockReturnValue(true); + const { result } = renderHook(() => useCanSeeHostIsolationExceptionsMenu(), { + wrapper: TestProviders, + }); + expect(result.current).toBe(true); + }); + + it('should return false if the license is lower platinum plus and there are not existing host isolation items', () => { + isPlatinumPlusMock.mockReturnValue(false); + getHostIsolationExceptionSummaryMock.mockReturnValueOnce({ total: 0 }); + const { result } = renderHook(() => useCanSeeHostIsolationExceptionsMenu(), { + wrapper: TestProviders, + }); + expect(result.current).toBe(false); + }); + + it('should return true if the license is lower platinum plus and there are existing host isolation items', async () => { + isPlatinumPlusMock.mockReturnValue(false); + getHostIsolationExceptionSummaryMock.mockReturnValueOnce({ total: 11 }); + const { result, waitForNextUpdate } = renderHook( + () => useCanSeeHostIsolationExceptionsMenu(), + { + wrapper: TestProviders, + } + ); + await waitForNextUpdate(); + expect(result.current).toBe(true); + }); + }); +}); diff --git a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/hooks.ts b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/hooks.ts index db9ec467e7170..4b6129785c84a 100644 --- a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/hooks.ts +++ b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/hooks.ts @@ -4,15 +4,18 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { useCallback } from 'react'; +import { useCallback, useEffect, useState } from 'react'; import { useSelector } from 'react-redux'; import { useHistory } from 'react-router-dom'; +import { useHttp } from '../../../../common/lib/kibana/hooks'; +import { useLicense } from '../../../../common/hooks/use_license'; import { State } from '../../../../common/store'; import { MANAGEMENT_STORE_GLOBAL_NAMESPACE, MANAGEMENT_STORE_HOST_ISOLATION_EXCEPTIONS_NAMESPACE, } from '../../../common/constants'; import { getHostIsolationExceptionsListPath } from '../../../common/routing'; +import { getHostIsolationExceptionSummary } from '../service'; import { getCurrentLocation } from '../store/selector'; import { HostIsolationExceptionsPageLocation, HostIsolationExceptionsPageState } from '../types'; @@ -36,3 +39,33 @@ export function useHostIsolationExceptionsNavigateCallback() { [history, location] ); } + +/** + * Checks if the current user should be able to see the host isolation exceptions + * menu item based on their current license level and existing excepted items. + */ +export function useCanSeeHostIsolationExceptionsMenu() { + const license = useLicense(); + const http = useHttp(); + + const [hasExceptions, setHasExceptions] = useState(license.isPlatinumPlus()); + + useEffect(() => { + async function checkIfHasExceptions() { + try { + const summary = await getHostIsolationExceptionSummary(http); + if (summary?.total > 0) { + setHasExceptions(true); + } + } catch (error) { + // an error will ocurr if the exception list does not exist + setHasExceptions(false); + } + } + if (!license.isPlatinumPlus()) { + checkIfHasExceptions(); + } + }, [http, license]); + + return hasExceptions; +} diff --git a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.test.tsx b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.test.tsx index 9de3d83ed8bab..a7dfb66b02235 100644 --- a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.test.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.test.tsx @@ -14,9 +14,12 @@ import { AppContextTestRender, createAppRootMockRenderer } from '../../../../com import { isFailedResourceState, isLoadedResourceState } from '../../../state'; import { getHostIsolationExceptionItems } from '../service'; import { HostIsolationExceptionsList } from './host_isolation_exceptions_list'; +import { useLicense } from '../../../../common/hooks/use_license'; jest.mock('../../../../common/components/user_privileges/use_endpoint_privileges'); + jest.mock('../service'); +jest.mock('../../../../common/hooks/use_license'); const getHostIsolationExceptionItemsMock = getHostIsolationExceptionItems as jest.Mock; @@ -25,9 +28,13 @@ describe('When on the host isolation exceptions page', () => { let renderResult: ReturnType; let history: AppContextTestRender['history']; let waitForAction: AppContextTestRender['middlewareSpy']['waitForAction']; + let mockedContext: AppContextTestRender; + + const isPlatinumPlusMock = useLicense().isPlatinumPlus as jest.Mock; + beforeEach(() => { getHostIsolationExceptionItemsMock.mockReset(); - const mockedContext = createAppRootMockRenderer(); + mockedContext = createAppRootMockRenderer(); ({ history } = mockedContext); render = () => (renderResult = mockedContext.render()); waitForAction = mockedContext.middlewareSpy.waitForAction; @@ -106,17 +113,38 @@ describe('When on the host isolation exceptions page', () => { ).toEqual(' Server is too far away'); }); }); - it('should show the create flyout when the add button is pressed', () => { - render(); - act(() => { - userEvent.click(renderResult.getByTestId('hostIsolationExceptionsListAddButton')); + describe('is license platinum plus', () => { + beforeEach(() => { + isPlatinumPlusMock.mockReturnValue(true); + }); + it('should show the create flyout when the add button is pressed', () => { + render(); + act(() => { + userEvent.click(renderResult.getByTestId('hostIsolationExceptionsListAddButton')); + }); + expect(renderResult.getByTestId('hostIsolationExceptionsCreateEditFlyout')).toBeTruthy(); + }); + it('should show the create flyout when the show location is create', () => { + history.push(`${HOST_ISOLATION_EXCEPTIONS_PATH}?show=create`); + render(); + expect(renderResult.getByTestId('hostIsolationExceptionsCreateEditFlyout')).toBeTruthy(); + expect(renderResult.queryByTestId('hostIsolationExceptionsCreateEditFlyout')).toBeTruthy(); }); - expect(renderResult.getByTestId('hostIsolationExceptionsCreateEditFlyout')).toBeTruthy(); }); - it('should show the create flyout when the show location is create', () => { - history.push(`${HOST_ISOLATION_EXCEPTIONS_PATH}?show=create`); - render(); - expect(renderResult.getByTestId('hostIsolationExceptionsCreateEditFlyout')).toBeTruthy(); + describe('is not license platinum plus', () => { + beforeEach(() => { + isPlatinumPlusMock.mockReturnValue(false); + }); + it('should not show the create flyout if the user navigates to the create url', () => { + history.push(`${HOST_ISOLATION_EXCEPTIONS_PATH}?show=create`); + render(); + expect(renderResult.queryByTestId('hostIsolationExceptionsCreateEditFlyout')).toBeFalsy(); + }); + it('should not show the create flyout if the user navigates to the edit url', () => { + history.push(`${HOST_ISOLATION_EXCEPTIONS_PATH}?show=edit`); + render(); + expect(renderResult.queryByTestId('hostIsolationExceptionsCreateEditFlyout')).toBeFalsy(); + }); }); }); }); diff --git a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.tsx b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.tsx index 3c634a917c0ce..f4a89e89a9f67 100644 --- a/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/host_isolation_exceptions/view/host_isolation_exceptions_list.tsx @@ -7,11 +7,13 @@ import { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { i18n } from '@kbn/i18n'; -import React, { Dispatch, useCallback } from 'react'; +import React, { Dispatch, useCallback, useEffect } from 'react'; import { EuiButton, EuiSpacer } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; import { useDispatch } from 'react-redux'; +import { useHistory } from 'react-router-dom'; import { ExceptionItem } from '../../../../common/components/exceptions/viewer/exception_item'; +import { useLicense } from '../../../../common/hooks/use_license'; import { getCurrentLocation, getItemToDelete, @@ -37,6 +39,7 @@ import { DELETE_HOST_ISOLATION_EXCEPTION_LABEL, EDIT_HOST_ISOLATION_EXCEPTION_LABEL, } from './components/translations'; +import { getEndpointListPath } from '../../../common/routing'; type HostIsolationExceptionPaginatedContent = PaginatedContentProps< Immutable, @@ -51,10 +54,16 @@ export const HostIsolationExceptionsList = () => { const location = useHostIsolationExceptionsSelector(getCurrentLocation); const dispatch = useDispatch>(); const itemToDelete = useHostIsolationExceptionsSelector(getItemToDelete); - - const showFlyout = !!location.show; - const navigateCallback = useHostIsolationExceptionsNavigateCallback(); + const history = useHistory(); + const license = useLicense(); + const showFlyout = license.isPlatinumPlus() && !!location.show; + + useEffect(() => { + if (!isLoading && listItems.length === 0 && !license.isPlatinumPlus()) { + history.replace(getEndpointListPath({ name: 'endpointList' })); + } + }, [history, isLoading, license, listItems.length]); const handleOnSearch = useCallback( (query: string) => { @@ -63,34 +72,35 @@ export const HostIsolationExceptionsList = () => { [navigateCallback] ); - const handleItemComponentProps = (element: ExceptionListItemSchema): ArtifactEntryCardProps => ({ - item: element, - 'data-test-subj': `hostIsolationExceptionsCard`, - actions: [ - { - icon: 'trash', - onClick: () => { - navigateCallback({ - show: 'edit', - id: element.id, - }); - }, - 'data-test-subj': 'editHostIsolationException', - children: EDIT_HOST_ISOLATION_EXCEPTION_LABEL, + function handleItemComponentProps(element: ExceptionListItemSchema): ArtifactEntryCardProps { + const editAction = { + icon: 'trash', + onClick: () => { + navigateCallback({ + show: 'edit', + id: element.id, + }); }, - { - icon: 'trash', - onClick: () => { - dispatch({ - type: 'hostIsolationExceptionsMarkToDelete', - payload: element, - }); - }, - 'data-test-subj': 'deleteHostIsolationException', - children: DELETE_HOST_ISOLATION_EXCEPTION_LABEL, + 'data-test-subj': 'editHostIsolationException', + children: EDIT_HOST_ISOLATION_EXCEPTION_LABEL, + }; + const deleteAction = { + icon: 'trash', + onClick: () => { + dispatch({ + type: 'hostIsolationExceptionsMarkToDelete', + payload: element, + }); }, - ], - }); + 'data-test-subj': 'deleteHostIsolationException', + children: DELETE_HOST_ISOLATION_EXCEPTION_LABEL, + }; + return { + item: element, + 'data-test-subj': `hostIsolationExceptionsCard`, + actions: license.isPlatinumPlus() ? [editAction, deleteAction] : [deleteAction], + }; + } const handlePaginatedContentChange: HostIsolationExceptionPaginatedContent['onChange'] = useCallback( @@ -121,18 +131,22 @@ export const HostIsolationExceptionsList = () => { /> } actions={ - - - + license.isPlatinumPlus() ? ( + + + + ) : ( + [] + ) } > {showFlyout && } diff --git a/x-pack/plugins/security_solution/server/endpoint/mocks.ts b/x-pack/plugins/security_solution/server/endpoint/mocks.ts index 0b4060a7e024f..39833b6e995d1 100644 --- a/x-pack/plugins/security_solution/server/endpoint/mocks.ts +++ b/x-pack/plugins/security_solution/server/endpoint/mocks.ts @@ -119,6 +119,7 @@ export const createMockEndpointAppContextServiceStartContract = export const createMockPackageService = (): jest.Mocked => { return { getInstallation: jest.fn(), + ensureInstalledPackage: jest.fn(), }; }; diff --git a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts index d0bbb3b346ea8..2f31f54143f74 100644 --- a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts +++ b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.test.ts @@ -343,9 +343,10 @@ describe('ingest_integration tests ', () => { }); }); - it("doesn't remove policy from trusted app FF disabled", async () => { + it("doesn't remove policy from trusted app if feature flag is disabled", async () => { await invokeDeleteCallback({ ...allowedExperimentalValues, + trustedAppsByPolicyEnabled: false, // since it was changed to `true` by default }); expect(exceptionListClient.findExceptionListItem).toHaveBeenCalledTimes(0); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts index 200246ba1a367..9d1cd3cbca3fb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -479,7 +479,6 @@ export const getRuleExecutionStatuses = (): Array< type: 'my-type', id: 'e0b86950-4e9f-11ea-bdbd-07b56aa159b3', attributes: { - alertId: '04128c15-0d1b-4716-a4c5-46997ac7f3bc', statusDate: '2020-02-18T15:26:49.783Z', status: RuleExecutionStatus.succeeded, lastFailureAt: undefined, @@ -492,7 +491,13 @@ export const getRuleExecutionStatuses = (): Array< bulkCreateTimeDurations: ['800.43'], }, score: 1, - references: [], + references: [ + { + id: '04128c15-0d1b-4716-a4c5-46997ac7f3bc', + type: 'alert', + name: 'alert_0', + }, + ], updated_at: '2020-02-18T15:26:51.333Z', version: 'WzQ2LDFd', }, @@ -500,7 +505,6 @@ export const getRuleExecutionStatuses = (): Array< type: 'my-type', id: '91246bd0-5261-11ea-9650-33b954270f67', attributes: { - alertId: '1ea5a820-4da1-4e82-92a1-2b43a7bece08', statusDate: '2020-02-18T15:15:58.806Z', status: RuleExecutionStatus.failed, lastFailureAt: '2020-02-18T15:15:58.806Z', @@ -514,7 +518,13 @@ export const getRuleExecutionStatuses = (): Array< bulkCreateTimeDurations: ['800.43'], }, score: 1, - references: [], + references: [ + { + id: '1ea5a820-4da1-4e82-92a1-2b43a7bece08', + type: 'alert', + name: 'alert_0', + }, + ], updated_at: '2020-02-18T15:15:58.860Z', version: 'WzMyLDFd', }, @@ -523,7 +533,6 @@ export const getRuleExecutionStatuses = (): Array< export const getFindBulkResultStatus = (): FindBulkExecutionLogResponse => ({ '04128c15-0d1b-4716-a4c5-46997ac7f3bd': [ { - alertId: '04128c15-0d1b-4716-a4c5-46997ac7f3bd', statusDate: '2020-02-18T15:26:49.783Z', status: RuleExecutionStatus.succeeded, lastFailureAt: undefined, @@ -538,7 +547,6 @@ export const getFindBulkResultStatus = (): FindBulkExecutionLogResponse => ({ ], '1ea5a820-4da1-4e82-92a1-2b43a7bece08': [ { - alertId: '1ea5a820-4da1-4e82-92a1-2b43a7bece08', statusDate: '2020-02-18T15:15:58.806Z', status: RuleExecutionStatus.failed, lastFailureAt: '2020-02-18T15:15:58.806Z', diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts index 0048c735b0a7c..fed34743e220a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts @@ -31,7 +31,7 @@ import { updatePrepackagedRules } from '../../rules/update_prepacked_rules'; import { getRulesToInstall } from '../../rules/get_rules_to_install'; import { getRulesToUpdate } from '../../rules/get_rules_to_update'; import { getExistingPrepackagedRules } from '../../rules/get_existing_prepackaged_rules'; -import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset_saved_objects_client'; +import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset/rule_asset_saved_objects_client'; import { buildSiemResponse } from '../utils'; import { RulesClient } from '../../../../../../alerting/server'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_prepackaged_rules_status_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_prepackaged_rules_status_route.ts index 9a06928eee233..a18507eea4977 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_prepackaged_rules_status_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/get_prepackaged_rules_status_route.ts @@ -20,7 +20,7 @@ import { getRulesToUpdate } from '../../rules/get_rules_to_update'; import { findRules } from '../../rules/find_rules'; import { getLatestPrepackagedRules } from '../../rules/get_prepackaged_rules'; import { getExistingPrepackagedRules } from '../../rules/get_existing_prepackaged_rules'; -import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset_saved_objects_client'; +import { ruleAssetSavedObjectsClientFactory } from '../../rules/rule_asset/rule_asset_saved_objects_client'; import { buildFrameworkRequest } from '../../../timeline/utils/common'; import { ConfigType } from '../../../../config'; import { SetupPlugins } from '../../../../plugin'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/utils.test.ts index 10472fe1c0a03..6ddeeaa5ea1c2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/utils.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/utils.test.ts @@ -136,16 +136,16 @@ describe.each([ describe('mergeStatuses', () => { it('merges statuses and converts from camelCase saved object to snake_case HTTP response', () => { + // const statusOne = exampleRuleStatus(); statusOne.attributes.status = RuleExecutionStatus.failed; const statusTwo = exampleRuleStatus(); statusTwo.attributes.status = RuleExecutionStatus.failed; const currentStatus = exampleRuleStatus(); const foundRules = [currentStatus.attributes, statusOne.attributes, statusTwo.attributes]; - const res = mergeStatuses(currentStatus.attributes.alertId, foundRules, { + const res = mergeStatuses(currentStatus.references[0].id, foundRules, { 'myfakealertid-8cfac': { current_status: { - alert_id: 'myfakealertid-8cfac', status_date: '2020-03-27T22:55:59.517Z', status: RuleExecutionStatus.succeeded, last_failure_at: null, @@ -163,7 +163,6 @@ describe.each([ expect(res).toEqual({ 'myfakealertid-8cfac': { current_status: { - alert_id: 'myfakealertid-8cfac', status_date: '2020-03-27T22:55:59.517Z', status: 'succeeded', last_failure_at: null, @@ -179,7 +178,6 @@ describe.each([ }, 'f4b8e31d-cf93-4bde-a265-298bde885cd7': { current_status: { - alert_id: 'f4b8e31d-cf93-4bde-a265-298bde885cd7', status_date: '2020-03-27T22:55:59.517Z', status: 'succeeded', last_failure_at: null, @@ -193,7 +191,6 @@ describe.each([ }, failures: [ { - alert_id: 'f4b8e31d-cf93-4bde-a265-298bde885cd7', status_date: '2020-03-27T22:55:59.517Z', status: 'failed', last_failure_at: null, @@ -206,7 +203,6 @@ describe.each([ last_look_back_date: null, // NOTE: This is no longer used on the UI, but left here in case users are using it within the API }, { - alert_id: 'f4b8e31d-cf93-4bde-a265-298bde885cd7', status_date: '2020-03-27T22:55:59.517Z', status: 'failed', last_failure_at: null, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log_adapter/event_log_adapter.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log_adapter/event_log_adapter.ts index 086cc12788a40..a3fb50f1f6b0b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log_adapter/event_log_adapter.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log_adapter/event_log_adapter.ts @@ -42,7 +42,7 @@ export class EventLogAdapter implements IRuleExecutionLogClient { } public async update(args: UpdateExecutionLogArgs) { - const { attributes, spaceId, ruleName, ruleType } = args; + const { attributes, spaceId, ruleId, ruleName, ruleType } = args; await this.savedObjectsAdapter.update(args); @@ -51,7 +51,7 @@ export class EventLogAdapter implements IRuleExecutionLogClient { this.eventLogClient.logStatusChange({ ruleName, ruleType, - ruleId: attributes.alertId, + ruleId, newStatus: attributes.status, spaceId, }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/rule_status_saved_objects_client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/rule_status_saved_objects_client.ts index 720659b72194f..66b646e96ea53 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/rule_status_saved_objects_client.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/rule_status_saved_objects_client.ts @@ -5,27 +5,33 @@ * 2.0. */ -import { get } from 'lodash'; import { - SavedObjectsClientContract, SavedObject, - SavedObjectsUpdateResponse, + SavedObjectsClientContract, + SavedObjectsCreateOptions, SavedObjectsFindOptions, + SavedObjectsFindOptionsReference, SavedObjectsFindResult, -} from '../../../../../../../../src/core/server'; -import { ruleStatusSavedObjectType } from '../../rules/saved_object_mappings'; + SavedObjectsUpdateResponse, +} from 'kibana/server'; +import { get } from 'lodash'; +// eslint-disable-next-line no-restricted-imports +import { legacyRuleStatusSavedObjectType } from '../../rules/legacy_rule_status/legacy_rule_status_saved_object_mappings'; import { IRuleStatusSOAttributes } from '../../rules/types'; -import { buildChunkedOrFilter } from '../../signals/utils'; export interface RuleStatusSavedObjectsClient { find: ( options?: Omit ) => Promise>>; findBulk: (ids: string[], statusesPerId: number) => Promise; - create: (attributes: IRuleStatusSOAttributes) => Promise>; + create: ( + attributes: IRuleStatusSOAttributes, + options: SavedObjectsCreateOptions + ) => Promise>; update: ( id: string, - attributes: Partial + attributes: Partial, + options: SavedObjectsCreateOptions ) => Promise>; delete: (id: string) => Promise<{}>; } @@ -35,7 +41,7 @@ export interface FindBulkResponse { } /** - * @pdeprecated Use RuleExecutionLogClient instead + * @deprecated Use RuleExecutionLogClient instead */ export const ruleStatusSavedObjectsClientFactory = ( savedObjectsClient: SavedObjectsClientContract @@ -43,7 +49,7 @@ export const ruleStatusSavedObjectsClientFactory = ( find: async (options) => { const result = await savedObjectsClient.find({ ...options, - type: ruleStatusSavedObjectType, + type: legacyRuleStatusSavedObjectType, }); return result.saved_objects; }, @@ -51,47 +57,64 @@ export const ruleStatusSavedObjectsClientFactory = ( if (ids.length === 0) { return {}; } - const filter = buildChunkedOrFilter(`${ruleStatusSavedObjectType}.attributes.alertId`, ids); + const references = ids.map((alertId) => ({ + id: alertId, + type: 'alert', + })); const order: 'desc' = 'desc'; const aggs = { - alertIds: { - terms: { - field: `${ruleStatusSavedObjectType}.attributes.alertId`, - size: ids.length, + references: { + nested: { + path: `${legacyRuleStatusSavedObjectType}.references`, }, aggs: { - most_recent_statuses: { - top_hits: { - sort: [ - { - [`${ruleStatusSavedObjectType}.statusDate`]: { - order, + alertIds: { + terms: { + field: `${legacyRuleStatusSavedObjectType}.references.id`, + size: ids.length, + }, + aggs: { + rule_status: { + reverse_nested: {}, + aggs: { + most_recent_statuses: { + top_hits: { + sort: [ + { + [`${legacyRuleStatusSavedObjectType}.statusDate`]: { + order, + }, + }, + ], + size: statusesPerId, + }, }, }, - ], - size: statusesPerId, + }, }, }, }, }, }; const results = await savedObjectsClient.find({ - filter, + hasReference: references, aggs, - type: ruleStatusSavedObjectType, + type: legacyRuleStatusSavedObjectType, perPage: 0, }); - const buckets = get(results, 'aggregations.alertIds.buckets'); + const buckets = get(results, 'aggregations.references.alertIds.buckets'); return buckets.reduce((acc: Record, bucket: unknown) => { const key = get(bucket, 'key'); - const hits = get(bucket, 'most_recent_statuses.hits.hits'); + const hits = get(bucket, 'rule_status.most_recent_statuses.hits.hits'); // eslint-disable-next-line @typescript-eslint/no-explicit-any - const statuses = hits.map((hit: any) => hit._source['siem-detection-engine-rule-status']); - acc[key] = statuses; + acc[key] = hits.map((hit: any) => hit._source[legacyRuleStatusSavedObjectType]); return acc; }, {}); }, - create: (attributes) => savedObjectsClient.create(ruleStatusSavedObjectType, attributes), - update: (id, attributes) => savedObjectsClient.update(ruleStatusSavedObjectType, id, attributes), - delete: (id) => savedObjectsClient.delete(ruleStatusSavedObjectType, id), + create: (attributes, options) => { + return savedObjectsClient.create(legacyRuleStatusSavedObjectType, attributes, options); + }, + update: (id, attributes, options) => + savedObjectsClient.update(legacyRuleStatusSavedObjectType, id, attributes, options), + delete: (id) => savedObjectsClient.delete(legacyRuleStatusSavedObjectType, id), }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/saved_objects_adapter.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/saved_objects_adapter.ts index ca806bd58e369..9db7afce62ee4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/saved_objects_adapter.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/saved_objects_adapter/saved_objects_adapter.ts @@ -5,9 +5,12 @@ * 2.0. */ -import { SavedObject } from 'src/core/server'; +import { SavedObject, SavedObjectReference } from 'src/core/server'; import { SavedObjectsClientContract } from '../../../../../../../../src/core/server'; import { RuleExecutionStatus } from '../../../../../common/detection_engine/schemas/common/schemas'; +// eslint-disable-next-line no-restricted-imports +import { legacyGetRuleReference } from '../../rules/legacy_rule_status/legacy_utils'; + import { IRuleStatusSOAttributes } from '../../rules/types'; import { RuleStatusSavedObjectsClient, @@ -51,7 +54,7 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient { sortField: 'statusDate', sortOrder: 'desc', search: ruleId, - searchFields: ['alertId'], + searchFields: ['references.id'], }); } @@ -59,8 +62,9 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient { return this.ruleStatusClient.findBulk(ruleIds, logsCount); } - public async update({ id, attributes }: UpdateExecutionLogArgs) { - await this.ruleStatusClient.update(id, attributes); + public async update({ id, attributes, ruleId }: UpdateExecutionLogArgs) { + const references: SavedObjectReference[] = [legacyGetRuleReference(ruleId)]; + await this.ruleStatusClient.update(id, attributes, { references }); } public async delete(id: string) { @@ -68,31 +72,39 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient { } public async logExecutionMetrics({ ruleId, metrics }: LogExecutionMetricsArgs) { + const references: SavedObjectReference[] = [legacyGetRuleReference(ruleId)]; const [currentStatus] = await this.getOrCreateRuleStatuses(ruleId); - await this.ruleStatusClient.update(currentStatus.id, { - ...currentStatus.attributes, - ...convertMetricFields(metrics), - }); + await this.ruleStatusClient.update( + currentStatus.id, + { + ...currentStatus.attributes, + ...convertMetricFields(metrics), + }, + { references } + ); } private createNewRuleStatus = async ( ruleId: string ): Promise> => { + const references: SavedObjectReference[] = [legacyGetRuleReference(ruleId)]; const now = new Date().toISOString(); - return this.ruleStatusClient.create({ - alertId: ruleId, - statusDate: now, - status: RuleExecutionStatus['going to run'], - lastFailureAt: null, - lastSuccessAt: null, - lastFailureMessage: null, - lastSuccessMessage: null, - gap: null, - bulkCreateTimeDurations: [], - searchAfterTimeDurations: [], - lastLookBackDate: null, - }); + return this.ruleStatusClient.create( + { + statusDate: now, + status: RuleExecutionStatus['going to run'], + lastFailureAt: null, + lastSuccessAt: null, + lastFailureMessage: null, + lastSuccessMessage: null, + gap: null, + bulkCreateTimeDurations: [], + searchAfterTimeDurations: [], + lastLookBackDate: null, + }, + { references } + ); }; private getOrCreateRuleStatuses = async ( @@ -112,6 +124,8 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient { }; public async logStatusChange({ newStatus, ruleId, message, metrics }: LogStatusChangeArgs) { + const references: SavedObjectReference[] = [legacyGetRuleReference(ruleId)]; + switch (newStatus) { case RuleExecutionStatus['going to run']: case RuleExecutionStatus.succeeded: @@ -119,10 +133,14 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient { case RuleExecutionStatus['partial failure']: { const [currentStatus] = await this.getOrCreateRuleStatuses(ruleId); - await this.ruleStatusClient.update(currentStatus.id, { - ...currentStatus.attributes, - ...buildRuleStatusAttributes(newStatus, message, metrics), - }); + await this.ruleStatusClient.update( + currentStatus.id, + { + ...currentStatus.attributes, + ...buildRuleStatusAttributes(newStatus, message, metrics), + }, + { references } + ); return; } @@ -137,8 +155,8 @@ export class SavedObjectsAdapter implements IRuleExecutionLogClient { }; // We always update the newest status, so to 'persist' a failure we push a copy to the head of the list - await this.ruleStatusClient.update(currentStatus.id, failureAttributes); - const lastStatus = await this.ruleStatusClient.create(failureAttributes); + await this.ruleStatusClient.update(currentStatus.id, failureAttributes, { references }); + const lastStatus = await this.ruleStatusClient.create(failureAttributes, { references }); // drop oldest failures const oldStatuses = [lastStatus, ...ruleStatuses].slice(MAX_RULE_STATUSES); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/types.ts index e38f974ddee2e..564145cfc5d1f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/types.ts @@ -53,6 +53,7 @@ export interface LogStatusChangeArgs { export interface UpdateExecutionLogArgs { id: string; attributes: IRuleStatusSOAttributes; + ruleId: string; ruleName: string; ruleType: string; spaceId: string; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/delete_rules.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/delete_rules.test.ts index f8e1f873377a9..2d82cd7f8732a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/delete_rules.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/delete_rules.test.ts @@ -26,7 +26,6 @@ describe('deleteRules', () => { type: '', references: [], attributes: { - alertId: 'alertId', statusDate: '', lastFailureAt: null, lastFailureMessage: null, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/enable_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/enable_rule.ts index 2f3d05e0c9586..b75a1b0d80e9a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/enable_rule.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/enable_rule.ts @@ -44,6 +44,7 @@ export const enableRule = async ({ const currentStatusToDisable = ruleCurrentStatus[0]; await ruleStatusClient.update({ id: currentStatusToDisable.id, + ruleId: rule.id, ruleName: rule.name, ruleType: rule.alertTypeId, attributes: { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_prepackaged_rules.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_prepackaged_rules.ts index 6fe326a8d85a3..8116a42f42827 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_prepackaged_rules.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_prepackaged_rules.ts @@ -18,7 +18,7 @@ import { // TODO: convert rules files to TS and add explicit type definitions import { rawRules } from './prepackaged_rules'; -import { RuleAssetSavedObjectsClient } from './rule_asset_saved_objects_client'; +import { RuleAssetSavedObjectsClient } from './rule_asset/rule_asset_saved_objects_client'; import { IRuleAssetSOAttributes } from './types'; import { SavedObjectAttributes } from '../../../../../../../src/core/types'; import { ConfigType } from '../../../config'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_migrations.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_migrations.ts new file mode 100644 index 0000000000000..92d7487be0cdb --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_migrations.ts @@ -0,0 +1,115 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + SavedObjectMigrationFn, + SavedObjectReference, + SavedObjectSanitizedDoc, + SavedObjectUnsanitizedDoc, +} from 'kibana/server'; +import { isString } from 'lodash/fp'; +import { truncateMessage } from '../../rule_execution_log'; +import { IRuleSavedAttributesSavedObjectAttributes } from '../types'; +// eslint-disable-next-line no-restricted-imports +import { legacyGetRuleReference } from './legacy_utils'; + +export const truncateMessageFields: SavedObjectMigrationFn> = (doc) => { + const { lastFailureMessage, lastSuccessMessage, ...restAttributes } = doc.attributes; + + return { + ...doc, + attributes: { + lastFailureMessage: truncateMessage(lastFailureMessage), + lastSuccessMessage: truncateMessage(lastSuccessMessage), + ...restAttributes, + }, + references: doc.references ?? [], + }; +}; + +/** + * This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and + * additional fields on the Alerting Framework Rule SO. + * + * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x) + */ +export const legacyRuleStatusSavedObjectMigration = { + '7.15.2': truncateMessageFields, + '7.16.0': ( + doc: SavedObjectUnsanitizedDoc + ): SavedObjectSanitizedDoc => { + return legacyMigrateRuleAlertIdSOReferences(doc); + }, +}; + +/** + * This migrates alertId within legacy `siem-detection-engine-rule-status` to saved object references on an upgrade. + * We only migrate alertId if we find these conditions: + * - alertId is a string and not null, undefined, or malformed data. + * - The existing references do not already have a alertId found within it. + * + * Some of these issues could crop up during either user manual errors of modifying things, earlier migration + * issues, etc... so we are safer to check them as possibilities + * + * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x) + * @param doc The document having an alertId to migrate into references + * @returns The document migrated with saved object references + */ +export const legacyMigrateRuleAlertIdSOReferences = ( + doc: SavedObjectUnsanitizedDoc +): SavedObjectSanitizedDoc => { + const { references } = doc; + + // Isolate alertId from the doc + const { alertId, ...attributesWithoutAlertId } = doc.attributes; + const existingReferences = references ?? []; + + if (!isString(alertId)) { + // early return if alertId is not a string as expected + return { ...doc, references: existingReferences }; + } else { + const alertReferences = legacyMigrateAlertId({ + alertId, + existingReferences, + }); + + return { + ...doc, + attributes: { + ...attributesWithoutAlertId.attributes, + }, + references: [...existingReferences, ...alertReferences], + }; + } +}; + +/** + * This is a helper to migrate "alertId" + * + * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x) + * + * @param existingReferences The existing saved object references + * @param alertId The alertId to migrate + * + * @returns The savedObjectReferences migrated + */ +export const legacyMigrateAlertId = ({ + existingReferences, + alertId, +}: { + existingReferences: SavedObjectReference[]; + alertId: string; +}): SavedObjectReference[] => { + const existingReferenceFound = existingReferences.find((reference) => { + return reference.id === alertId && reference.type === 'alert'; + }); + if (existingReferenceFound) { + return []; + } else { + return [legacyGetRuleReference(alertId)]; + } +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_rule_status_saved_object_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_rule_status_saved_object_mappings.ts new file mode 100644 index 0000000000000..3fe3fc06cc7d6 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_rule_status_saved_object_mappings.ts @@ -0,0 +1,73 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { SavedObjectsType } from 'kibana/server'; +// eslint-disable-next-line no-restricted-imports +import { legacyRuleStatusSavedObjectMigration } from './legacy_migrations'; + +/** + * This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and + * additional fields on the Alerting Framework Rule SO. + * + * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x) + */ +export const legacyRuleStatusSavedObjectType = 'siem-detection-engine-rule-status'; + +/** + * This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and + * additional fields on the Alerting Framework Rule SO. + * + * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x) + */ +export const ruleStatusSavedObjectMappings: SavedObjectsType['mappings'] = { + properties: { + status: { + type: 'keyword', + }, + statusDate: { + type: 'date', + }, + lastFailureAt: { + type: 'date', + }, + lastSuccessAt: { + type: 'date', + }, + lastFailureMessage: { + type: 'text', + }, + lastSuccessMessage: { + type: 'text', + }, + lastLookBackDate: { + type: 'date', + }, + gap: { + type: 'text', + }, + bulkCreateTimeDurations: { + type: 'float', + }, + searchAfterTimeDurations: { + type: 'float', + }, + }, +}; + +/** + * This side-car rule status SO is deprecated and is to be replaced by the RuleExecutionLog on Event-Log and + * additional fields on the Alerting Framework Rule SO. + * + * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x) + */ +export const legacyRuleStatusType: SavedObjectsType = { + name: legacyRuleStatusSavedObjectType, + hidden: false, + namespaceType: 'single', + mappings: ruleStatusSavedObjectMappings, + migrations: legacyRuleStatusSavedObjectMigration, +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_utils.ts new file mode 100644 index 0000000000000..62de5ce591230 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/legacy_rule_status/legacy_utils.ts @@ -0,0 +1,17 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/** + * Given an id this returns a legacy rule reference. + * @param id The id of the alert + * @deprecated Remove this once we've fully migrated to event-log and no longer require addition status SO (8.x) + */ +export const legacyGetRuleReference = (id: string) => ({ + id, + type: 'alert', + name: 'alert_0', +}); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset/rule_asset_saved_object_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset/rule_asset_saved_object_mappings.ts new file mode 100644 index 0000000000000..e2941b503664b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset/rule_asset_saved_object_mappings.ts @@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { SavedObjectsType } from '../../../../../../../../src/core/server'; + +export const ruleAssetSavedObjectType = 'security-rule'; + +export const ruleAssetSavedObjectMappings: SavedObjectsType['mappings'] = { + dynamic: false, + properties: { + name: { + type: 'keyword', + }, + rule_id: { + type: 'keyword', + }, + version: { + type: 'long', + }, + }, +}; + +export const ruleAssetType: SavedObjectsType = { + name: ruleAssetSavedObjectType, + hidden: false, + namespaceType: 'agnostic', + mappings: ruleAssetSavedObjectMappings, +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset_saved_objects_client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset/rule_asset_saved_objects_client.ts similarity index 88% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset_saved_objects_client.ts rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset/rule_asset_saved_objects_client.ts index ac0969dfc975d..c594385dce22b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset_saved_objects_client.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/rule_asset/rule_asset_saved_objects_client.ts @@ -9,9 +9,9 @@ import { SavedObjectsClientContract, SavedObjectsFindOptions, SavedObjectsFindResponse, -} from '../../../../../../../src/core/server'; -import { ruleAssetSavedObjectType } from '../rules/saved_object_mappings'; -import { IRuleAssetSavedObject } from '../rules/types'; +} from 'kibana/server'; +import { ruleAssetSavedObjectType } from './rule_asset_saved_object_mappings'; +import { IRuleAssetSavedObject } from '../types'; const DEFAULT_PAGE_SIZE = 100; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts deleted file mode 100644 index d347fccf6b77b..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts +++ /dev/null @@ -1,97 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { SavedObjectsType, SavedObjectMigrationFn } from 'kibana/server'; -import { truncateMessage } from '../rule_execution_log'; - -export const ruleStatusSavedObjectType = 'siem-detection-engine-rule-status'; - -export const ruleStatusSavedObjectMappings: SavedObjectsType['mappings'] = { - properties: { - alertId: { - type: 'keyword', - }, - status: { - type: 'keyword', - }, - statusDate: { - type: 'date', - }, - lastFailureAt: { - type: 'date', - }, - lastSuccessAt: { - type: 'date', - }, - lastFailureMessage: { - type: 'text', - }, - lastSuccessMessage: { - type: 'text', - }, - lastLookBackDate: { - type: 'date', - }, - gap: { - type: 'text', - }, - bulkCreateTimeDurations: { - type: 'float', - }, - searchAfterTimeDurations: { - type: 'float', - }, - }, -}; - -const truncateMessageFields: SavedObjectMigrationFn> = (doc) => { - const { lastFailureMessage, lastSuccessMessage, ...restAttributes } = doc.attributes; - - return { - ...doc, - attributes: { - lastFailureMessage: truncateMessage(lastFailureMessage), - lastSuccessMessage: truncateMessage(lastSuccessMessage), - ...restAttributes, - }, - references: doc.references ?? [], - }; -}; - -export const type: SavedObjectsType = { - name: ruleStatusSavedObjectType, - hidden: false, - namespaceType: 'single', - mappings: ruleStatusSavedObjectMappings, - migrations: { - '7.15.2': truncateMessageFields, - }, -}; - -export const ruleAssetSavedObjectType = 'security-rule'; - -export const ruleAssetSavedObjectMappings: SavedObjectsType['mappings'] = { - dynamic: false, - properties: { - name: { - type: 'keyword', - }, - rule_id: { - type: 'keyword', - }, - version: { - type: 'long', - }, - }, -}; - -export const ruleAssetType: SavedObjectsType = { - name: ruleAssetSavedObjectType, - hidden: false, - namespaceType: 'agnostic', - mappings: ruleAssetSavedObjectMappings, -}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/types.ts index 8adf19a53f92b..53a83d61da78d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/types.ts @@ -111,7 +111,6 @@ export type RuleAlertType = SanitizedAlert; // eslint-disable-next-line @typescript-eslint/no-explicit-any export interface IRuleStatusSOAttributes extends Record { - alertId: string; // created alert id. statusDate: StatusDate; lastFailureAt: LastFailureAt | null | undefined; lastFailureMessage: LastFailureMessage | null | undefined; @@ -125,7 +124,6 @@ export interface IRuleStatusSOAttributes extends Record { } export interface IRuleStatusResponseAttributes { - alert_id: string; // created alert id. status_date: StatusDate; last_failure_at: LastFailureAt | null | undefined; last_failure_message: LastFailureMessage | null | undefined; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts index 207ea497c7e8e..078d36a99ad17 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts @@ -18,7 +18,8 @@ import type { import { SavedObject } from '../../../../../../../../src/core/server'; import { loggingSystemMock } from '../../../../../../../../src/core/server/mocks'; import { IRuleStatusSOAttributes } from '../../rules/types'; -import { ruleStatusSavedObjectType } from '../../rules/saved_object_mappings'; +// eslint-disable-next-line no-restricted-imports +import { legacyRuleStatusSavedObjectType } from '../../rules/legacy_rule_status/legacy_rule_status_saved_object_mappings'; import { getListArrayMock } from '../../../../../common/detection_engine/schemas/types/lists.mock'; import { RulesSchema } from '../../../../../common/detection_engine/schemas/response'; import { RuleParams } from '../../schemas/rule_schemas'; @@ -725,10 +726,9 @@ export const sampleRuleGuid = '04128c15-0d1b-4716-a4c5-46997ac7f3bd'; export const sampleIdGuid = 'e1e08ddc-5e37-49ff-a258-5393aa44435a'; export const exampleRuleStatus: () => SavedObject = () => ({ - type: ruleStatusSavedObjectType, + type: legacyRuleStatusSavedObjectType, id: '042e6d90-7069-11ea-af8b-0f8ae4fa817e', attributes: { - alertId: 'f4b8e31d-cf93-4bde-a265-298bde885cd7', statusDate: '2020-03-27T22:55:59.517Z', status: RuleExecutionStatus.succeeded, lastFailureAt: null, @@ -740,7 +740,13 @@ export const exampleRuleStatus: () => SavedObject = () searchAfterTimeDurations: [], lastLookBackDate: null, }, - references: [], + references: [ + { + id: 'f4b8e31d-cf93-4bde-a265-298bde885cd7', + type: 'alert', + name: 'alert_0', + }, + ], updated_at: '2020-03-27T22:55:59.577Z', version: 'WzgyMiwxXQ==', }); diff --git a/x-pack/plugins/security_solution/server/saved_objects.ts b/x-pack/plugins/security_solution/server/saved_objects.ts index 1523b3ddf4cbf..53618d738984b 100644 --- a/x-pack/plugins/security_solution/server/saved_objects.ts +++ b/x-pack/plugins/security_solution/server/saved_objects.ts @@ -8,10 +8,9 @@ import { CoreSetup } from '../../../../src/core/server'; import { noteType, pinnedEventType, timelineType } from './lib/timeline/saved_object_mappings'; -import { - type as ruleStatusType, - ruleAssetType, -} from './lib/detection_engine/rules/saved_object_mappings'; +// eslint-disable-next-line no-restricted-imports +import { legacyRuleStatusType } from './lib/detection_engine/rules/legacy_rule_status/legacy_rule_status_saved_object_mappings'; +import { ruleAssetType } from './lib/detection_engine/rules/rule_asset/rule_asset_saved_object_mappings'; // eslint-disable-next-line no-restricted-imports import { legacyType as legacyRuleActionsType } from './lib/detection_engine/rule_actions/legacy_saved_object_mappings'; import { type as signalsMigrationType } from './lib/detection_engine/migrations/saved_objects'; @@ -24,7 +23,7 @@ const types = [ noteType, pinnedEventType, legacyRuleActionsType, - ruleStatusType, + legacyRuleStatusType, ruleAssetType, timelineType, exceptionsArtifactType, diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index d67126fdad4bb..0445d9de0634e 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -19021,14 +19021,11 @@ "xpack.osquery.addSavedQuery.form.saveQueryButtonLabel": "クエリを保存", "xpack.osquery.addSavedQuery.pageTitle": "保存されたクエリの追加", "xpack.osquery.addSavedQuery.viewSavedQueriesListTitle": "すべての保存されたクエリを表示", - "xpack.osquery.addScheduledQueryGroup.pageTitle": "スケジュールされたクエリグループを追加", - "xpack.osquery.addScheduledQueryGroup.viewScheduledQueryGroupsListTitle": "すべてのスケジュールされたクエリグループを表示", "xpack.osquery.agent_groups.fetchError": "エージェントグループの取得中にエラーが発生しました", "xpack.osquery.agent_policies.fetchError": "エージェントポリシーの取得中にエラーが発生しました", "xpack.osquery.agent_policy_details.fetchError": "エージェントポリシー詳細の取得中にエラーが発生しました", "xpack.osquery.agent_status.fetchError": "エージェントステータスの取得中にエラーが発生しました", "xpack.osquery.agentDetails.fetchError": "エージェント詳細の取得中にエラーが発生しました", - "xpack.osquery.agentPolicy.confirmModalCalloutDescription": "選択されたエージェントポリシー {policyName} が一部のエージェントですでに使用されていることを Fleet が検出しました。このアクションの結果として、Fleetはこのポリシーで使用されているすべてのエージェントに更新をデプロイします。", "xpack.osquery.agentPolicy.confirmModalCancelButtonLabel": "キャンセル", "xpack.osquery.agentPolicy.confirmModalConfirmButtonLabel": "変更を保存してデプロイ", "xpack.osquery.agentPolicy.confirmModalDescription": "続行していいですか?", @@ -19047,17 +19044,13 @@ "xpack.osquery.appNavigation.liveQueriesLinkText": "ライブクエリ", "xpack.osquery.appNavigation.manageIntegrationButton": "統合を管理", "xpack.osquery.appNavigation.savedQueriesLinkText": "保存されたクエリ", - "xpack.osquery.appNavigation.scheduledQueryGroupsLinkText": "スケジュールされたクエリグループ", "xpack.osquery.appNavigation.sendFeedbackButton": "フィードバックを送信", - "xpack.osquery.breadcrumbs.addScheduledQueryGroupsPageTitle": "追加", "xpack.osquery.breadcrumbs.appTitle": "Osquery", - "xpack.osquery.breadcrumbs.editScheduledQueryGroupsPageTitle": "編集", "xpack.osquery.breadcrumbs.liveQueriesPageTitle": "ライブクエリ", "xpack.osquery.breadcrumbs.newLiveQueryPageTitle": "新規", "xpack.osquery.breadcrumbs.newSavedQueryPageTitle": "新規", "xpack.osquery.breadcrumbs.overviewPageTitle": "概要", "xpack.osquery.breadcrumbs.savedQueriesPageTitle": "保存されたクエリ", - "xpack.osquery.breadcrumbs.scheduledQueryGroupsPageTitle": "スケジュールされたクエリグループ", "xpack.osquery.common.tabBetaBadgeLabel": "ベータ", "xpack.osquery.common.tabBetaBadgeTooltipContent": "この機能は現在開発中です。他にも機能が追加され、機能によっては変更されるものもあります。", "xpack.osquery.editSavedQuery.deleteSavedQueryButtonLabel": "クエリを削除", @@ -19067,16 +19060,12 @@ "xpack.osquery.editSavedQuery.pageTitle": "Edit \"{savedQueryId}\"", "xpack.osquery.editSavedQuery.successToastMessageText": "\"{savedQueryName}\"クエリが正常に更新されました", "xpack.osquery.editSavedQuery.viewSavedQueriesListTitle": "すべての保存されたクエリを表示", - "xpack.osquery.editScheduledQuery.pageTitle": "{queryName}を編集", - "xpack.osquery.editScheduledQuery.viewScheduledQueriesListTitle": "{queryName}詳細を表示", "xpack.osquery.features.liveQueriesSubFeatureName": "ライブクエリ", "xpack.osquery.features.osqueryFeatureName": "Osquery", "xpack.osquery.features.runSavedQueriesPrivilegeName": "保存されたクエリを実行", "xpack.osquery.features.savedQueriesSubFeatureName": "保存されたクエリ", - "xpack.osquery.features.scheduledQueryGroupsSubFeatureName": "スケジュールされたクエリグループ", "xpack.osquery.fleetIntegration.runLiveQueriesButtonText": "ライブクエリを実行", "xpack.osquery.fleetIntegration.saveIntegrationCalloutTitle": "次のオプションにアクセスするには、統合を保存します", - "xpack.osquery.fleetIntegration.scheduleQueryGroupsButtonText": "クエリグループをスケジュール", "xpack.osquery.liveQueriesHistory.newLiveQueryButtonLabel": "新しいライブクエリ", "xpack.osquery.liveQueriesHistory.pageTitle": "ライブクエリ履歴", "xpack.osquery.liveQuery.queryForm.largeQueryError": "クエリが大きすぎます(最大{maxLength}文字)", @@ -19117,13 +19106,13 @@ "xpack.osquery.packUploader.unsupportedFileTypeText": "ファイルタイプ{fileType}はサポートされていません。{supportedFileTypes}構成ファイルをアップロードしてください", "xpack.osquery.permissionDeniedErrorMessage": "このページへのアクセスが許可されていません。", "xpack.osquery.permissionDeniedErrorTitle": "パーミッションが拒否されました", + "xpack.osquery.queryFlyoutForm.addFormTitle": "次のクエリを関連付ける", + "xpack.osquery.queryFlyoutForm.editFormTitle": "クエリの編集", "xpack.osquery.results.errorSearchDescription": "すべての結果検索でエラーが発生しました", "xpack.osquery.results.failSearchDescription": "結果を取得できませんでした", "xpack.osquery.results.fetchError": "結果の取得中にエラーが発生しました", "xpack.osquery.savedQueries.dropdown.searchFieldLabel": "保存されたクエリから構築(任意)", "xpack.osquery.savedQueries.dropdown.searchFieldPlaceholder": "保存されたクエリの検索", - "xpack.osquery.savedQueries.form.scheduledQueryGroupConfigSection.description": "次のリストのオプションは任意であり、クエリがスケジュールされたクエリグループに割り当てられるときにのみ適用されます。", - "xpack.osquery.savedQueries.form.scheduledQueryGroupConfigSection.title": "スケジュールされたクエリグループ構成", "xpack.osquery.savedQueries.table.actionsColumnTitle": "アクション", "xpack.osquery.savedQueries.table.createdByColumnTitle": "作成者", "xpack.osquery.savedQueries.table.descriptionColumnTitle": "説明", @@ -19134,73 +19123,6 @@ "xpack.osquery.savedQueryList.pageTitle": "保存されたクエリ", "xpack.osquery.savedQueryList.queriesTable.editActionAriaLabel": "{savedQueryName}を編集", "xpack.osquery.savedQueryList.queriesTable.runActionAriaLabel": "{savedQueryName}を実行", - "xpack.osquery.scheduledQueryDetails.pageTitle": "{queryName}詳細", - "xpack.osquery.scheduledQueryDetails.viewAllScheduledQueriesListTitle": "すべてのスケジュールされたクエリグループを表示", - "xpack.osquery.scheduledQueryDetailsPage.editQueryButtonLabel": "編集", - "xpack.osquery.scheduledQueryGroup.form.agentPolicyFieldLabel": "エージェントポリシー", - "xpack.osquery.scheduledQueryGroup.form.cancelButtonLabel": "キャンセル", - "xpack.osquery.scheduledQueryGroup.form.createSuccessToastMessageText": "正常に{scheduledQueryGroupName}をスケジュールしました", - "xpack.osquery.scheduledQueryGroup.form.descriptionFieldLabel": "説明", - "xpack.osquery.scheduledQueryGroup.form.ecsMappingSection.description": "次のフィールドを使用して、このクエリの結果をiECSフィールドにマッピングします。", - "xpack.osquery.scheduledQueryGroup.form.ecsMappingSection.title": "ECSマッピング", - "xpack.osquery.scheduledQueryGroup.form.nameFieldLabel": "名前", - "xpack.osquery.scheduledQueryGroup.form.nameFieldRequiredErrorMessage": "名前は必須フィールドです", - "xpack.osquery.scheduledQueryGroup.form.namespaceFieldLabel": "名前空間", - "xpack.osquery.scheduledQueryGroup.form.policyIdFieldRequiredErrorMessage": "エージェントポリシーは必須フィールドです", - "xpack.osquery.scheduledQueryGroup.form.saveQueryButtonLabel": "クエリを保存", - "xpack.osquery.scheduledQueryGroup.form.settingsSectionDescriptionText": "スケジュールされたクエリグループには、設定された間隔で実行され、エージェントポリシーに関連付けられている1つ以上のクエリが含まれています。スケジュールされたクエリグループを定義するときには、新しいOsquery Managerポリシーとして追加されます。", - "xpack.osquery.scheduledQueryGroup.form.settingsSectionTitleText": "スケジュールされたクエリグループ設定", - "xpack.osquery.scheduledQueryGroup.form.updateSuccessToastMessageText": "正常に{scheduledQueryGroupName}を更新しました", - "xpack.osquery.scheduledQueryGroup.queriesForm.addQueryButtonLabel": "クエリを追加", - "xpack.osquery.scheduledQueryGroup.queriesTable.actionsColumnTitle": "アクション", - "xpack.osquery.scheduledQueryGroup.queriesTable.deleteActionAriaLabel": "{queryName}を削除", - "xpack.osquery.scheduledQueryGroup.queriesTable.editActionAriaLabel": "{queryName}を編集", - "xpack.osquery.scheduledQueryGroup.queriesTable.idColumnTitle": "ID", - "xpack.osquery.scheduledQueryGroup.queriesTable.intervalColumnTitle": "間隔", - "xpack.osquery.scheduledQueryGroup.queriesTable.osqueryVersionAllLabel": "すべて", - "xpack.osquery.scheduledQueryGroup.queriesTable.platformColumnTitle": "プラットフォーム", - "xpack.osquery.scheduledQueryGroup.queriesTable.queryColumnTitle": "クエリ", - "xpack.osquery.scheduledQueryGroup.queriesTable.versionColumnTitle": "最低Osqueryバージョン", - "xpack.osquery.scheduledQueryGroup.queriesTable.viewDiscoverResultsActionAriaLabel": "Discoverに表示", - "xpack.osquery.scheduledQueryGroup.queriesTable.viewLensResultsActionAriaLabel": "Lensで表示", - "xpack.osquery.scheduledQueryGroup.queriesTable.viewResultsColumnTitle": "結果を表示", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.addECSMappingRowButtonAriaLabel": "ECSマッピング行を追加", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.cancelButtonLabel": "キャンセル", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.deleteECSMappingRowButtonAriaLabel": "ECSマッピング行を削除", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.descriptionFieldLabel": "説明", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.ecsFieldLabel": "ECSフィールド", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.ecsFieldRequiredErrorMessage": "ECSフィールドは必須です。", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.emptyIdError": "IDが必要です", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.emptyQueryError": "クエリは必須フィールドです", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.idFieldLabel": "ID", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.intervalFieldLabel": "間隔", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.invalidIdError": "文字は英数字、_、または-でなければなりません", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.invalidIntervalField": "正の間隔値が必要です", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldLabel": "Osquery結果", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldRequiredErrorMessage": "Osquery結果は必須です。", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldValueMissingErrorMessage": "現在のクエリは{columnName}フィールドを返しません", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformFieldLabel": "プラットフォーム", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformLinusLabel": "macOS", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformMacOSLabel": "Linux", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformWindowsLabel": "Windows", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.queryFieldLabel": "クエリ", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.saveButtonLabel": "保存", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.uniqueIdError": "IDは一意でなければなりません", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.versionFieldLabel": "最低Osqueryバージョン", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.versionFieldOptionalLabel": "(オプション)", - "xpack.osquery.scheduledQueryGroup.table.activatedSuccessToastMessageText": "正常に{scheduledQueryGroupName}をアクティブ化しました", - "xpack.osquery.scheduledQueryGroup.table.deactivatedSuccessToastMessageText": "正常に{scheduledQueryGroupName}を非アクティブ化しました", - "xpack.osquery.scheduledQueryGroups.table.activeColumnTitle": "アクティブ", - "xpack.osquery.scheduledQueryGroups.table.createdByColumnTitle": "作成者", - "xpack.osquery.scheduledQueryGroups.table.nameColumnTitle": "名前", - "xpack.osquery.scheduledQueryGroups.table.numberOfQueriesColumnTitle": "クエリ数", - "xpack.osquery.scheduledQueryGroups.table.policyColumnTitle": "ポリシー", - "xpack.osquery.scheduledQueryList.addScheduledQueryButtonLabel": "スケジュールされたクエリグループを追加", - "xpack.osquery.scheduledQueryList.pageTitle": "スケジュールされたクエリグループ", - "xpack.osquery.scheduleQueryGroup.kpis.policyLabelText": "ポリシー", - "xpack.osquery.scheduleQueryGroup.queryFlyoutForm.addFormTitle": "次のクエリを関連付ける", - "xpack.osquery.scheduleQueryGroup.queryFlyoutForm.editFormTitle": "クエリの編集", - "xpack.osquery.scheduleQueryGroup.queryFlyoutForm.unsupportedPlatformAndVersionFieldsCalloutTitle": "プラットフォームおよびバージョンフィールドは{version}以降で使用できます", "xpack.osquery.viewSavedQuery.pageTitle": "\"{savedQueryId}\" details", "xpack.painlessLab.apiReferenceButtonLabel": "API リファレンス", "xpack.painlessLab.context.defaultLabel": "スクリプト結果は文字列に変換されます", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index 598a5c24bdee2..210392d11514e 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -19296,14 +19296,11 @@ "xpack.osquery.addSavedQuery.form.saveQueryButtonLabel": "保存查询", "xpack.osquery.addSavedQuery.pageTitle": "添加已保存查询", "xpack.osquery.addSavedQuery.viewSavedQueriesListTitle": "查看所有已保存查询", - "xpack.osquery.addScheduledQueryGroup.pageTitle": "添加已计划查询组", - "xpack.osquery.addScheduledQueryGroup.viewScheduledQueryGroupsListTitle": "查看所有已计划查询组", "xpack.osquery.agent_groups.fetchError": "提取代理组时出错", "xpack.osquery.agent_policies.fetchError": "提取代理策略时出错", "xpack.osquery.agent_policy_details.fetchError": "提取代理策略详情时出错", "xpack.osquery.agent_status.fetchError": "提取代理状态时出错", "xpack.osquery.agentDetails.fetchError": "提取代理详细信息时出错", - "xpack.osquery.agentPolicy.confirmModalCalloutDescription": "Fleet 检测到您的部分代理已在使用选定代理策略 {policyName}。由于此操作,Fleet 会将更新部署到使用此策略的所有代理。", "xpack.osquery.agentPolicy.confirmModalCalloutTitle": "此操作将更新 {agentCount, plural, other {# 个代理}}", "xpack.osquery.agentPolicy.confirmModalCancelButtonLabel": "取消", "xpack.osquery.agentPolicy.confirmModalConfirmButtonLabel": "保存并部署更改", @@ -19323,17 +19320,13 @@ "xpack.osquery.appNavigation.liveQueriesLinkText": "实时查询", "xpack.osquery.appNavigation.manageIntegrationButton": "管理集成", "xpack.osquery.appNavigation.savedQueriesLinkText": "已保存查询", - "xpack.osquery.appNavigation.scheduledQueryGroupsLinkText": "已计划查询组", "xpack.osquery.appNavigation.sendFeedbackButton": "发送反馈", - "xpack.osquery.breadcrumbs.addScheduledQueryGroupsPageTitle": "添加", "xpack.osquery.breadcrumbs.appTitle": "Osquery", - "xpack.osquery.breadcrumbs.editScheduledQueryGroupsPageTitle": "编辑", "xpack.osquery.breadcrumbs.liveQueriesPageTitle": "实时查询", "xpack.osquery.breadcrumbs.newLiveQueryPageTitle": "新建", "xpack.osquery.breadcrumbs.newSavedQueryPageTitle": "新建", "xpack.osquery.breadcrumbs.overviewPageTitle": "概览", "xpack.osquery.breadcrumbs.savedQueriesPageTitle": "已保存查询", - "xpack.osquery.breadcrumbs.scheduledQueryGroupsPageTitle": "已计划查询组", "xpack.osquery.common.tabBetaBadgeLabel": "公测版", "xpack.osquery.common.tabBetaBadgeTooltipContent": "我们正在开发此功能。将会有更多的功能,某些功能可能有变更。", "xpack.osquery.createScheduledQuery.agentPolicyAgentsCountText": "{count, plural, other {# 个代理}}已注册", @@ -19344,16 +19337,12 @@ "xpack.osquery.editSavedQuery.pageTitle": "编辑“{savedQueryId}”", "xpack.osquery.editSavedQuery.successToastMessageText": "已成功更新“{savedQueryName}”查询", "xpack.osquery.editSavedQuery.viewSavedQueriesListTitle": "查看所有已保存查询", - "xpack.osquery.editScheduledQuery.pageTitle": "编辑 {queryName}", - "xpack.osquery.editScheduledQuery.viewScheduledQueriesListTitle": "查看 {queryName} 详细信息", "xpack.osquery.features.liveQueriesSubFeatureName": "实时查询", "xpack.osquery.features.osqueryFeatureName": "Osquery", "xpack.osquery.features.runSavedQueriesPrivilegeName": "运行已保存查询", "xpack.osquery.features.savedQueriesSubFeatureName": "已保存查询", - "xpack.osquery.features.scheduledQueryGroupsSubFeatureName": "已计划查询组", "xpack.osquery.fleetIntegration.runLiveQueriesButtonText": "运行实时查询", "xpack.osquery.fleetIntegration.saveIntegrationCalloutTitle": "保存用于访问如下选项的集成", - "xpack.osquery.fleetIntegration.scheduleQueryGroupsButtonText": "计划查询组", "xpack.osquery.liveQueriesHistory.newLiveQueryButtonLabel": "新建实时查询", "xpack.osquery.liveQueriesHistory.pageTitle": "实时查询历史记录", "xpack.osquery.liveQuery.queryForm.largeQueryError": "查询过大(最多 {maxLength} 个字符)", @@ -19395,14 +19384,14 @@ "xpack.osquery.packUploader.unsupportedFileTypeText": "文件类型 {fileType} 不受支持,请上传 {supportedFileTypes} 配置文件", "xpack.osquery.permissionDeniedErrorMessage": "您无权访问此页面。", "xpack.osquery.permissionDeniedErrorTitle": "权限被拒绝", + "xpack.osquery.queryFlyoutForm.addFormTitle": "附加下一个查询", + "xpack.osquery.queryFlyoutForm.editFormTitle": "编辑查询", "xpack.osquery.results.errorSearchDescription": "搜索所有结果时发生错误", "xpack.osquery.results.failSearchDescription": "无法获取结果", "xpack.osquery.results.fetchError": "提取结果时出错", "xpack.osquery.results.multipleAgentsResponded": "{agentsResponded, plural, other {# 个代理已}}响应,未报告任何 osquery 数据。", "xpack.osquery.savedQueries.dropdown.searchFieldLabel": "从已保存查询构建(可选)", "xpack.osquery.savedQueries.dropdown.searchFieldPlaceholder": "搜索已保存查询", - "xpack.osquery.savedQueries.form.scheduledQueryGroupConfigSection.description": "下面所列选项是可选的,只在查询分配给已计划查询组时应用。", - "xpack.osquery.savedQueries.form.scheduledQueryGroupConfigSection.title": "已计划查询组配置", "xpack.osquery.savedQueries.table.actionsColumnTitle": "操作", "xpack.osquery.savedQueries.table.createdByColumnTitle": "创建者", "xpack.osquery.savedQueries.table.descriptionColumnTitle": "描述", @@ -19413,74 +19402,6 @@ "xpack.osquery.savedQueryList.pageTitle": "已保存查询", "xpack.osquery.savedQueryList.queriesTable.editActionAriaLabel": "编辑 {savedQueryName}", "xpack.osquery.savedQueryList.queriesTable.runActionAriaLabel": "运行 {savedQueryName}", - "xpack.osquery.scheduledQueryDetails.pageTitle": "{queryName} 详细信息", - "xpack.osquery.scheduledQueryDetails.viewAllScheduledQueriesListTitle": "查看所有已计划查询组", - "xpack.osquery.scheduledQueryDetailsPage.editQueryButtonLabel": "编辑", - "xpack.osquery.scheduledQueryGroup.form.agentPolicyFieldLabel": "代理策略", - "xpack.osquery.scheduledQueryGroup.form.cancelButtonLabel": "取消", - "xpack.osquery.scheduledQueryGroup.form.createSuccessToastMessageText": "已成功计划 {scheduledQueryGroupName}", - "xpack.osquery.scheduledQueryGroup.form.descriptionFieldLabel": "描述", - "xpack.osquery.scheduledQueryGroup.form.ecsMappingSection.description": "使用下面的字段将此查询的结果映射到 ECS 字段。", - "xpack.osquery.scheduledQueryGroup.form.ecsMappingSection.title": "ECS 映射", - "xpack.osquery.scheduledQueryGroup.form.nameFieldLabel": "名称", - "xpack.osquery.scheduledQueryGroup.form.nameFieldRequiredErrorMessage": "“名称”是必填字段", - "xpack.osquery.scheduledQueryGroup.form.namespaceFieldLabel": "命名空间", - "xpack.osquery.scheduledQueryGroup.form.policyIdFieldRequiredErrorMessage": "“代理策略”是必填字段", - "xpack.osquery.scheduledQueryGroup.form.saveQueryButtonLabel": "保存查询", - "xpack.osquery.scheduledQueryGroup.form.settingsSectionDescriptionText": "已计划查询组包含一个或多个以设置的时间间隔运行且与代理策略关联的查询。定义已计划查询组时,其将添加为新的 Osquery Manager 策略。", - "xpack.osquery.scheduledQueryGroup.form.settingsSectionTitleText": "已计划查询组设置", - "xpack.osquery.scheduledQueryGroup.form.updateSuccessToastMessageText": "已成功更新 {scheduledQueryGroupName}", - "xpack.osquery.scheduledQueryGroup.queriesForm.addQueryButtonLabel": "添加查询", - "xpack.osquery.scheduledQueryGroup.queriesTable.actionsColumnTitle": "操作", - "xpack.osquery.scheduledQueryGroup.queriesTable.deleteActionAriaLabel": "删除 {queryName}", - "xpack.osquery.scheduledQueryGroup.queriesTable.editActionAriaLabel": "编辑 {queryName}", - "xpack.osquery.scheduledQueryGroup.queriesTable.idColumnTitle": "ID", - "xpack.osquery.scheduledQueryGroup.queriesTable.intervalColumnTitle": "时间间隔 (s)", - "xpack.osquery.scheduledQueryGroup.queriesTable.osqueryVersionAllLabel": "全部", - "xpack.osquery.scheduledQueryGroup.queriesTable.platformColumnTitle": "平台", - "xpack.osquery.scheduledQueryGroup.queriesTable.queryColumnTitle": "查询", - "xpack.osquery.scheduledQueryGroup.queriesTable.versionColumnTitle": "最低 Osquery 版本", - "xpack.osquery.scheduledQueryGroup.queriesTable.viewDiscoverResultsActionAriaLabel": "在 Discover 中查看", - "xpack.osquery.scheduledQueryGroup.queriesTable.viewLensResultsActionAriaLabel": "在 Lens 中查看", - "xpack.osquery.scheduledQueryGroup.queriesTable.viewResultsColumnTitle": "查看结果", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.addECSMappingRowButtonAriaLabel": "添加 ECS 映射行", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.cancelButtonLabel": "取消", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.deleteECSMappingRowButtonAriaLabel": "删除 ECS 映射行", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.descriptionFieldLabel": "描述", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.ecsFieldLabel": "ECS 字段", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.ecsFieldRequiredErrorMessage": "ECS 字段必填。", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.emptyIdError": "“ID”必填", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.emptyQueryError": "“查询”是必填字段", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.idFieldLabel": "ID", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.intervalFieldLabel": "时间间隔 (s)", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.invalidIdError": "字符必须是数字字母、_ 或 -", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.invalidIntervalField": "时间间隔值必须为正数", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldLabel": "Osquery 结果", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldRequiredErrorMessage": "Osquery 结果必填。", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.osqueryResultFieldValueMissingErrorMessage": "当前查询不返回 {columnName} 字段", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformFieldLabel": "平台", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformLinusLabel": "macOS", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformMacOSLabel": "Linux", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.platformWindowsLabel": "Windows", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.queryFieldLabel": "查询", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.saveButtonLabel": "保存", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.uniqueIdError": "ID 必须唯一", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.versionFieldLabel": "最低 Osquery 版本", - "xpack.osquery.scheduledQueryGroup.queryFlyoutForm.versionFieldOptionalLabel": "(可选)", - "xpack.osquery.scheduledQueryGroup.table.activatedSuccessToastMessageText": "已成功激活 {scheduledQueryGroupName}", - "xpack.osquery.scheduledQueryGroup.table.deactivatedSuccessToastMessageText": "已成功停用 {scheduledQueryGroupName}", - "xpack.osquery.scheduledQueryGroup.table.deleteQueriesButtonLabel": "删除 {queriesCount, plural, other {# 个查询}}", - "xpack.osquery.scheduledQueryGroups.table.activeColumnTitle": "活动", - "xpack.osquery.scheduledQueryGroups.table.createdByColumnTitle": "创建者", - "xpack.osquery.scheduledQueryGroups.table.nameColumnTitle": "名称", - "xpack.osquery.scheduledQueryGroups.table.numberOfQueriesColumnTitle": "查询数目", - "xpack.osquery.scheduledQueryGroups.table.policyColumnTitle": "策略", - "xpack.osquery.scheduledQueryList.addScheduledQueryButtonLabel": "添加已计划查询组", - "xpack.osquery.scheduledQueryList.pageTitle": "已计划查询组", - "xpack.osquery.scheduleQueryGroup.kpis.policyLabelText": "策略", - "xpack.osquery.scheduleQueryGroup.queryFlyoutForm.addFormTitle": "附加下一个查询", - "xpack.osquery.scheduleQueryGroup.queryFlyoutForm.editFormTitle": "编辑查询", - "xpack.osquery.scheduleQueryGroup.queryFlyoutForm.unsupportedPlatformAndVersionFieldsCalloutTitle": "{version} 提供平台和版本字段", "xpack.osquery.viewSavedQuery.pageTitle": "“{savedQueryId}”详细信息", "xpack.painlessLab.apiReferenceButtonLabel": "API 参考", "xpack.painlessLab.context.defaultLabel": "脚本结果将转换成字符串", diff --git a/x-pack/plugins/uptime/kibana.json b/x-pack/plugins/uptime/kibana.json index 3124324d90389..409436d734011 100644 --- a/x-pack/plugins/uptime/kibana.json +++ b/x-pack/plugins/uptime/kibana.json @@ -14,6 +14,7 @@ "requiredPlugins": [ "alerting", "embeddable", + "inspector", "features", "licensing", "triggersActionsUi", diff --git a/x-pack/plugins/uptime/public/apps/plugin.ts b/x-pack/plugins/uptime/public/apps/plugin.ts index ed936fe164983..124de9a60110c 100644 --- a/x-pack/plugins/uptime/public/apps/plugin.ts +++ b/x-pack/plugins/uptime/public/apps/plugin.ts @@ -42,6 +42,7 @@ import { LazySyntheticsPolicyEditExtension, } from '../components/fleet_package'; import { LazySyntheticsCustomAssetsExtension } from '../components/fleet_package/lazy_synthetics_custom_assets_extension'; +import { Start as InspectorPluginStart } from '../../../../../src/plugins/inspector/public'; export interface ClientPluginsSetup { data: DataPublicPluginSetup; @@ -56,6 +57,7 @@ export interface ClientPluginsStart { triggersActionsUi: TriggersAndActionsUIPublicPluginStart; fleet?: FleetStart; observability: ObservabilityPublicStart; + inspector: InspectorPluginStart; } export interface UptimePluginServices extends Partial { diff --git a/x-pack/plugins/uptime/public/apps/uptime_app.tsx b/x-pack/plugins/uptime/public/apps/uptime_app.tsx index 73f228f621540..991657f258029 100644 --- a/x-pack/plugins/uptime/public/apps/uptime_app.tsx +++ b/x-pack/plugins/uptime/public/apps/uptime_app.tsx @@ -33,6 +33,7 @@ import { ActionMenu } from '../components/common/header/action_menu'; import { EuiThemeProvider } from '../../../../../src/plugins/kibana_react/common'; import { Storage } from '../../../../../src/plugins/kibana_utils/public'; import { UptimeIndexPatternContextProvider } from '../contexts/uptime_index_pattern_context'; +import { InspectorContextProvider } from '../../../observability/public'; export interface UptimeAppColors { danger: string; @@ -110,6 +111,7 @@ const Application = (props: UptimeAppProps) => { ...plugins, storage, data: startPlugins.data, + inspector: startPlugins.inspector, triggersActionsUi: startPlugins.triggersActionsUi, observability: startPlugins.observability, }} @@ -126,9 +128,11 @@ const Application = (props: UptimeAppProps) => { className={APP_WRAPPER_CLASS} application={core.application} > - - - + + + + + diff --git a/x-pack/plugins/uptime/public/apps/uptime_page_template.tsx b/x-pack/plugins/uptime/public/apps/uptime_page_template.tsx index 817bbf9bedcb1..c6eaeb78a7c1e 100644 --- a/x-pack/plugins/uptime/public/apps/uptime_page_template.tsx +++ b/x-pack/plugins/uptime/public/apps/uptime_page_template.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import React, { useMemo } from 'react'; +import React, { useEffect, useMemo } from 'react'; import styled from 'styled-components'; import { EuiPageHeaderProps } from '@elastic/eui'; import { CERTIFICATES_ROUTE, OVERVIEW_ROUTE } from '../../common/constants'; @@ -15,6 +15,7 @@ import { useNoDataConfig } from './use_no_data_config'; import { EmptyStateLoading } from '../components/overview/empty_state/empty_state_loading'; import { EmptyStateError } from '../components/overview/empty_state/empty_state_error'; import { useHasData } from '../components/overview/empty_state/use_has_data'; +import { useInspectorContext } from '../../../observability/public'; interface Props { path: string; @@ -39,6 +40,11 @@ export const UptimePageTemplateComponent: React.FC = ({ path, pageHeader, const noDataConfig = useNoDataConfig(); const { loading, error, data } = useHasData(); + const { inspectorAdapters } = useInspectorContext(); + + useEffect(() => { + inspectorAdapters.requests.reset(); + }, [inspectorAdapters.requests]); if (error) { return ; diff --git a/x-pack/plugins/uptime/public/components/certificates/use_cert_search.ts b/x-pack/plugins/uptime/public/components/certificates/use_cert_search.ts index 22531faff2da1..c4379e550b47a 100644 --- a/x-pack/plugins/uptime/public/components/certificates/use_cert_search.ts +++ b/x-pack/plugins/uptime/public/components/certificates/use_cert_search.ts @@ -7,7 +7,7 @@ import { useSelector } from 'react-redux'; import { useContext } from 'react'; -import { useEsSearch, createEsParams } from '../../../../observability/public'; +import { createEsParams, useEsSearch } from '../../../../observability/public'; import { CertResult, GetCertsParams, Ping } from '../../../common/runtime_types'; @@ -48,13 +48,13 @@ export const useCertSearch = ({ body: searchBody, }); - const { data: result, loading } = useEsSearch(esParams, [ - settings.settings?.heartbeatIndices, - size, - pageIndex, - lastRefresh, - search, - ]); + const { data: result, loading } = useEsSearch( + esParams, + [settings.settings?.heartbeatIndices, size, pageIndex, lastRefresh, search], + { + name: 'getTLSCertificates', + } + ); return result ? { ...processCertsResult(result), loading } : { certs: [], total: 0, loading }; }; diff --git a/x-pack/plugins/uptime/public/components/common/header/action_menu_content.tsx b/x-pack/plugins/uptime/public/components/common/header/action_menu_content.tsx index c459fe46da975..21ef3428696e9 100644 --- a/x-pack/plugins/uptime/public/components/common/header/action_menu_content.tsx +++ b/x-pack/plugins/uptime/public/components/common/header/action_menu_content.tsx @@ -18,6 +18,7 @@ import { useGetUrlParams } from '../../../hooks'; import { ToggleAlertFlyoutButton } from '../../overview/alerts/alerts_containers'; import { SETTINGS_ROUTE } from '../../../../common/constants'; import { stringifyUrlParams } from '../../../lib/helper/stringify_url_params'; +import { InspectorHeaderLink } from './inspector_header_link'; import { monitorStatusSelector } from '../../../state/selectors'; const ADD_DATA_LABEL = i18n.translate('xpack.uptime.addDataButtonLabel', { @@ -107,6 +108,7 @@ export function ActionMenuContent(): React.ReactElement { > {ADD_DATA_LABEL} + ); } diff --git a/x-pack/plugins/uptime/public/components/common/header/inspector_header_link.tsx b/x-pack/plugins/uptime/public/components/common/header/inspector_header_link.tsx new file mode 100644 index 0000000000000..8f787512aaf9d --- /dev/null +++ b/x-pack/plugins/uptime/public/components/common/header/inspector_header_link.tsx @@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiHeaderLink } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import React from 'react'; +import { useKibana } from '../../../../../../../src/plugins/kibana_react/public'; +import { enableInspectEsQueries, useInspectorContext } from '../../../../../observability/public'; +import { ClientPluginsStart } from '../../../apps/plugin'; + +export function InspectorHeaderLink() { + const { + services: { inspector, uiSettings }, + } = useKibana(); + + const { inspectorAdapters } = useInspectorContext(); + + const isInspectorEnabled = uiSettings?.get(enableInspectEsQueries); + + const inspect = () => { + inspector.open(inspectorAdapters); + }; + + if (!isInspectorEnabled) { + return null; + } + + return ( + + {i18n.translate('xpack.uptime.inspectButtonText', { + defaultMessage: 'Inspect', + })} + + ); +} diff --git a/x-pack/plugins/uptime/public/components/monitor/ml/ml_flyout.test.tsx b/x-pack/plugins/uptime/public/components/monitor/ml/ml_flyout.test.tsx index d066bf416e083..29c4a852e208b 100644 --- a/x-pack/plugins/uptime/public/components/monitor/ml/ml_flyout.test.tsx +++ b/x-pack/plugins/uptime/public/components/monitor/ml/ml_flyout.test.tsx @@ -33,6 +33,7 @@ describe('ML Flyout component', () => { spy1.mockReturnValue(false); const value = { + isDevMode: true, basePath: '', dateRangeStart: DATE_RANGE_START, dateRangeEnd: DATE_RANGE_END, @@ -48,6 +49,7 @@ describe('ML Flyout component', () => { onClose={onClose} canCreateMLJob={true} /> + uptime/public/state/api/utils.ts ); @@ -57,6 +59,7 @@ describe('ML Flyout component', () => { it('able to create job if valid license is available', async () => { const value = { + isDevMode: true, basePath: '', dateRangeStart: DATE_RANGE_START, dateRangeEnd: DATE_RANGE_END, diff --git a/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.test.tsx b/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.test.tsx index 8b23d867572f3..441ede99fd8b4 100644 --- a/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.test.tsx +++ b/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.test.tsx @@ -87,7 +87,8 @@ describe('useStepWaterfallMetrics', () => { }, index: 'heartbeat-*', }, - ['heartbeat-*', '44D-444FFF-444-FFF-3333', true] + ['heartbeat-*', '44D-444FFF-444-FFF-3333', true], + { name: 'getWaterfallStepMetrics' } ); expect(result.current).toEqual({ loading: false, diff --git a/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.ts b/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.ts index cf60f6d7d5567..ad2762826c91f 100644 --- a/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.ts +++ b/x-pack/plugins/uptime/public/components/monitor/synthetics/step_detail/use_step_waterfall_metrics.ts @@ -57,7 +57,10 @@ export const useStepWaterfallMetrics = ({ checkGroup, hasNavigationRequest, step }, }) : {}, - [heartbeatIndices, checkGroup, hasNavigationRequest] + [heartbeatIndices, checkGroup, hasNavigationRequest], + { + name: 'getWaterfallStepMetrics', + } ); if (!hasNavigationRequest) { diff --git a/x-pack/plugins/uptime/public/components/overview/filter_group/filter_group.tsx b/x-pack/plugins/uptime/public/components/overview/filter_group/filter_group.tsx index 3980b4bf9d3da..835cbb8060142 100644 --- a/x-pack/plugins/uptime/public/components/overview/filter_group/filter_group.tsx +++ b/x-pack/plugins/uptime/public/components/overview/filter_group/filter_group.tsx @@ -8,9 +8,10 @@ import React, { useCallback, useState } from 'react'; import { EuiFilterGroup } from '@elastic/eui'; import styled from 'styled-components'; +import { capitalize } from 'lodash'; import { useFilterUpdate } from '../../../hooks/use_filter_update'; import { useSelectedFilters } from '../../../hooks/use_selected_filters'; -import { FieldValueSuggestions } from '../../../../../observability/public'; +import { FieldValueSuggestions, useInspectorContext } from '../../../../../observability/public'; import { SelectedFilters } from './selected_filters'; import { useIndexPattern } from '../../../contexts/uptime_index_pattern_context'; import { useGetUrlParams } from '../../../hooks'; @@ -34,6 +35,8 @@ export const FilterGroup = () => { const { dateRangeStart, dateRangeEnd } = useGetUrlParams(); + const { inspectorAdapters } = useInspectorContext(); + const { filtersList } = useSelectedFilters(); const indexPattern = useIndexPattern(); @@ -67,6 +70,10 @@ export const FilterGroup = () => { filters={[]} cardinalityField="monitor.id" time={{ from: dateRangeStart, to: dateRangeEnd }} + inspector={{ + adapter: inspectorAdapters.requests, + title: 'get' + capitalize(label) + 'FilterValues', + }} /> ))} diff --git a/x-pack/plugins/uptime/public/components/overview/monitor_list/use_monitor_histogram.ts b/x-pack/plugins/uptime/public/components/overview/monitor_list/use_monitor_histogram.ts index e1ef3d9efee89..a3985fe5ccca5 100644 --- a/x-pack/plugins/uptime/public/components/overview/monitor_list/use_monitor_histogram.ts +++ b/x-pack/plugins/uptime/public/components/overview/monitor_list/use_monitor_histogram.ts @@ -37,10 +37,13 @@ export const useMonitorHistogram = ({ items }: { items: MonitorSummary[] }) => { monitorIds ); - const { data, loading } = useEsSearch(queryParams, [ - JSON.stringify(monitorIds), - lastRefresh, - ]); + const { data, loading } = useEsSearch( + queryParams, + [JSON.stringify(monitorIds), lastRefresh], + { + name: 'getMonitorDownHistory', + } + ); const histogramBuckets = data?.aggregations?.histogram.buckets ?? []; const simplified = histogramBuckets.map((histogramBucket) => { diff --git a/x-pack/plugins/uptime/public/routes.tsx b/x-pack/plugins/uptime/public/routes.tsx index 9f7310b43e556..54f2110c88bc4 100644 --- a/x-pack/plugins/uptime/public/routes.tsx +++ b/x-pack/plugins/uptime/public/routes.tsx @@ -39,6 +39,8 @@ import { StepDetailPageRightSideItem, } from './pages/synthetics/step_detail_page'; import { UptimePageTemplateComponent } from './apps/uptime_page_template'; +import { apiService } from './state/api/utils'; +import { useInspectorContext } from '../../observability/public'; interface RouteProps { path: string; @@ -178,6 +180,10 @@ const RouteInit: React.FC> = }; export const PageRouter: FC = () => { + const { addInspectorRequest } = useInspectorContext(); + + apiService.addInspectorRequest = addInspectorRequest; + return ( {Routes.map( diff --git a/x-pack/plugins/uptime/public/state/api/snapshot.test.ts b/x-pack/plugins/uptime/public/state/api/snapshot.test.ts index 6c10bd0fa3cb7..38be97d74844f 100644 --- a/x-pack/plugins/uptime/public/state/api/snapshot.test.ts +++ b/x-pack/plugins/uptime/public/state/api/snapshot.test.ts @@ -18,6 +18,7 @@ describe('snapshot API', () => { get: jest.fn(), fetch: jest.fn(), } as any; + apiService.addInspectorRequest = jest.fn(); fetchMock = jest.spyOn(apiService.http, 'fetch'); mockResponse = { up: 3, down: 12, total: 15 }; }); diff --git a/x-pack/plugins/uptime/public/state/api/utils.ts b/x-pack/plugins/uptime/public/state/api/utils.ts index 91e017292d00f..d10064f1ff7a1 100644 --- a/x-pack/plugins/uptime/public/state/api/utils.ts +++ b/x-pack/plugins/uptime/public/state/api/utils.ts @@ -9,7 +9,7 @@ import { PathReporter } from 'io-ts/lib/PathReporter'; import { isRight } from 'fp-ts/lib/Either'; import { HttpFetchQuery, HttpSetup } from 'src/core/public'; import * as t from 'io-ts'; -import { startsWith } from 'lodash'; +import { FETCH_STATUS, AddInspectorRequest } from '../../../../observability/public'; function isObject(value: unknown) { const type = typeof value; @@ -43,6 +43,7 @@ export const formatErrors = (errors: t.Errors): string[] => { class ApiService { private static instance: ApiService; private _http!: HttpSetup; + private _addInspectorRequest!: AddInspectorRequest; public get http() { return this._http; @@ -52,6 +53,14 @@ class ApiService { this._http = httpSetup; } + public get addInspectorRequest() { + return this._addInspectorRequest; + } + + public set addInspectorRequest(addInspectorRequest: AddInspectorRequest) { + this._addInspectorRequest = addInspectorRequest; + } + private constructor() {} static getInstance(): ApiService { @@ -63,15 +72,14 @@ class ApiService { } public async get(apiUrl: string, params?: HttpFetchQuery, decodeType?: any, asResponse = false) { - const debugEnabled = - sessionStorage.getItem('uptime_debug') === 'true' && startsWith(apiUrl, '/api/uptime'); - const response = await this._http!.fetch({ path: apiUrl, - query: { ...params, ...(debugEnabled ? { _inspect: true } : {}) }, + query: params, asResponse, }); + this.addInspectorRequest?.({ data: response, status: FETCH_STATUS.SUCCESS, loading: false }); + if (decodeType) { const decoded = decodeType.decode(response); if (isRight(decoded)) { diff --git a/x-pack/plugins/uptime/server/lib/lib.ts b/x-pack/plugins/uptime/server/lib/lib.ts index 9b8ea6b98c8be..eb2ad9ce21b9e 100644 --- a/x-pack/plugins/uptime/server/lib/lib.ts +++ b/x-pack/plugins/uptime/server/lib/lib.ts @@ -18,6 +18,9 @@ import { UMLicenseCheck } from './domains'; import { UptimeRequests } from './requests'; import { savedObjectsAdapter } from './saved_objects'; import { ESSearchResponse } from '../../../../../src/core/types/elasticsearch'; +import { RequestStatus } from '../../../../../src/plugins/inspector'; +import { getInspectResponse } from '../../../observability/server'; +import { InspectResponse } from '../../../observability/typings/common'; export interface UMDomainLibs { requests: UptimeRequests; @@ -45,6 +48,8 @@ export interface CountResponse { export type UptimeESClient = ReturnType; +export const inspectableEsQueriesMap = new WeakMap(); + export function createUptimeESClient({ esClient, request, @@ -59,7 +64,8 @@ export function createUptimeESClient({ return { baseESClient: esClient, async search( - params: TParams + params: TParams, + operationName?: string ): Promise<{ body: ESSearchResponse }> { let res: any; let esError: any; @@ -70,11 +76,33 @@ export function createUptimeESClient({ const esParams = { index: dynamicSettings!.heartbeatIndices, ...params }; const startTime = process.hrtime(); + const startTimeNow = Date.now(); + + let esRequestStatus: RequestStatus = RequestStatus.PENDING; + try { res = await esClient.search(esParams); + esRequestStatus = RequestStatus.OK; } catch (e) { esError = e; + esRequestStatus = RequestStatus.ERROR; } + + const inspectableEsQueries = inspectableEsQueriesMap.get(request!); + if (inspectableEsQueries) { + inspectableEsQueries.push( + getInspectResponse({ + esError, + esRequestParams: esParams, + esRequestStatus, + esResponse: res.body, + kibanaRequest: request!, + operationName: operationName ?? '', + startTime: startTimeNow, + }) + ); + } + if (_inspect && request) { debugESCall({ startTime, request, esError, operationName: 'search', params: esParams }); } diff --git a/x-pack/plugins/uptime/server/lib/requests/get_ping_histogram.ts b/x-pack/plugins/uptime/server/lib/requests/get_ping_histogram.ts index 107a0f29e55fa..600a335effe2c 100644 --- a/x-pack/plugins/uptime/server/lib/requests/get_ping_histogram.ts +++ b/x-pack/plugins/uptime/server/lib/requests/get_ping_histogram.ts @@ -87,7 +87,7 @@ export const getPingHistogram: UMElasticsearchQueryFn { diff --git a/x-pack/plugins/uptime/server/lib/requests/get_snapshot_counts.ts b/x-pack/plugins/uptime/server/lib/requests/get_snapshot_counts.ts index aef01f29f4d57..ee4e3eb96eb5a 100644 --- a/x-pack/plugins/uptime/server/lib/requests/get_snapshot_counts.ts +++ b/x-pack/plugins/uptime/server/lib/requests/get_snapshot_counts.ts @@ -43,9 +43,12 @@ export const getSnapshotCount: UMElasticsearchQueryFn => { - const { body: res } = await context.search({ - body: statusCountBody(await context.dateAndCustomFilters(), context), - }); + const { body: res } = await context.search( + { + body: statusCountBody(await context.dateAndCustomFilters(), context), + }, + 'geSnapshotCount' + ); return ( (res.aggregations?.counts?.value as Snapshot) ?? { diff --git a/x-pack/plugins/uptime/server/lib/requests/search/find_potential_matches.ts b/x-pack/plugins/uptime/server/lib/requests/search/find_potential_matches.ts index 179e9e809e59b..d0d8e61d02181 100644 --- a/x-pack/plugins/uptime/server/lib/requests/search/find_potential_matches.ts +++ b/x-pack/plugins/uptime/server/lib/requests/search/find_potential_matches.ts @@ -40,7 +40,7 @@ const query = async (queryContext: QueryContext, searchAfter: any, size: number) body, }; - const response = await queryContext.search(params); + const response = await queryContext.search(params, 'getMonitorList-potentialMatches'); return response; }; diff --git a/x-pack/plugins/uptime/server/lib/requests/search/query_context.ts b/x-pack/plugins/uptime/server/lib/requests/search/query_context.ts index 0bc503093f131..84c170363b1ee 100644 --- a/x-pack/plugins/uptime/server/lib/requests/search/query_context.ts +++ b/x-pack/plugins/uptime/server/lib/requests/search/query_context.ts @@ -43,8 +43,8 @@ export class QueryContext { this.query = query; } - async search(params: TParams) { - return this.callES.search(params); + async search(params: TParams, operationName?: string) { + return this.callES.search(params, operationName); } async count(params: any): Promise { diff --git a/x-pack/plugins/uptime/server/lib/requests/search/refine_potential_matches.ts b/x-pack/plugins/uptime/server/lib/requests/search/refine_potential_matches.ts index 3ba2a90d07635..f8357e8066573 100644 --- a/x-pack/plugins/uptime/server/lib/requests/search/refine_potential_matches.ts +++ b/x-pack/plugins/uptime/server/lib/requests/search/refine_potential_matches.ts @@ -165,5 +165,5 @@ export const query = async ( }, }; - return await queryContext.search(params); + return await queryContext.search(params, 'getMonitorList-refinePotentialMatches'); }; diff --git a/x-pack/plugins/uptime/server/rest_api/index_state/get_index_status.ts b/x-pack/plugins/uptime/server/rest_api/index_state/get_index_status.ts index 29a7a06f1530a..66f6d597344b6 100644 --- a/x-pack/plugins/uptime/server/rest_api/index_state/get_index_status.ts +++ b/x-pack/plugins/uptime/server/rest_api/index_state/get_index_status.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { schema } from '@kbn/config-schema'; import { UMServerLibs } from '../../lib/lib'; import { UMRestApiRouteFactory } from '../types'; import { API_URLS } from '../../../common/constants'; @@ -13,11 +12,7 @@ import { API_URLS } from '../../../common/constants'; export const createGetIndexStatusRoute: UMRestApiRouteFactory = (libs: UMServerLibs) => ({ method: 'GET', path: API_URLS.INDEX_STATUS, - validate: { - query: schema.object({ - _inspect: schema.maybe(schema.boolean()), - }), - }, + validate: {}, handler: async ({ uptimeEsClient }): Promise => { return await libs.requests.getIndexStatus({ uptimeEsClient }); }, diff --git a/x-pack/plugins/uptime/server/rest_api/monitors/monitor_list.ts b/x-pack/plugins/uptime/server/rest_api/monitors/monitor_list.ts index 36bc5a80ef47a..df8463786449b 100644 --- a/x-pack/plugins/uptime/server/rest_api/monitors/monitor_list.ts +++ b/x-pack/plugins/uptime/server/rest_api/monitors/monitor_list.ts @@ -21,7 +21,6 @@ export const createMonitorListRoute: UMRestApiRouteFactory = (libs) => ({ statusFilter: schema.maybe(schema.string()), query: schema.maybe(schema.string()), pageSize: schema.number(), - _inspect: schema.maybe(schema.boolean()), }), }, options: { diff --git a/x-pack/plugins/uptime/server/rest_api/monitors/monitor_locations.ts b/x-pack/plugins/uptime/server/rest_api/monitors/monitor_locations.ts index 77f265d0b81e8..de102f153d650 100644 --- a/x-pack/plugins/uptime/server/rest_api/monitors/monitor_locations.ts +++ b/x-pack/plugins/uptime/server/rest_api/monitors/monitor_locations.ts @@ -18,7 +18,6 @@ export const createGetMonitorLocationsRoute: UMRestApiRouteFactory = (libs: UMSe monitorId: schema.string(), dateStart: schema.string(), dateEnd: schema.string(), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/monitors/monitor_status.ts b/x-pack/plugins/uptime/server/rest_api/monitors/monitor_status.ts index 94b50386ac216..ac5133fbb7b4e 100644 --- a/x-pack/plugins/uptime/server/rest_api/monitors/monitor_status.ts +++ b/x-pack/plugins/uptime/server/rest_api/monitors/monitor_status.ts @@ -18,7 +18,6 @@ export const createGetStatusBarRoute: UMRestApiRouteFactory = (libs: UMServerLib monitorId: schema.string(), dateStart: schema.string(), dateEnd: schema.string(), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/monitors/monitors_details.ts b/x-pack/plugins/uptime/server/rest_api/monitors/monitors_details.ts index 50712153a5fea..64e9ed504e7cd 100644 --- a/x-pack/plugins/uptime/server/rest_api/monitors/monitors_details.ts +++ b/x-pack/plugins/uptime/server/rest_api/monitors/monitors_details.ts @@ -18,7 +18,6 @@ export const createGetMonitorDetailsRoute: UMRestApiRouteFactory = (libs: UMServ monitorId: schema.string(), dateStart: schema.maybe(schema.string()), dateEnd: schema.maybe(schema.string()), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, context, request }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/monitors/monitors_durations.ts b/x-pack/plugins/uptime/server/rest_api/monitors/monitors_durations.ts index e94198ee4e063..8dd9fbb7adb00 100644 --- a/x-pack/plugins/uptime/server/rest_api/monitors/monitors_durations.ts +++ b/x-pack/plugins/uptime/server/rest_api/monitors/monitors_durations.ts @@ -19,7 +19,6 @@ export const createGetMonitorDurationRoute: UMRestApiRouteFactory = (libs: UMSer monitorId: schema.string(), dateStart: schema.string(), dateEnd: schema.string(), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/pings/get_ping_histogram.ts b/x-pack/plugins/uptime/server/rest_api/pings/get_ping_histogram.ts index db111390cfaf7..439975a0f5215 100644 --- a/x-pack/plugins/uptime/server/rest_api/pings/get_ping_histogram.ts +++ b/x-pack/plugins/uptime/server/rest_api/pings/get_ping_histogram.ts @@ -21,7 +21,6 @@ export const createGetPingHistogramRoute: UMRestApiRouteFactory = (libs: UMServe filters: schema.maybe(schema.string()), bucketSize: schema.maybe(schema.string()), query: schema.maybe(schema.string()), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/pings/get_pings.ts b/x-pack/plugins/uptime/server/rest_api/pings/get_pings.ts index abb2c85f9ea0c..2be838c5e8658 100644 --- a/x-pack/plugins/uptime/server/rest_api/pings/get_pings.ts +++ b/x-pack/plugins/uptime/server/rest_api/pings/get_pings.ts @@ -24,7 +24,6 @@ export const createGetPingsRoute: UMRestApiRouteFactory = (libs: UMServerLibs) = size: schema.maybe(schema.number()), sort: schema.maybe(schema.string()), status: schema.maybe(schema.string()), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request, response }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshot_blocks.ts b/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshot_blocks.ts index 3127c34590ef5..4b06a13d29f4e 100644 --- a/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshot_blocks.ts +++ b/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshot_blocks.ts @@ -22,9 +22,6 @@ export const createJourneyScreenshotBlocksRoute: UMRestApiRouteFactory = (libs: body: schema.object({ hashes: schema.arrayOf(schema.string()), }), - query: schema.object({ - _inspect: schema.maybe(schema.boolean()), - }), }, handler: async ({ request, response, uptimeEsClient }) => { const { hashes: blockIds } = request.body; diff --git a/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshots.ts b/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshots.ts index 5f0825279ecfa..3e71051816d30 100644 --- a/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshots.ts +++ b/x-pack/plugins/uptime/server/rest_api/pings/journey_screenshots.ts @@ -26,10 +26,6 @@ export const createJourneyScreenshotRoute: UMRestApiRouteFactory = (libs: UMServ params: schema.object({ checkGroup: schema.string(), stepIndex: schema.number(), - _inspect: schema.maybe(schema.boolean()), - }), - query: schema.object({ - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request, response }) => { diff --git a/x-pack/plugins/uptime/server/rest_api/pings/journeys.ts b/x-pack/plugins/uptime/server/rest_api/pings/journeys.ts index 284feda2c662b..7c3dcdfbe845c 100644 --- a/x-pack/plugins/uptime/server/rest_api/pings/journeys.ts +++ b/x-pack/plugins/uptime/server/rest_api/pings/journeys.ts @@ -22,7 +22,6 @@ export const createJourneyRoute: UMRestApiRouteFactory = (libs: UMServerLibs) => syntheticEventTypes: schema.maybe( schema.oneOf([schema.arrayOf(schema.string()), schema.string()]) ), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request, response }): Promise => { @@ -59,7 +58,6 @@ export const createJourneyFailedStepsRoute: UMRestApiRouteFactory = (libs: UMSer validate: { query: schema.object({ checkGroups: schema.arrayOf(schema.string()), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request, response }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/snapshot/get_snapshot_count.ts b/x-pack/plugins/uptime/server/rest_api/snapshot/get_snapshot_count.ts index 67b106fdf6814..2fae13db7fa0d 100644 --- a/x-pack/plugins/uptime/server/rest_api/snapshot/get_snapshot_count.ts +++ b/x-pack/plugins/uptime/server/rest_api/snapshot/get_snapshot_count.ts @@ -19,7 +19,6 @@ export const createGetSnapshotCount: UMRestApiRouteFactory = (libs: UMServerLibs dateRangeEnd: schema.string(), filters: schema.maybe(schema.string()), query: schema.maybe(schema.string()), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/synthetics/last_successful_step.ts b/x-pack/plugins/uptime/server/rest_api/synthetics/last_successful_step.ts index cb90de50e2510..5d1407a8679c8 100644 --- a/x-pack/plugins/uptime/server/rest_api/synthetics/last_successful_step.ts +++ b/x-pack/plugins/uptime/server/rest_api/synthetics/last_successful_step.ts @@ -22,7 +22,6 @@ export const createLastSuccessfulStepRoute: UMRestApiRouteFactory = (libs: UMSer monitorId: schema.string(), stepIndex: schema.number(), timestamp: schema.string(), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ uptimeEsClient, request, response }) => { diff --git a/x-pack/plugins/uptime/server/rest_api/telemetry/log_page_view.ts b/x-pack/plugins/uptime/server/rest_api/telemetry/log_page_view.ts index 088cf494efbf7..ec7de05dd2cf1 100644 --- a/x-pack/plugins/uptime/server/rest_api/telemetry/log_page_view.ts +++ b/x-pack/plugins/uptime/server/rest_api/telemetry/log_page_view.ts @@ -22,7 +22,6 @@ export const createLogPageViewRoute: UMRestApiRouteFactory = () => ({ autoRefreshEnabled: schema.boolean(), autorefreshInterval: schema.number(), refreshTelemetryHistory: schema.maybe(schema.boolean()), - _inspect: schema.maybe(schema.boolean()), }), }, handler: async ({ savedObjectsClient, uptimeEsClient, request }): Promise => { diff --git a/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts b/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts index 24e501a1bddb8..ddde993cc9c70 100644 --- a/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts +++ b/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts @@ -6,10 +6,11 @@ */ import { UMKibanaRouteWrapper } from './types'; -import { createUptimeESClient } from '../lib/lib'; +import { createUptimeESClient, inspectableEsQueriesMap } from '../lib/lib'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths import { KibanaResponse } from '../../../../../src/core/server/http/router'; +import { enableInspectEsQueries } from '../../../observability/common'; export const uptimeRouteWrapper: UMKibanaRouteWrapper = (uptimeRoute) => ({ ...uptimeRoute, @@ -20,11 +21,18 @@ export const uptimeRouteWrapper: UMKibanaRouteWrapper = (uptimeRoute) => ({ const { client: esClient } = context.core.elasticsearch; const { client: savedObjectsClient } = context.core.savedObjects; + const isInspectorEnabled = await context.core.uiSettings.client.get( + enableInspectEsQueries + ); + const uptimeEsClient = createUptimeESClient({ request, savedObjectsClient, esClient: esClient.asCurrentUser, }); + if (isInspectorEnabled) { + inspectableEsQueriesMap.set(request, []); + } const res = await uptimeRoute.handler({ uptimeEsClient, @@ -41,6 +49,7 @@ export const uptimeRouteWrapper: UMKibanaRouteWrapper = (uptimeRoute) => ({ return response.ok({ body: { ...res, + ...(isInspectorEnabled ? { _inspect: inspectableEsQueriesMap.get(request) } : {}), }, }); }, diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts index 4c0f21df8c0ff..6d1d64a04cd93 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/migrations.ts @@ -86,6 +86,33 @@ export default ({ getService }: FtrProviderContext): void => { '7d' ); }); + + it('migrates legacy siem-detection-engine-rule-status to use saved object references', async () => { + const response = await es.get<{ + 'siem-detection-engine-rule-status': { + alertId: string; + }; + references: [{}]; + }>({ + index: '.kibana', + id: 'siem-detection-engine-rule-status:d62d2980-27c4-11ec-92b0-f7b47106bb35', + }); + expect(response.statusCode).to.eql(200); + + // references exist and are expected values + expect(response.body._source?.references).to.eql([ + { + name: 'alert_0', + id: 'fb1046a0-0452-11ec-9b15-d13d79d162f3', + type: 'alert', + }, + ]); + + // alertId no longer exist + expect(response.body._source?.['siem-detection-engine-rule-status'].alertId).to.eql( + undefined + ); + }); }); }); }; diff --git a/x-pack/test/functional/es_archives/security_solution/migrations/data.json b/x-pack/test/functional/es_archives/security_solution/migrations/data.json index 7b8d81135065d..97a2596f9dba1 100644 --- a/x-pack/test/functional/es_archives/security_solution/migrations/data.json +++ b/x-pack/test/functional/es_archives/security_solution/migrations/data.json @@ -1,4 +1,4 @@ -{ + { "type": "doc", "value": { "id": "siem-detection-engine-rule-actions:fce024a0-0452-11ec-9b15-d13d79d162f3", @@ -29,3 +29,35 @@ } } } + +{ + "type": "doc", + "value": { + "id": "siem-detection-engine-rule-status:d62d2980-27c4-11ec-92b0-f7b47106bb35", + "index": ".kibana_1", + "source": { + "siem-detection-engine-rule-status": { + "alertId": "fb1046a0-0452-11ec-9b15-d13d79d162f3", + "statusDate": "2021-10-11T20:51:26.622Z", + "status": "succeeded", + "lastFailureAt": "2021-10-11T18:10:08.982Z", + "lastSuccessAt": "2021-10-11T20:51:26.622Z", + "lastFailureMessage": "4 days (323690920ms) were not queried between this rule execution and the last execution, so signals may have been missed. Consider increasing your look behind time or adding more Kibana instances. name: \"Threshy\" id: \"fb1046a0-0452-11ec-9b15-d13d79d162f3\" rule id: \"b789c80f-f6d8-41f1-8b4f-b4a23342cde2\" signals index: \".siem-signals-spong-default\"", + "lastSuccessMessage": "succeeded", + "gap": "4 days", + "bulkCreateTimeDurations": [ + "34.49" + ], + "searchAfterTimeDurations": [ + "62.58" + ], + "lastLookBackDate": null + }, + "type": "siem-detection-engine-rule-status", + "references": [], + "coreMigrationVersion": "7.14.0", + "updated_at": "2021-10-11T20:51:26.657Z" + } + } +} + diff --git a/yarn.lock b/yarn.lock index 9cba714293ff9..e5e2f59359c9f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -24090,10 +24090,10 @@ react-popper@^2.2.4: react-fast-compare "^3.0.1" warning "^4.0.2" -react-query@^3.21.1: - version "3.21.1" - resolved "https://registry.yarnpkg.com/react-query/-/react-query-3.21.1.tgz#8fe4df90bf6c6a93e0552ea9baff211d1b28f6e0" - integrity sha512-aKFLfNJc/m21JBXJk7sR9tDUYPjotWA4EHAKvbZ++GgxaY+eI0tqBxXmGBuJo0Pisis1W4pZWlZgoRv9yE8yjA== +react-query@^3.27.0: + version "3.27.0" + resolved "https://registry.yarnpkg.com/react-query/-/react-query-3.27.0.tgz#77c76377ae41d180c4718da07ef72df82e07306b" + integrity sha512-2MR5LBXnR6OMXQVLcv/57x1zkDNj6gK5J5mtjGi6pu0aQ6Y4jGQysVvkrAErMKMZJVZELFcYGA8LsGIHzlo/zg== dependencies: "@babel/runtime" "^7.5.5" broadcast-channel "^3.4.1"